Odi's astoundingly incomplete notesNew entries | Code
[qmail] TLS found no client cert in control/clientcert.pem
I encountered the above error message in the qmail logs while our remote message queue was slowly growing. We had just installed a Thawte server certificate for our mail gateway. We had put the RSA key plus the certificate into
/var/qmail/control/servercert.pem and made a symlink
clientcert.pem to that file.
After searching the web for a possible solution to the problem I found nothing helpful. So I dug up the C code that seemed to cause the problem: In
qmail-remote.c there is a line:
if ((stat("control/clientcert.pem", &st) == 0) && ((SSL_CTX_use_RSAPrivateKey_file(ctx, "control/clientcert.pem", SSL_FIL ETYPE_PEM) <= 0) || (SSL_CTX_use_certificate_chain_file(ctx, "control/clientcert.pem") <= 0 ) || (SSL_CTX_check_private_key(ctx) <= 0))) /* if there is a cert and it is bad, I fail if there is no cert, I leave it to the other side to complain */ SSL_CTX_set_client_cert_cb(ctx, client_cert_cb);This line seems to perform various checks on the client certificate and if one of those fails, sets a callback (
client_cert_cb) that issues the error message. What caught my attention was the call to
SSL_CTX_use_certificate_chain_file- mostly intuition. On Google I found documentation for this function at IBM. It says: The first certificate in the file must be the certificate for your application. The next certificate in the file must be the certificate for the certificate authority (CA) that signed the certificate for your application. Subsequent certificates, if any exist, are for the CAs in the signing sequence. Duh!
Apparently all the qmail docs on the web are not very useful. They all use self-signed certs and suggest just to put your private key plus the certificate into the servercert file and use a symlink to it as the clientcert. While that is true, the setup is a little bit more complicated when using a real certificate. It seems we must make a
servercert.pem that contains all of
- The private key
- The certificate
- All the certificates including the root certificate of all the signers.