Odi's astoundingly incomplete notes

New entries | Code

[qmail] TLS found no client cert in control/clientcert.pem

I encountered the above error message in the qmail logs while our remote message queue was slowly growing. We had just installed a Thawte server certificate for our mail gateway. We had put the RSA key plus the certificate into /var/qmail/control/servercert.pem and made a symlink clientcert.pem to that file.

After searching the web for a possible solution to the problem I found nothing helpful. So I dug up the C code that seemed to cause the problem: In qmail-remote.c there is a line:

if ((stat("control/clientcert.pem", &st) == 0) &&
         ((SSL_CTX_use_RSAPrivateKey_file(ctx, "control/clientcert.pem", SSL_FIL
ETYPE_PEM) <= 0) ||
         (SSL_CTX_use_certificate_chain_file(ctx, "control/clientcert.pem") <= 0
) ||
         (SSL_CTX_check_private_key(ctx) <= 0)))
        /* if there is a cert and it is bad, I fail
           if there is no cert, I leave it to the other side to complain */
        SSL_CTX_set_client_cert_cb(ctx, client_cert_cb);
This line seems to perform various checks on the client certificate and if one of those fails, sets a callback (client_cert_cb) that issues the error message. What caught my attention was the call to SSL_CTX_use_certificate_chain_file - mostly intuition. On Google I found documentation for this function at IBM. It says: The first certificate in the file must be the certificate for your application. The next certificate in the file must be the certificate for the certificate authority (CA) that signed the certificate for your application. Subsequent certificates, if any exist, are for the CAs in the signing sequence. Duh!

Apparently all the qmail docs on the web are not very useful. They all use self-signed certs and suggest just to put your private key plus the certificate into the servercert file and use a symlink to it as the clientcert. While that is true, the setup is a little bit more complicated when using a real certificate. It seems we must make a servercert.pem that contains all of

Maybe one can just include a clientca.pem file that contains a list of all root CA certs instead. I have not tried that. But the docs and the code suggest that. In our case I had to download the root certificate from Thawte. It's a ZIP file with all their root certs in several formats. You need the ServerCA as Base64 which is stored in a TXT file.

This is actually documented in the qmail TLS patch: Note: you can add the CA certificate and intermediate certs to the end of servercert.pem. But some patch walkthroughs don't do it correctly.

posted on 2005-05-23 12:16 UTC in Code | 0 comments | permalink