Why does exim read the certificate and the key from the same file?

I configured SSL by adding these strings to 01_exim4-config_listmacrosdefs. I use the split configuration.

MAIN_TLS_ENABLE = yes
MAIN_TLS_CERTKEY = /etc/exim4/example.com.crt
MAIN_TLS_PRIVATEKEY = /etc/exim4/example.com.key

So after restarting, connecting to port 465, and entering EHLO and STARTTLS, I get this: 454 TLS currently unavailable

In the log I have this:

13:29:36 10872 SMTP<< STARTTLS
13:29:36 10872 initialising GnuTLS as a server
13:29:36 10872 GnuTLS global init required.
13:29:36 10872 initialising GnuTLS server session
13:29:36 10872 Expanding various TLS configuration options for session credentials.
13:29:36 10872 certificate file = /etc/exim4/example.com.crt
13:29:36 10872 key file = /etc/exim4/example.com.crt
13:29:36 10872 LOG: MAIN
13:29:36 10872   TLS error on connection from (192.168.1.111) [91.210.44.50] (cert/key setup: cert=/etc/exim4/example.com.crt key=/etc/exim4/example.com.crt): Error in parsing.

Why does exim use the same file for the certificate and the key? How do I fix it?

Answer 1

I should use MAIN_TLS_CERTIFICATE instead of MAIN_TLS_CERTKEY

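Answer 2

@chicks I would upvote if serverfault allowed it.

This is still tripping people up (for example, me, more than two years later).

Technically, the comment in conf.d/main/03_exim4-config_tlsoptions says that if you have the certificate and key in the same file, then use MAIN_TLS_CERTKEY. This is bad practice, but allowed.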

#   MAIN_TLS_CERTIFICATE - path to certificate file,
#                          CONFDIR/exim.crt if unset
#   MAIN_TLS_PRIVATEKEY  - path to private key file
#                          CONFDIR/exim.key if unset
# You can also configure exim to look for certificate and key in the
# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
# precedence over all other settings regarding certificate and key file.

I skimmed past that and went straight to the ifdef statements. The first of them is:

.ifdef MAIN_TLS_CERTKEY

I completely missed the .else part:

.ifdef MAIN_TLS_CERTKEY
tls_certificate = MAIN_TLS_CERTKEY
.else
.ifndef MAIN_TLS_CERTIFICATE
MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
.endif
tls_certificate = MAIN_TLS_CERTIFICATE

TL;DR: Yes, set MAIN_TLS_CERTIFICATE instead of MAIN_TLS_CERTKEY
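
As an added example (not part of the answers above and not code from the exim4 package): a small Python check that reads the MAIN_TLS_* macros and reports which certificate and key files get selected, following the precedence stated in the comment quoted in answer 2. The function names and the /etc/exim4 default for CONFDIR are assumptions; the sample input is the configuration from the question.

```python
import re

# Matches macro lines such as "MAIN_TLS_CERTKEY = /path/to/file".
MACRO_RE = re.compile(r"^\s*(MAIN_TLS_[A-Z]+)\s*=\s*(\S.*?)\s*$")
# Matches PKCS#8, RSA, EC and encrypted private key PEM headers.
KEY_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

def parse_macros(text):
    """Collect MAIN_TLS_* macro definitions, skipping comment lines."""
    macros = {}
    for line in text.splitlines():
        m = None if line.lstrip().startswith("#") else MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros

def resolve_tls_files(macros, confdir="/etc/exim4"):  # confdir: assumed CONFDIR value
    """Return (cert_path, key_path, warnings) per the template's precedence."""
    certkey = macros.get("MAIN_TLS_CERTKEY")
    if certkey:
        # MAIN_TLS_CERTKEY wins: certificate and key are both read from it.
        warnings = [f"{name} = {macros[name]} is ignored: MAIN_TLS_CERTKEY is set"
                    for name in ("MAIN_TLS_CERTIFICATE", "MAIN_TLS_PRIVATEKEY")
                    if name in macros]
        return certkey, certkey, warnings
    cert = macros.get("MAIN_TLS_CERTIFICATE", f"{confdir}/exim.crt")
    key = macros.get("MAIN_TLS_PRIVATEKEY", f"{confdir}/exim.key")
    return cert, key, []

def has_private_key(pem_text):
    """True if the PEM text contains a private key block."""
    return KEY_RE.search(pem_text) is not None

# Sample input: the macro lines from the question.
QUESTION_CONFIG = """\
MAIN_TLS_ENABLE = yes
MAIN_TLS_CERTKEY = /etc/exim4/example.com.crt
MAIN_TLS_PRIVATEKEY = /etc/exim4/example.com.key
"""

if __name__ == "__main__":
    cert, key, warnings = resolve_tls_files(parse_macros(QUESTION_CONFIG))
    print("certificate file =", cert)
    print("key file =", key)
    for w in warnings:
        print("warning:", w)
```

Passing the contents of the resolved key file to has_private_key shows whether a certificate-only file was selected as the key.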
