Hello,
I just built a new Axigen personal server and noticed strange behavior. Axigen does not want to read certificates/keys on a service listener until they are world readable.
I have a listener configured (for example SMTP with STARTTLS) in axigen.cfg:
listeners = (
  {
    address = 0.0.0.0:25
    enable = yes
    idleTimeout = 300
    maxConnections = 200
    maxIntervalConnections = 600
    timeInterval = 60
    peerMaxConnections = 20
    peerMaxIntervalConnections = 600
    peerTimeInterval = 60
    allowRules = ()
    denyRules = ()
    sslEnable = no
    sslControl = {
      allowedVersions = (tls1 tls1_1 tls1_2 tls1_3)
      certFile = "certs/mail.example.com/mail.example.com.combined.pem"
      caFile = "certs/mail.example.com/mail.example.com.fullchain.cer"
      dhParamFile = "none"
      maxChainDepth = 4
      cipherSuite = "!AECDH:!ADH:!aNULL:!eNULL:!RC4:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!EDH:!EXPORT"
      preferServerCipherSuiteOrder = yes
      useEphemeralKey = yes
      requestClientAuth = no
    }
    listenerDomain = ""
  }
The service is running as user axigen.
Axigen is in groups: axigen, certs
Ownership is set like this:
ls -lah /var/opt/axigen/certs/mail.example.com/
drwxr-xr-x 1 letsencrypt certs 214 čec 30 13:36 .
drwxr-xr-x 1 letsencrypt certs 312 čec 29 14:01 ..
-rw-r--r-- 1 letsencrypt certs 1,9K čec 30 13:36 mail.example.com.cer
-rw-r--r-- 1 letsencrypt certs 3,6K čec 30 13:36 mail.example.com.combined.pem
-rw-r--r-- 1 letsencrypt certs 3,6K čec 30 13:36 mail.example.com.fullchain.cer
-rwxr-x--- 1 letsencrypt certs 1,7K čec 30 13:36 mail.example.com.key
But when the cert or key (or both) file permissions are set to 640 instead of 644, the listener fails to start with this error:
Jul 30 11:22:44 explorer Axigen[658]: ERROR: Cannot use SSL certificate file '/etc/pki/certs/mail.example.com/mail.example.com.combined.pem', listener '0.0.0.0:25' disabled
Jul 30 11:22:44 explorer Axigen[658]: ERROR: SMTP-IN: cannot open listener '0.0.0.0:25' (Invalid certificate file)
2020-07-30 11:22:44 +0200 02 explorer WEBADMIN:00000011: SSL load certificate error:0200100D:system library:fopen:Permission denied
2020-07-30 11:22:44 +0200 02 explorer WEBADMIN:00000011: SSL load certificate error:20074002:BIO routines:file_ctrl:system lib
2020-07-30 11:22:44 +0200 02 explorer WEBADMIN:00000011: SSL load certificate error:140DC002:SSL routines:use_certificate_chain_file:system lib
When I change the permissions to 640, it does not work.
Why is this happening? And how do I fix this?
If I manually switch to user axigen, I can read the certs/keys when they are set to 640. So is Axigen using some other user to read the certs and keys?
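Added diagnostic for the situation described in this post (my own example, not Axigen's tooling or any answer from the forum): it applies the POSIX owner/group/other read check to a file's mode for a service account, once with the account's full supplementary group list (what an interactive `su axigen` gives you) and once with only its primary group (what a daemon ends up with if it switches uid/gid without re-initialising supplementary groups, one hypothesis that would match the 640-vs-644 symptom). It assumes GNU stat/id on Linux; the names axigen, certs and letsencrypt come from the post.

```shell
#!/bin/sh
# Added example: does USER get read access to a file under POSIX mode bits?
# POSIX picks exactly one class: owner if uid matches, else group if any of
# the process's groups match, else other. A 640 file owned by letsencrypt:certs
# is therefore readable by axigen only if "certs" is in the process's group list.

# in_list NEEDLE "a b c" -> 0 if NEEDLE is one of the words
in_list() {
    needle=$1
    for x in $2; do [ "$x" = "$needle" ] && return 0; done
    return 1
}

# can_read OWNER GROUP MODE USER "GROUPS" -> prints yes|no
#   MODE is octal (640, 0750, ...); GROUPS is the list the process carries.
can_read() {
    owner=$1; group=$2; mode=$3; user=$4; groups=$5
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')   # keep rwx digits only
    u=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    if [ "$user" = "$owner" ]; then bits=$u
    elif in_list "$group" "$groups"; then bits=$g
    else bits=$o
    fi
    if [ $(( bits & 4 )) -ne 0 ]; then echo yes; else echo no; fi   # 4 = read bit
}

# check_file FILE USER -> reports access with full vs. primary-only groups
check_file() {
    f=$1; user=$2
    info=$(stat -c '%U %G %a' "$f" 2>/dev/null) || return 1
    set -- $info
    full=$(id -Gn "$user")     # all groups, as an interactive login would have
    primary=$(id -gn "$user")  # primary group only, as a daemon without initgroups()
    printf '%s owner=%s group=%s mode=%s\n' "$f" "$1" "$2" "$3"
    printf '  %s with groups [%s]: %s\n' "$user" "$full" "$(can_read "$1" "$2" "$3" "$user" "$full")"
    printf '  %s with primary group only [%s]: %s\n' "$user" "$primary" "$(can_read "$1" "$2" "$3" "$user" "$primary")"
}

# Usage: sh check_certs.sh axigen /var/opt/axigen/certs/mail.example.com/*
if [ "$#" -ge 2 ]; then
    svc=$1; shift
    for f in "$@"; do check_file "$f" "$svc"; done
fi
```

If the "primary group only" line says no while the full-groups line says yes, the mode bits are fine and the question becomes which group list the running process actually has (compare `grep Groups /proc/$(pidof axigen)/status` with `id axigen`).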