On Sun, Nov 25, 2012 at 07:12:00AM -0500, sl...@lavabit.com wrote:

> It turned out that my version of genrsa doesn't support the -nodes
> option. I removed it and it didn't raise any errors.

Actually that's universal, I forgot that while with req(1) encryption of
the private key is the default and "-nodes" turns it off, with genrsa(1)
no encryption is the default and "-aes128" or similar turns it on.

> > When I run this and check the contents of the smtpd.pem file (did
> > you ever look at the file contents? Why not?) I see:
> >
> > $ egrep '^-----' smtpd.pem
> > -----BEGIN PRIVATE KEY-----
> > -----END PRIVATE KEY-----
> > -----BEGIN CERTIFICATE-----
> > -----END CERTIFICATE-----
>
> It was:
>
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> -----END PRIVATE KEY-----

So the output was overlapped, which is different than what I see (but I
only tested OpenSSL 1.0.x on BSD-like systems). Thus it is safer to
generate the key and cert in separate command invocations.

> I removed the -nodes option and it worked.
>
> [...]
> Verify return code: 18 (self signed certificate)
> ---
> 250 DSN
> read:errno=0
>
> How to debug the above output? Is it OK?

Nothing to debug, you're all set.

-- 
	Viktor.
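An added shell example, not from the thread, of the two-step generation Viktor recommends plus the `egrep '^-----'` marker check turned into a pass/fail test; the output path and the certificate CN are assumed values.

```sh
#!/bin/sh
# Added example: build smtpd.pem from a key and a certificate produced in two
# separate openssl invocations, then confirm the PEM markers appear in the
# expected order (key, then cert) before handing the file to Postfix.

# Print only the PEM boundary lines of FILE, as the egrep check in the thread does.
pem_markers() {
    grep '^-----' "$1"
}

# Return 0 when FILE holds exactly one private key followed by one certificate,
# 1 otherwise (for example the overlapped output the poster saw).
pem_layout_ok() {
    markers=$(pem_markers "$1" | sed 's/^-----//; s/-----$//' | tr '\n' ',')
    case "$markers" in
        'BEGIN PRIVATE KEY,END PRIVATE KEY,BEGIN CERTIFICATE,END CERTIFICATE,') return 0 ;;
        'BEGIN RSA PRIVATE KEY,END RSA PRIVATE KEY,BEGIN CERTIFICATE,END CERTIFICATE,') return 0 ;;
        *) return 1 ;;
    esac
}

# Generate the key and the self-signed certificate separately and assemble OUT.
# OUT (destination path) and HOST (certificate CN) are assumed example values.
gen_smtpd_pem() {
    out=$1; host=$2
    tmpkey=$(mktemp) && tmpcrt=$(mktemp) || return 1
    # Key first: genrsa writes an unencrypted key unless -aes128 or similar is given.
    openssl genrsa -out "$tmpkey" 2048 >/dev/null 2>&1 || return 1
    # Certificate second: -x509 makes it self-signed; -nodes is a req option for
    # newly generated keys and is not needed when an existing key is supplied.
    openssl req -new -x509 -key "$tmpkey" -subj "/CN=$host" -days 365 \
        -out "$tmpcrt" >/dev/null 2>&1 || return 1
    cat "$tmpkey" "$tmpcrt" > "$out" && chmod 600 "$out" || return 1
    rm -f "$tmpkey" "$tmpcrt"
    pem_layout_ok "$out"
}

# Usage (requires openssl on PATH): gen_smtpd_pem /etc/postfix/smtpd.pem mail.example.com
```

`gen_smtpd_pem` returns non-zero if either openssl step fails or the resulting file does not have the key-then-certificate layout, so it can be used directly in a provisioning script.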