• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 933
  • Last Modified:

renewing SSL cert for sendmail on red hat

I adopted mail server configured on red hat linux 6 from a previous admin. We recently received a renewal notice for our SSL cert and I want to make sure I renew the cert properly.

I can see that the current cert is located at
/etc/pki/tls/certs/sendmail.pem

Can I simply replace the old sendmail.pem with the new one and restart sendmail? Or is their anything else required? This is an older redhat enterprise 6 server.

define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/intermediate.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY',`/etc/pki/tls/certs/mail.key')
0
binovpd
Asked:
binovpd
  • 2
1 Solution
 
xtermCommented:
You will want to replace both the cert and the key as described by the following directives in your sendmail config:

ServerCertFile=
ServerKeyFile=

If you are using different keys for clients, then you will also want to locate/renew the files referenced by the settings ClientCertFile and ClientKeyFile.

But yes, all you have to do is replace your key and cert and then restart sendmail.  BTW, if it's RHEL 6, by definition is really not an "older" system - that is the latest stable version of RHEL at this time.
0
 
binovpdAuthor Commented:
Thanks for the help xterm I appreciate it.
0
 
binovpdAuthor Commented:
Had to add this bit of info because it stumped me for quite some time. I backed up all my cert files and put in the new, restarted sendmail. After that when I attempted to verify SSL was working over smtp I was getting fails.

Running openssl to test
openssl s_client -connect mail.server.com587 -starttls smtp

CONNECTED(00000003)
didn't found starttls in server response, try anyway...
140031671953224:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:699:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 315 bytes and written 147 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Open in new window


This drove me crazy. I finally stumbled upon a blog mentioning the fact that the mail.key and sendmail.pem (SSL cert file) must have permissions of 600. Once I did that everything started working.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now