Odi's astoundingly incomplete notes
New entries | Code[qmail] TLS found no client cert in control/clientcert.pem
I encountered the above error message in the qmail logs while our remote message queue was slowly growing. We had just installed a Thawte server certificate for our mail gateway. We had put the RSA key plus the certificate into /var/qmail/control/servercert.pem
and made a symlink clientcert.pem
to that file.
After searching the web for a possible solution to the problem I found nothing helpful. So I dug up the C code that seemed to cause the problem: In qmail-remote.c
there is a line:
if ((stat("control/clientcert.pem", &st) == 0) && ((SSL_CTX_use_RSAPrivateKey_file(ctx, "control/clientcert.pem", SSL_FIL ETYPE_PEM) <= 0) || (SSL_CTX_use_certificate_chain_file(ctx, "control/clientcert.pem") <= 0 ) || (SSL_CTX_check_private_key(ctx) <= 0))) /* if there is a cert and it is bad, I fail if there is no cert, I leave it to the other side to complain */ SSL_CTX_set_client_cert_cb(ctx, client_cert_cb);This line seems to perform various checks on the client certificate and if one of those fails, sets a callback (
client_cert_cb
) that issues the error message.
What caught my attention was the call to SSL_CTX_use_certificate_chain_file
- mostly intuition. On Google I found documentation for this function at IBM. It says: The first certificate in the file must be the certificate for your application. The next certificate in the file must be the certificate for the certificate authority (CA) that signed the certificate for your application. Subsequent certificates, if any exist, are for the CAs in the signing sequence. Duh!
Apparently all the qmail docs on the web are not very useful. They all use self-signed certs and suggest just to put your private key plus the certificate into the servercert file and use a symlink to it as the clientcert. While that is true, the setup is a little bit more complicated when using a real certificate. It seems we must make a servercert.pem
that contains all of
- The private key
- The certificate
- All the certificates including the root certificate of all the signers.
This is actually documented in the qmail TLS patch: Note: you can add the CA certificate and intermediate certs to the end of servercert.pem. But some patch walkthroughs don't do it correctly.