binovpd
asked on
renewing SSL cert for sendmail on red hat
I adopted a mail server configured on Red Hat Linux 6 from a previous admin. We recently received a renewal notice for our SSL cert and I want to make sure I renew the cert properly.
I can see that the current cert is located at
/etc/pki/tls/certs/sendmail.pem
Can I simply replace the old sendmail.pem with the new one and restart sendmail? Or is there anything else required? This is an older Red Hat Enterprise 6 server.
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/intermediate.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/mail.key')
ASKER
Had to add this bit of info because it stumped me for quite some time. I backed up all my cert files and put in the new ones, then restarted sendmail. After that, when I attempted to verify that SSL was working over SMTP, I was getting failures.
Running openssl to test
openssl s_client -connect mail.server.com:587 -starttls smtp
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
140031671953224:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:699:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 315 bytes and written 147 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
This drove me crazy. I finally stumbled upon a blog mentioning the fact that the mail.key and sendmail.pem (SSL cert file) must have permissions of 600. Once I did that everything started working.
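A pre-flight script for the renewal steps described in this thread (an added example, written by the editor, not the asker's code and not part of any Red Hat or sendmail tooling): it checks that the new sendmail.pem belongs to mail.key, is not about to expire, was issued by the intermediate named in confCACERT, and that both files carry the mode 600 the asker had to set. The paths in the comments are the ones from the question's sendmail.mc; the issuer check compares DNs rather than running a full chain verification.

```sh
#!/bin/sh
# Pre-flight checks for a renewed sendmail certificate on RHEL 6.
# Paths default to the ones in the sendmail.mc quoted in the question;
# pass your own as arguments: check_sendmail_cert CERT KEY INTERMEDIATE
# Prints every failed check and returns 1 if any failed, 0 otherwise.

check_sendmail_cert() {
    cert="$1"; key="$2"; ca="$3"; rc=0

    # 1. The new certificate must have been issued for the installed private
    #    key: the public key inside the cert has to equal the key's public half.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: public key in $cert does not match $key"; rc=1
    fi

    # 2. The certificate must still be valid 30 days (2592000 s) from now.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or expires within 30 days"; rc=1
    fi

    # 3. The leaf must be issued by the intermediate named in confCACERT;
    #    a stale intermediate.crt left in place breaks the chain clients see.
    issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    ca_subj=$(openssl x509 -in "$ca" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    if [ -z "$issuer" ] || [ "$issuer" != "$ca_subj" ]; then
        echo "FAIL: issuer of $cert ($issuer) is not the subject of $ca"; rc=1
    fi

    # 4. Key material must not be group- or world-readable; the asker found
    #    both files needed mode 600 before STARTTLS would work at all.
    for f in "$cert" "$key"; do
        mode=$(stat -c %a "$f" 2>/dev/null)
        if [ "$mode" != "600" ]; then
            echo "FAIL: $f has mode ${mode:-missing}, expected 600"; rc=1
        fi
    done
    return "$rc"
}

# Run directly with explicit paths, e.g. the ones from the question's sendmail.mc:
#   sh check_cert.sh /etc/pki/tls/certs/sendmail.pem /etc/pki/tls/certs/mail.key \
#       /etc/pki/tls/certs/intermediate.crt
if [ "$#" -eq 3 ]; then
    check_sendmail_cert "$@" && echo "OK: safe to restart sendmail"
fi
```

Run it before the restart; once it reports OK, the openssl s_client test above should show a certificate and a negotiated cipher instead of "unknown protocol".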