Hello,

> Either you botched the recipe, or the use of "-keyout stdout" is
> not a portable way of getting OpenSSL to output the key and
> certificate back-to-back.

It turned out that my version of genrsa doesn't support the -nodes option. I removed it and it didn't raise any errors.

> When I run this and check the contents of the smtpd.pem file (did
> you ever look at the file contents? Why not?) I see:
>
> $ egrep '^-----' smtpd.pem
> -----BEGIN PRIVATE KEY-----
> -----END PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----

It was:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----END PRIVATE KEY-----

I removed the -nodes option and it worked.

$ openssl s_client -starttls smtp -connect mail.example.com:25
CONNECTED(00000003)
depth=0 /CN=mail.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=mail.example.com
verify return:1
---
Certificate chain
 0 s:/CN=mail.example.com
   i:/CN=mail.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=mail.example.com
issuer=/CN=mail.example.com
---
No client certificate CA names sent
---
...
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1280 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: ...
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    ...
    Verify return code: 18 (self signed certificate)
---
250 DSN
read:errno=0

How to debug the above output? Is it OK?

Thank you
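The two checks the message above performs by hand (the egrep for the PEM armour lines in smtpd.pem, and reading the "Verify return code" out of the openssl s_client transcript) turned into reusable shell functions. This is an added example, not code from the thread or from Postfix; the file names, the placeholder PEM files (armour lines only, no key material) and the s_client excerpt are constructed. It goes slightly beyond the thread: it also accepts intermediate CA certificates appended after the server certificate, and it flags a passphrase-protected key, which Postfix cannot open unattended.

```sh
#!/bin/sh
# Added example (not from the original thread). Checks a combined Postfix
# smtpd.pem for the block layout the quoted message shows as correct, and
# extracts the verify result from an openssl s_client transcript.

# pem_layout FILE: print the order of PEM blocks in FILE, one token per line.
# "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY" all normalise to KEY;
# an ENCRYPTED PRIVATE KEY header is kept distinct so it can be rejected.
pem_layout() {
    awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----$/ { print "BEGIN ENCKEY"; next }
        /^-----BEGIN [A-Z ]*PRIVATE KEY-----$/    { print "BEGIN KEY";    next }
        /^-----END [A-Z ]*PRIVATE KEY-----$/      { print "END KEY";      next }
        /^-----BEGIN CERTIFICATE-----$/           { print "BEGIN CERT";   next }
        /^-----END CERTIFICATE-----$/             { print "END CERT";     next }
    ' "$1"
}

# check_pem_layout FILE: succeed only if FILE holds one complete, unencrypted
# private-key block followed by one or more complete certificate blocks
# (server certificate first, then any intermediate CA certificates).
check_pem_layout() {
    layout=$(pem_layout "$1" | tr '\n' ' ')
    case "$layout" in
        *"ENCKEY"*)
            echo "$1: private key is passphrase-protected; Postfix cannot read it unattended" >&2
            return 1 ;;
        "BEGIN KEY END KEY BEGIN CERT END CERT "*)
            ;;
        *)
            echo "$1: unexpected PEM layout: ${layout:-<no PEM armour lines found>}" >&2
            return 1 ;;
    esac
    # everything after the key must be whole BEGIN/END CERTIFICATE pairs
    rest=${layout#"BEGIN KEY END KEY "}
    while [ -n "$rest" ]; do
        case "$rest" in
            "BEGIN CERT END CERT "*) rest=${rest#"BEGIN CERT END CERT "} ;;
            *) echo "$1: unpaired block after the certificate: $rest" >&2; return 1 ;;
        esac
    done
    return 0
}

# key_matches_cert FILE: with openssl installed, confirm the public key in the
# certificate is the one derived from the private key in the same file.
# Returns 2 when openssl is missing so "skipped" is distinguishable from
# "mismatch". Needs real key material, so the placeholders below do not use it.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# verify_return_code: read s_client output on stdin, print the numeric
# "Verify return code". 0 means the chain verified against the client's trust
# store; 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) is what s_client reports
# for a self-signed server certificate and says nothing about STARTTLS itself.
verify_return_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*$/\1/p' | head -n 1
}

# --- constructed samples: armour lines only, no real key material ----------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
# layout the quoted message shows as correct
printf '%s\n' '-----BEGIN PRIVATE KEY-----' '-----END PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' > "$SAMPLE_DIR/good.pem"
# layout the poster found: certificate first, key block without its BEGIN line
printf '%s\n' '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' \
    '-----END PRIVATE KEY-----' > "$SAMPLE_DIR/bad.pem"
# key, server certificate, then one intermediate CA certificate
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '-----END RSA PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' > "$SAMPLE_DIR/chain.pem"
# passphrase-protected key
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' '-----END ENCRYPTED PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' > "$SAMPLE_DIR/enc.pem"

# constructed excerpt modelled on the s_client transcript in the thread
SAMPLE_SCLIENT='SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
---
250 DSN'

for f in good bad chain enc; do
    if check_pem_layout "$SAMPLE_DIR/$f.pem" 2>/dev/null; then
        echo "$f.pem: layout OK"
    else
        echo "$f.pem: layout rejected"
    fi
done
echo "s_client verify return code: $(printf '%s\n' "$SAMPLE_SCLIENT" | verify_return_code)"
```

On a real smtpd.pem, run `check_pem_layout smtpd.pem && key_matches_cert smtpd.pem` before reloading Postfix; the first catches the truncated-key layout seen in the thread, the second catches a key and certificate that were generated separately. A return code of 18 from s_client is the expected result for a self-signed certificate; to see the handshake succeed with code 0, point the client at the same certificate as its trust anchor, e.g. `openssl s_client -starttls smtp -connect mail.example.com:25 -CAfile smtpd.pem`.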