Axigen does not read certificates until they are world readable [Linux, Debian Buster]

Hello,

I just built a new axigen personal server and noticed strange behaviour. Axigen does not want to read certificates/keys on a service listener until they are world readable.

I have a listener configured (for example SMTP with STARTTLS) in axigen.cfg:
listeners = (
  {
    address = 0.0.0.0:25
    enable = yes
    idleTimeout = 300
    maxConnections = 200
    maxIntervalConnections = 600
    timeInterval = 60
    peerMaxConnections = 20
    peerMaxIntervalConnections = 600
    peerTimeInterval = 60
    allowRules = ()
    denyRules = ()
    sslEnable = no
    sslControl = {
      allowedVersions = (tls1 tls1_1 tls1_2 tls1_3)
      certFile = "certs/mail.example.com/mail.example.com.combined.pem"
      caFile = "certs/mail.example.com/mail.example.com.fullchain.cer"
      dhParamFile = "none"
      maxChainDepth = 4
      cipherSuite = "!AECDH:!ADH:!aNULL:!eNULL:!RC4:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!EDH:!EXPORT"
      preferServerCipherSuiteOrder = yes
      useEphemeralKey = yes
      requestClientAuth = no
    }
    listenerDomain = ""
  }

Service is running as user axigen

Axigen is in groups: axigen, certs

Ownership is set like this:

ls -lah /var/opt/axigen/certs/mail.example.com/
drwxr-xr-x 1 letsencrypt certs 214 čec 30 13:36 .
drwxr-xr-x 1 letsencrypt certs 312 čec 29 14:01 ..
-rw-r--r-- 1 letsencrypt certs 1,9K čec 30 13:36 mail.example.com.cer
-rw-r--r-- 1 letsencrypt certs 3,6K čec 30 13:36 mail.example.com.combined.pem
-rw-r--r-- 1 letsencrypt certs 3,6K čec 30 13:36 mail.example.com.fullchain.cer
-rwxr-x--- 1 letsencrypt certs 1,7K čec 30 13:36 mail.example.com.key

But when the cert or key (or both) file permissions are set to 640 instead of 644, the listener fails to start with this error:
Jul 30 11:22:44 explorer Axigen[658]: ERROR: Cannot use SSL certificate file '/etc/pki/certs/mail.example.com/mail.example.com.combined.pem', listener '0.0.0.0:25' disabled
Jul 30 11:22:44 explorer Axigen[658]: ERROR: SMTP-IN: cannot open listener '0.0.0.0:25' (Invalid certificate file)

2020-07-30 11:22:44 +0200 02 explorer WEBADMIN:00000011: SSL load certificate error:0200100D:system library:fopen:Permission denied
2020-07-30 11:22:44 +0200 02 explorer WEBADMIN:00000011: SSL load certificate error:20074002:BIO routines:file_ctrl:system lib
2020-07-30 11:22:44 +0200 02 explorer WEBADMIN:00000011: SSL load certificate error:140DC002:SSL routines:use_certificate_chain_file:system lib

When I change permissions to 640, it does not work.

Why is this happening? And how to fix this?

If I manually switch to user axigen, I can read certs/keys when they are set to 640. So is axigen using some other user to read certs and keys?
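An added diagnostic that answers the question above directly (it is not part of this thread and not Axigen code): it reads the real uid, gid and supplementary groups of the running daemon from /proc/PID/status and checks them against the file's owner, group and mode bits the way the kernel does for an unprivileged user. It assumes Linux procfs and GNU coreutils stat; the PID lookup and key path in the trailing comment are placeholders.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: can a running process read a file,
# judged by ownership and mode bits alone? Assumes Linux /proc and GNU stat.

# Real uid, real gid and supplementary groups of a PID from /proc/PID/status.
# These are what the daemon actually holds, which can differ from `id axigen`
# if it was started before a group was added, or dropped privileges without
# calling initgroups().
proc_creds() {
    awk '/^Uid:/ {u=$2} /^Gid:/ {g=$2} /^Groups:/ {$1=""; s=$0}
         END {print u, g, s}' "/proc/$1/status"
}

# can_read UID "GID ..." FILE -> exit 0 if the mode bits grant read access.
# Deliberately ignores root and capabilities: we want the answer an
# unprivileged service user gets.
can_read() {
    uid=$1; gids=$2; file=$3
    set -- $(stat -c '%u %g %a' "$file")
    owner=$1; group=$2
    perm=$(printf '%03d' "$3"); perm=${perm#"${perm%???}"}  # last 3 octal digits
    o=${perm%??}; w=${perm#??}; g=${perm#?}; g=${g%?}
    if [ "$uid" = "$owner" ]; then
        bits=$o                     # owner class wins even if a group matches
    else
        bits=$w
        for id in $gids; do [ "$id" = "$group" ] && bits=$g && break; done
    fi
    [ $((bits & 4)) -ne 0 ]
}

# check_process_file PID FILE: report, and return non-zero when unreadable.
check_process_file() {
    creds=$(proc_creds "$1")
    uid=${creds%% *}; gids=${creds#* }
    if can_read "$uid" "$gids" "$2"; then
        echo "pid $1 (uid $uid, groups:$gids) can read $2"
    else
        echo "pid $1 (uid $uid, groups:$gids) CANNOT read $2 ($(stat -c '%U:%G %a' "$2"))"
        return 1
    fi
}

# Usage (placeholder PID lookup): the daemon's real groups vs the key file.
# check_process_file "$(pgrep -o -x axigen)" /var/opt/axigen/certs/mail.example.com/mail.example.com.key
```

If the Groups line for the daemon lacks the `certs` gid even though `id axigen` lists it, the process never picked the group up and a restart (or a fix to how it drops privileges) is needed rather than a chmod.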

Did you check SELinux?
Set it to Permissive and check again.

Hi,

there is no SELinux on Debian. At least not by default, and I did not install it. I double checked that and it's not here.
If it were blocked by SELinux policies, I believe setting permissions to world readable would make no difference.


Definitely strange.
My Axigen servers run on Debian Stretch and their certs are all set to 640, without any issues.
What does seem to be different, is that on my systems, owner and group is set to axigen.

root@mail:/var/opt/axigen/letsencrypt/mail.example.com# ls -la

drwx------ 2 axigen axigen 4096 Jul 31 22:15 .
drwx------ 3 axigen axigen 4096 Mar 11 17:02 ..
-rw-r----- 1 axigen axigen 241 Mar 11 16:59 account_priv.key
-rw-r----- 1 axigen axigen 1647 Jul 18 21:25 cert_auth.pem
-rw-r----- 1 axigen axigen 5530 Jul 18 21:25 cert.pem
-rw-r----- 1 axigen axigen 3243 Mar 11 17:06 cert_priv.key

Hello Kisuke,

We'll check this issue and come back to you (we've got your point and will push for a fix).

BR,
Ioan