Gentoo Forums
HELP - cannot make self-signed cert for postfix - SOLVED
Reply to topic    Gentoo Forums Forum Index Networking & Security
Moriah
Advocate
Joined: 27 Mar 2004
Posts: 2115
Location: Kentucky

PostPosted: Tue Jun 11, 2013 1:48 am    Post subject: HELP - cannot make self-signed cert for postfix - SOLVED Reply with quote

This topic has appeared here in the past, but always with different variations. Last post I could find was 2 years ago. :(

After 18 years of running sendmail, I am building a new mail server with postfix by following:

http://www.gentoo.org/doc/en/virt-mail-howto.xml

When I get to the section named "5. SSL Certs for Postfix and Apache", I followed the directions:
Code:

# cd misc
# ./CA.pl -newreq-nodes
# ./CA.pl -newca
# ./CA.pl -sign
# cp newcert.pem /etc/postfix
# cp newkey.pem /etc/postfix
# cp demoCA/cacert.pem /etc/postfix

But the copy operations fail because:
Code:

hophni misc # cd /etc/ssl/misc
hophni misc # ./CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
...............++++++
.......................++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [KY]:
Locality Name [Warsaw]:
Organization Name [Elijah Laboratories Inc.]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) [elilabs.com]:
Email Address [root@elilabs.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
hophni misc # ./CA.pl -newca
hophni misc # ./CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
unable to load CA private key
140398339446440:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
Signed certificate is in newcert.pem
hophni misc # ls -latr
total 48
-rwxr-xr-x 1 root root 6419 Jun 10 12:58 tsget
-rwxr-xr-x 1 root root  110 Jun 10 12:58 c_name
-rwxr-xr-x 1 root root  112 Jun 10 12:58 c_issuer
-rwxr-xr-x 1 root root  152 Jun 10 12:58 c_info
-rwxr-xr-x 1 root root  119 Jun 10 12:58 c_hash
-rwxr-xr-x 1 root root 5175 Jun 10 12:58 CA.sh
-rwxr-xr-x 1 root root 5679 Jun 10 12:58 CA.pl
drwxr-xr-x 6 root root   94 Jun 10 20:36 ..
drwxr-xr-x 6 root root   89 Jun 10 20:37 demoCA
-rw-r--r-- 1 root root  692 Jun 10 21:44 newreq.pem
-rw-r--r-- 1 root root  916 Jun 10 21:44 newkey.pem
drwxr-xr-x 3 root root  143 Jun 10 21:44 .
hophni misc # find . -name 'newcert.pem' -print
hophni misc #

As you can see, it lied when it said, "Signed certificate is in newcert.pem"; there is no newcert.pem!

So what bit rot has occurred since the Guide was written?

The problem seems to be "unable to load CA private key", but why, and what is the fix?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.


Last edited by Moriah on Sun Jun 23, 2013 2:24 am; edited 1 time in total
DawgG
l33t
Joined: 17 Sep 2003
Posts: 808

PostPosted: Tue Jun 11, 2013 9:18 am    Post subject: Reply with quote

I haven't done this with Postfix lately (only with Apache, Squid), but I found it best to put sensible values into openssl.cnf before running CA.pl.
Just back up the original one and write the stuff you need into the new one (can also save quite a bit of typing).
Quote:
140398339446440:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY

Oh yes, those OpenSSL errors look scary, but usually it's just "file not found" because some (preset) paths are wrong.
GOOD LUCK!
_________________
DUMM KLICKT GUT.
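The CA.pl sequence from the first post (-newreq-nodes, -newca, -sign, then copy to /etc/postfix) and DawgG's diagnosis above (the scary PEM error is usually a wrong preset path, i.e. the CA key file is not where the config says), as an added example that is not code from the thread, from the Gentoo guide or from OpenSSL's CA.pl: a POSIX shell script that does the same three steps with plain openssl(1) calls and explicit file paths, so openssl.cnf's demoCA defaults are never consulted. It adds the check a practitioner wants before the signing step (is the CA key really a readable PEM private key?) and after it (does the cert verify against the CA, and does the server key match the cert?). The directory layout under $dir, the DN fields in SUBJ_BASE, and the hostname mail.example.com are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Gentoo guide): the CA.pl
# -newreq-nodes / -newca / -sign sequence done with plain openssl(1),
# plus the checks worth running before copying files into /etc/postfix.
# Assumptions: the layout under "$dir", the DN in SUBJ_BASE, and the
# hostname passed to make_server_cert.
set -eu

SUBJ_BASE="/C=US/ST=KY/O=Example Lab"   # assumed DN; edit for your site

# Equivalent of ./CA.pl -newca: a self-signed CA certificate and key.
# 2048-bit RSA instead of the 1024-bit default visible in the thread's
# output. The key has no passphrase only because this is a lab CA; keep a
# real CA key offline and passphrase-protected.
make_ca() {
    dir=$1
    mkdir -p "$dir/ca"
    chmod 700 "$dir/ca"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -subj "$SUBJ_BASE/CN=Example Lab CA" \
        -keyout "$dir/ca/cakey.pem" -out "$dir/ca/cacert.pem" 2>/dev/null
    chmod 600 "$dir/ca/cakey.pem"
}

# The check behind "unable to load CA private key ... no start line":
# the file must exist, be readable, and actually parse as a PEM private key.
ca_key_ok() {
    keyfile=$1
    if [ ! -r "$keyfile" ]; then
        echo "CA key $keyfile is missing or unreadable" >&2
        return 1
    fi
    if ! openssl pkey -in "$keyfile" -noout >/dev/null 2>&1; then
        echo "$keyfile is not a PEM private key" >&2
        return 1
    fi
    return 0
}

# Equivalent of ./CA.pl -newreq-nodes followed by ./CA.pl -sign.
# The -nodes key is unencrypted on purpose: Postfix must read it at startup
# without a passphrase prompt, so protect it with file permissions instead.
make_server_cert() {
    dir=$1
    fqdn=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "$SUBJ_BASE/CN=$fqdn" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    chmod 600 "$dir/newkey.pem"
    # Signing is the step that failed in the thread; test the CA key first
    # so the failure is reported as a path problem, not a PEM parse error.
    ca_key_ok "$dir/ca/cakey.pem"
    openssl x509 -req -in "$dir/newreq.pem" -sha256 -days 365 \
        -CA "$dir/ca/cacert.pem" -CAkey "$dir/ca/cakey.pem" -CAcreateserial \
        -out "$dir/newcert.pem" 2>/dev/null
}

# Before installing: the cert must verify against the CA, and the server key
# must belong to the cert (compare public keys; works for RSA and EC alike).
check_cert() {
    dir=$1
    openssl verify -CAfile "$dir/ca/cacert.pem" "$dir/newcert.pem" >/dev/null 2>&1 || return 1
    certpub=$(openssl x509 -in "$dir/newcert.pem" -noout -pubkey)
    keypub=$(openssl pkey -in "$dir/newkey.pem" -pubout)
    [ "$certpub" = "$keypub" ]
}

# Usage, ending with the guide's copy step:
#   make_ca ./pki && make_server_cert ./pki mail.example.com && check_cert ./pki
#   cp ./pki/newcert.pem ./pki/newkey.pem ./pki/ca/cacert.pem /etc/postfix/
```

Because every path is passed explicitly, a mislocated CA key fails in ca_key_ok with a plain "missing or unreadable" message instead of the PEM_read_bio error, and newcert.pem is only ever written after a successful signature, so the "Signed certificate is in newcert.pem" line from the thread cannot appear without the file.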
Moriah
Joined: 27 Mar 2004
Posts: 2115
Location: Kentucky

PostPosted: Sun Jun 23, 2013 2:23 am    Post subject: Reply with quote

This was solved in another thread.

See:

https://forums.gentoo.org/viewtopic-t-962516-highlight-.html?sid=f99188c8008f07f13904914e1916f343
All times are GMT