Permission of server private key file

N

neo-hippie

Verified User
Joined
May 27, 2014
Messages
74
Location
The Netherlands (Holland)
I have an issue with my server private key file.
Somehow Exim requires it to be at least readable by group / others so i have it at 644.
But there is a script running somewhere witch changes it randomly back to 600.
And then my Exim stops working (client can't sent email and gets a certificate error).

So my question is twofold, either how to stop a script changing permission.
Or how to make Exim compliant with a non readable private key file.

fyi. i have now manually changed it to 600 (to see the certificate error), and it now works fine.
but i have to randomly change it to 644 to get it working again.
edit: i have reloaded exim and the error occurs.
TLS error on connection from [xx.xx.xx.xx] (SSL_CTX_use_PrivateKey_file file=/etc/ssl/server.key): error:8000000D:system library:: Permission denied
 
Last edited:
Can you explain how you got a server.key in the /etc/ssl directory?
Did you adjust something manually (customized something) or which version Directadmin and/or Exim and exim.conf are you using and OS?

Just out of curiosity, because if I start searching for a "server.key" file, I can use any server I wan't but it will not be in the /etc/ssl directory.
Mine are here:
/etc/csf/ui/server.key
/etc/httpd/conf/ssl.key/server.key
/etc/httpd/conf/ssl.key/server.key.backup
 
Richard G said:
Can you explain how you got a server.key in the /etc/ssl directory?
Did you adjust something manually (customized something) or which version Directadmin and/or Exim and exim.conf are you using and OS?

Just out of curiosity, because if I start searching for a "server.key" file, I can use any server I wan't but it will not be in the /etc/ssl directory.
Mine are here:
/etc/csf/ui/server.key
/etc/httpd/conf/ssl.key/server.key
/etc/httpd/conf/ssl.key/server.key.backup
Click to expand...
Thanks for you're reply Richard,

I have been running Directadmin for years now and once every 2 years i need to update my main domain certificate.
this is the only paid certificate i have any other are automatic through letsencrypt. yet none are on the Directadmin server.
This server i use strictly for mail (Dovecot and Exim, with user management through Directadmin).

The name server.key i had modified for privacy reasons, so don't take it literally.
I use Directadmin version: 1.666, Exim version: 4.97.1 #2 (SpamBlockerTechnology* powered exim.conf, Version 4.5.43)
All running on an Ubuntu 22.04.4 OS (fully up-to-date)

I have edited the exim.variables.conf.custom (and dovecot.conf and directadmin.conf) to point to the "/etc/ssl/server.key" file and an "/etc/ssl/server.exim.pem" public file.
In the same directory i also host my DH.pem file and Dkim public key. (not relevant to the question)
As i said this server.key file is used for the domain Directadmin runs on, and for Dovecot and Exim as well.

Yet only Exim has an issue with it (i notice it if i try and sent a message, but i believe it also apply if Exim receives a message from other mail servers)
i haven't had any problems with this setup for several years now, it's only after the last certificate change i noticed it (April of this year).
 
it could relate to this feature.

Version 1.662 | Directadmin Docs

DirectAdmin Knowledge Base
docs.directadmin.com

which copies TLS certificate for server host name from DirectAdmin service (in the /usr/local/directadmin/conf) to all the other services like Exim, Dovecot, Apache, Nginx, LiteSpeed, OpenLiteSpeed, ProFTPD and PureFTPD.

In previous releases, this automatic certificate synchronization was only performed by the letsencrypt.sh script after certificate renewal.
Click to expand...

So it might fix permission when renews the certs.
 
thanks for the insight, but i don't think this is the answer.
i did an search and the new function 'sync_server_cert' is only called from letsencrypt.sh.
and as i said i don't use letsencrypt on this server.
i manually have changed all the config files to point to the server.key file.
so i don't think Directadmin needs to copy files for other services to work either.
 
I don't thinks so, because it said...
1726826989077.png

"da build rewrite_confs", will copy certs from Directadmin to other services.
 
okay let me change the question to point it in another direction.
cos what and why the permission is changed doesn't matter that much.

Why has Exim trouble reading a private key with permission root:root 600 (or preferably 400).
as this is the standard for private key's. and non of the other programs have an issue with that.
 
You must log in or register to reply here.
Back
Top