[SoCoSA/discuss] exim TLS cert problem

Kevan Benson kbenson at a-1networks.com
Thu Aug 27 15:51:27 PDT 2009


You may want to check that the files didn't get mixed up in some manner:

openssl x509 -in /path/to/certificate.crt -text

If the www cert is actually there in place of the mail cert, hopefully 
you have it backed up somewhere else (or at least have the mail key 
file, so you can ask for a re-issue).

Sean wrote:
> Kevan, thank you, that openssl command was very helpful. It shows the
> www cert being passed for my secure email ports (pop, imap). Now I
> just have to figure out why it's not using the defined values to send
> the mail certs.
> 
> Nicholas, thank you for that link. I read that document yesterday and I
> did not find anything useful. I'll probably read it again if I can
> find the time.
> 
> 
> Sean
> 
> 
> On Thu, Aug 27, 2009 at 9:53 AM, Nicholas Potterton <n.potterton at yahoo.co.uk> wrote:
>> look in here sean
>>
>> perhaps there is something for you here
>>
>> http://www.exim.org/exim-html-3.20/doc/html/spec_38.html
>>
>> --- On Thu, 8/27/09, Sean <seanvanco at gmail.com> wrote:
>>
>>
>> From: Sean <seanvanco at gmail.com>
>> Subject: Re: [SoCoSA/discuss] exim TLS cert problem
>> To: n.potterton at yahoo.co.uk, "SoCoSA general discussion list" <discuss at socosa.org>
>> Date: Thursday, August 27, 2009, 9:40 AM
>>
>>
>> Thank you for the replies. The cert is valid until December of this year.
>>
>> Perhaps a better explanation of the error message would help. It states:
>>
>> "The server you are connected to is using a security certificate that
>> could not be verified.
>>
>> The certificate's name does not match the passed value.
>>
>> Do you want to continue using this server? Yes/No"
>>
>> Does this help clarify matters? It does not seem to be rejecting the
>> issuer, and it did not when I first installed the cert. If anything
>> has changed to affect this I'm afraid that I don't know what it could
>> be.
>>
>> Sean
>>
>>
>> --- On Thu, 8/27/09, Sean <seanvanco at gmail.com> wrote:
>>
>>
>> From: Sean <seanvanco at gmail.com>
>> Subject: [SoCoSA/discuss] exim TLS cert problem
>> To: "SoCoSA general discussion list" <discuss at socosa.org>
>> Date: Thursday, August 27, 2009, 8:51 AM
>>
>>
>> I'm hoping that someone can help me with a security certificate
>> problem with my exim server. This has worked in the past and I don't
>> know why it is not working now.
>>
>> The situation is that my mail and web servers reside on the same box.
>> I have two security certificates installed, one for www.domain.com and
>> one for mail.domain.com. I have my exim server configured to use the
>> mail.domain.com cert for TLS (exim.conf entries below), but when a
>> Windows client (i.e. Outlook) uses TLS, it says that there is a
>> problem with the security cert and that the CN does not match the
>> server name. It is probably grabbing the www cert instead of the mail
>> cert, but I see no way to verify this or why it would be happening.
>>
>> exim.conf excerpt:
>>
>> # SSL/TLS cert and key
>> tls_certificate = /etc/exim.cert
>> tls_privatekey = /etc/exim.key
>>
>> tls_advertise_hosts = *
>>
>> I had my certificate vendor confirm that the security cert listed
>> above is the mail cert.
>>
>> My kmail program on Linux is not complaining of this problem (and
>> according to /var/log/mail.log on the server the POP connection IS
>> using TLS for the kmail app), but I do not know of a way to check to
>> see what certs either client is using. Also, I'm not the only one
>> having this problem with the TLS on my server, so I suspect it would
>> happen for any user on any computer.
>>
>> I'm using Debian Etch 32-bit and exim 4 (the latest version).
>>
>>
>> Thank you in advance for any help.
>>
>> Sean

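Added example, not part of the original thread: a shell sketch of the checks discussed above, comparing the certificate file exim is configured to load with what a mail port actually serves, and confirming that the key file belongs to that certificate. The function names and the host mail.example.com are placeholders; the file paths are the ones from the exim.conf excerpt.

```shell
#!/bin/sh
# Added example: function names and the host in the usage are hypothetical.

# SHA-256 fingerprint of a PEM certificate file.
file_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate served on host:port.
# $3 is optional: smtp, pop3 or imap for STARTTLS ports; omit it for
# ports that speak TLS from the first byte (for example 993 and 995).
served_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" ${3:+-starttls "$3"} \
        </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeeds when the private key file belongs to the certificate file:
# both must yield the same public key.
key_matches_cert() {   # key_matches_cert cert_file key_file
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Report whether host:port serves the certificate stored in cert_file.
check_port() {   # check_port host port cert_file [starttls-proto]
    want=$(file_fp "$3")
    [ -n "$want" ] || return 2
    got=$(served_fp "$1" "$2" "$4")
    if [ "$got" = "$want" ]; then
        echo "$1:$2 serves $3"
    else
        echo "$1:$2 serves something else: ${got:-no certificate received}"
        return 1
    fi
}

# Usage (placeholder host):
#   key_matches_cert /etc/exim.cert /etc/exim.key && echo "key matches cert"
#   check_port mail.example.com 25  /etc/exim.cert smtp
#   check_port mail.example.com 995 /etc/exim.cert
```

A mismatch on the POP or IMAP ports while port 25 matches points at the POP/IMAP daemon's own certificate setting, since tls_certificate in exim.conf only governs exim.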