Bug#426013: exim4-daemon-heavy Base64 decoding error

Simon Josefsson simon at josefsson.org
Thu Feb 28 13:58:36 UTC 2008


Hi!  Looking over the entire bug report, I'm confused by the path names.
Early in your bug report the files were:

MAIN_TLS_PRIVATEKEY = /etc/exim4/certificates/newserver_co_uk.pem
MAIN_TLS_CERTIFICATE = /etc/exim4/certificates/newserver_co_uk.crt

This means the /etc/exim4/certificates/newserver_co_uk.crt file should
contain something like:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

and the /etc/exim4/certificates/newserver_co_uk.pem file should contain
something like:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Can you confirm that the files, respectively, have the proper headers?

If the files contain anything else but content like the above, that may
be the problem.

I don't understand what the .key file is.  Can you confirm that
'certtool -k /etc/exim4/certificates/newserver_co_uk.pem' works?

It is important to run the tests on the exact same files as the ones
used by exim.

Do you still get the exact same exim error message?  Note that if the
*.crt and *.pem filenames are mixed up, that would explain everything.

2007-05-13 22:02:17 TLS error on connection from myhost.net [217.147.xx.xx]
    (cert/key set up: cert=/etc/exim4/certificates/newserver_co_uk.crt
     key=/etc/exim4/certificates/newserver_co_uk.pem) : Base64 decoding error.

/Simon

Mark Adams <mark at campbell-lange.net> writes:

> Hi Simon,
>
> Apologies for the very late reply.
>
> certtool works fine on the .crt file, but not on the .key - I get the
> Base64 decoding error.
>
> certtool: Import error: Base64 decoding error.
>
> The file appears to be in the correct format.
>
> Regards,
> Mark
>
>
> On Fri, Jan 04, 2008 at 12:22:51PM +0100, Simon Josefsson wrote:
>> Hi Mark!  I'm trying to help debug this problem.  Could you please post
>> the output from running:
>> 
>> certtool -i < /etc/exim4/certificates/newserver_co_uk.crt
>> 
>> Could you also check that
>> 
>> certtool -k < /etc/exim4/certificates/newserver_co_uk.pem
>> 
>> works?  Don't post the output, as that would compromise your private
>> key.
>> 
>> Do the files contain anything except one certificate and one private key
>> respectively?
>> 
>> The next step would be to install libgnutls-dbg and set a breakpoint on
>> gnutls_certificate_set_x509_key_file to see where it fails.
>> 
>> I'm trying to confirm that the problem only happens inside exim, and not
>> inside gnutls.  That seems strange, but the discussions in the bug
>> report earlier suggest this.
>> 
>> Fwiw, I believe this problem has nothing to do with a wildcard cert, the
>> code that fails reads:
>> 
>>   DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
>>     cert_expanded, key_expanded);
>>   rc = gnutls_certificate_set_x509_key_file(x509_cred, CS cert_expanded,
>>     CS key_expanded, GNUTLS_X509_FMT_PEM);
>>   if (rc < 0)
>>     {
>>     uschar *msg = string_sprintf("cert/key setup: cert=%s key=%s",
>>       cert_expanded, key_expanded);
>>     return tls_error(msg, host, rc);
>>     }
>> 
>> That function does not care whether the certificate is a wildcard one.
>> 
>> /Simon

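The checks Simon asks for above (proper BEGIN/END headers, a body that is clean Base64, and the .crt and .pem files not mixed up) can be scripted. The following is an added example, not code from the bug report, exim or GnuTLS; it uses only the Python standard library, and the sample PEM files, the function names `pem_blocks` and `check_pair`, and the tiny DER body standing in for a real certificate or key are all constructed for the example.

```python
"""Structural sanity checks for a PEM certificate / private-key pair.

Added example; not code from the bug report, exim or GnuTLS. It repeats
the first thing any PEM loader does: locate the -----BEGIN/-----END
markers and Base64-decode what lies between them. A stray character, a
missing marker or a swapped pair of files is enough to surface as the
"Base64 decoding error" discussed in the thread.
"""
import base64
import binascii
import re

# One PEM block; the label in the BEGIN marker must be repeated in END.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)

KEY_LABELS = ("RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY")


def pem_blocks(text):
    """Return [(label, problems), ...] for every PEM block found in text.

    problems is an empty list when the Base64 body decodes cleanly;
    otherwise it lists what a loader would stumble over."""
    blocks = []
    for m in PEM_RE.finditer(text):
        problems = []
        body = m.group("body")
        if "\r" in body:
            problems.append("CR characters inside Base64 body (DOS line endings?)")
        compact = "".join(body.split())  # PEM allows line breaks; drop them
        try:
            raw = base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            problems.append("Base64 decoding error: %s" % exc)
        else:
            # DER certificates and keys start with a SEQUENCE tag (0x30);
            # anything else is not X.509/PKCS material even if the Base64 is fine.
            if not raw or raw[0] != 0x30:
                problems.append("decoded body does not start with a DER SEQUENCE")
        blocks.append((m.group("label"), problems))
    return blocks


def check_pair(cert_text, key_text):
    """Diagnose a certificate file and a key file the way exim pairs
    MAIN_TLS_CERTIFICATE with MAIN_TLS_PRIVATEKEY.

    Returns the labels seen in each file, every per-block problem, whether
    the two files look swapped, and an overall ok flag."""
    cert_blocks = pem_blocks(cert_text)
    key_blocks = pem_blocks(key_text)
    cert_labels = [label for label, _ in cert_blocks]
    key_labels = [label for label, _ in key_blocks]
    has_cert = "CERTIFICATE" in cert_labels
    has_key = any(label in KEY_LABELS for label in key_labels)
    swapped = (any(label in KEY_LABELS for label in cert_labels)
               and "CERTIFICATE" in key_labels)
    problems = [p for _, ps in cert_blocks + key_blocks for p in ps]
    if not cert_blocks:
        problems.append("certificate file: no PEM block found")
    if not key_blocks:
        problems.append("key file: no PEM block found")
    return {
        "cert_labels": cert_labels,
        "key_labels": key_labels,
        "swapped": swapped,
        "problems": problems,
        "ok": has_cert and has_key and not swapped and not problems,
    }


# Constructed sample inputs (not real credentials): a minimal DER
# SEQUENCE { INTEGER 5 } stands in for the certificate and key bodies.
_FAKE_DER = bytes.fromhex("3003020105")
_B64 = base64.b64encode(_FAKE_DER).decode()

SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % _B64
SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % _B64
# A key file with one non-Base64 character in its body, the kind of damage
# a copy-and-paste or a stray editor change leaves behind.
BROKEN_PEM = SAMPLE_PEM.replace(_B64, _B64[:3] + "#" + _B64[3:])


if __name__ == "__main__":
    for name, cert, key in (("good pair", SAMPLE_CRT, SAMPLE_PEM),
                            ("swapped pair", SAMPLE_PEM, SAMPLE_CRT),
                            ("damaged key", SAMPLE_CRT, BROKEN_PEM)):
        print(name, check_pair(cert, key))
```

Run against the real files with `check_pair(open(crt).read(), open(pem).read())`; the script never prints key material, only labels and problem descriptions, so its output is safe to paste into a bug report. It deliberately stops at the Base64 and outer DER layer: once that passes, `certtool -i` / `certtool -k` are the right tools for checking the actual certificate and key contents.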