Postfix 无法从文件 /etc/ssl/private/server.key 中获取 RSA 私钥:禁用 TLS 支持
[英]Postfix cannot get RSA private key from file /etc/ssl/private/server.key: disabling TLS support
问题描述
我安装了一个 postfix 邮件服务器。 但是当我使用thunderbird登录用户时是错误的。 这是配置。
后配置 -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 20000000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 200000000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = stack.daolicloud.com
myhostname = mail.stack.daolicloud.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination
relayhost =
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/cacert.pem
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
鸽舍-n:
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-431.1.2.0.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_mechanisms = plain login
mail_location = maildir:~/Maildir
mail_privileged_group = mail
mbox_write_locks = fcntl
passdb {
driver = pam
}
protocols = imap pop3
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
}
}
service imap-login {
inet_listener imap {
port = 143
ssl = yes
}
inet_listener imaps {
port = 993
ssl = yes
}
}
ssl_cert = </etc/ssl/certs/cacert.pem
ssl_key = </etc/ssl/private/server.key
userdb {
driver = passwd
}
这是日志:
dovecot: imap-login: Fatal: Can't load private ssl_key: Key is for a different cert than ssl_cert
dovecot: master: Error: service(imap-login): command startup failed, throttling
dovecot: pop3-login: Fatal: Can't load private ssl_key: Key is for a different cert than ssl_cert
dovecot: master: Error: service(pop3-login): command startup failed, throttling
postfix/smtpd[13891]: warning: cannot get RSA private key from file /etc/ssl/private/server.key: disabling TLS support
postfix/smtpd[13891]: warning: TLS library problem: 13891:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:331:
postfix/smtpd[13893]: warning: cannot get RSA private key from file /etc/ssl/private/server.key: disabling TLS support
postfix/smtpd[13893]: warning: TLS library problem: 13893:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:331:
postfix/smtpd[13894]: warning: cannot get RSA private key from file /etc/ssl/private/server.key: disabling TLS support
postfix/smtpd[13894]: warning: TLS library problem: 13894:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:331:
postfix/smtpd[13895]: warning: cannot get RSA private key from file /etc/ssl/private/server.key: disabling TLS support
postfix/smtpd[13895]: warning: TLS library problem: 13895:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:331:
我认为pem和key文件是错误的。 所以我再次生成这个文件,然后是这个链接。 但它仍然出现同样的错误。 有任何想法吗? 有人可以帮助我吗? 非常感谢!
3 个解决方案
解决方案1
12 已采纳 2014-06-28 22:22:37
为了检查证书和密钥是否匹配使用这个,
(openssl x509 -noout -modulus -in /etc/ssl/certs/cacert.pem | openssl md5 ;\
openssl rsa -noout -modulus -in /etc/ssl/private/server.key | openssl md5) | uniq
如果您获得多个标识符,则您的密钥和证书不匹配。
只需创建一个新的;
openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/cacert.pem -keyout /etc/ssl/private/server.key
干杯!
解决方案2
0 2017-11-06 19:47:10
基于@Ark74 某人博客的回答,在 ubuntu 上,snakeoil 证书的检查命令是:
(openssl x509 -noout -modulus -in /etc/ssl/certs/ssl-cert-snakeoil.pem | openssl md5 ; openssl rsa -noout -modulus -in /etc/ssl/private/ssl-cert-snakeoil.key | openssl md5) | uniq
如果得到两个哈希值,则需要重新生成证书:
make-ssl-cert generate-default-snakeoil --force-overwrite
解决方案3
0 2020-08-13 03:03:12
对于在运行 SELinux 的 Centos 8、Postfix 3.3.1 上看到此错误的任何人,我尝试了上述所有方法,并且我知道我的证书和链是正确的,因为 apache 正在正确加载它们。
我在原始错误下看到以下错误:
warning: TLS library problem: error:0200100D:system library:fopen:Permission denied
结果证明证书必须在:
/etc/ssl/certs
目录 - 即使我对它们有正确的 chcon。 认为这可能对其他人有所帮助,因为这非常令人沮丧。 我不确定为什么 Postfix 无法从 httpd 目录加载它们。
无法使用 openssl 验证公共证书的模块(无法验证 rsa 公钥来自私钥)
[英]Unable to verify a public cert's modules with openssl (Unable to verify rsa public key came from a private key)
从服务器到另一个没有私钥密码短语的 SSH 连接
[英]SSH Connection from server to another one without private key passphrase
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.