Multiple certificates in Harka

[saras-r]

Hi,

I am trying to find how to use multiple certificates in haraka.
The requirement is that, for each client , the certificate and key needs to be different.
Requests from client1 will use key1 and pem1
Requests from client2 will use key2 and pem2
Is there a way to achieve this?
How can we configure this in tls.ini?

Thanks in advance

[msimerson]

Is there a way to achieve this?

I don't know. I wrote the multi-TLS certificate code in Haraka. This is not a use case I had considered.

How can we configure this in tls.ini?

🤷🏼‍♂️

[saras-r]

Hi Matt, Thanks for the reply. Is it possible to configure multiple keys and certs? I tried this in tls.ini- key[]=/etc/ssl/private/key1.pem cert[]=/etc/ssl/private/key1.crt key[]=/etc/ssl/private/key2.pem cert[]=/etc/ssl/private/key2.crt But on haraka startup I get the error : certificate routines:X509_check_private_key:key values mismatch" Please let me if i am missing anything. Thanks and regards, Saraswathi

…

On Tue, Dec 12, 2023 at 12:36 AM Matt Simerson ***@***.***> wrote: Is there a way to achieve this? I don't know. I wrote the multi-TLS certificate code in Haraka. This is not a use case I had considered. How can we configure this in tls.ini? 🤷🏼‍♂️ — Reply to this email directly, view it on GitHub <#3255 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BETGJ6U3HDS2R6EAZCA7MO3YI5KRXAVCNFSM6AAAAABAPTKHGWVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM3TQMRTGM4TM> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[msimerson]

I've never set up my TLS that way. I create a config/tls directory and drop all my certs in there. From the docs, it appears the cert needs to be the certificate chain.

[saras-r]

Hi Matt, I have a couple of .crt and .pem files. can i just place the .pem files in the config/tls directory? Also what needs to be mentioned in tls.ini in this case? thanks, Saraswathi

…

On Wed, Dec 13, 2023 at 10:38 AM Matt Simerson ***@***.***> wrote: I've never set up my TLS that way. I create a config/tls directory and drop all my certs in there. From the docs <https://github.com/haraka/Haraka/blob/master/docs/plugins/tls.md> it appears the cert needs to be the certificate chain. — Reply to this email directly, view it on GitHub <#3255 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BETGJ6XY2DH7K7ZGEOSQO2DYJEZ53AVCNFSM6AAAAABAPTKHGWVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM3TQMZYGA2DI> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[msimerson]

The docs tell you how to format the certificates for installation in the tls directory.

[saras-r]

Hi, I have tried all the steps mentioned in the docs, still i get this error: 'Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch" I have compared the .pem files with .cert files and they match. When I declare a single private key and cert file like this in tls.ini, there is no error: key[]=key1.pem cert[]=cert1.crt however if i add more keys and certs to the above arrays I get the error. key[]=key1.pem cert[]=cert1.crt key[]=key2.pem cert[]=cert2.crt Could you please suggest what might be the issue here? thanks Saraswathi

…

On Wed, Dec 13, 2023 at 10:17 PM Matt Simerson ***@***.***> wrote: The docs <https://github.com/haraka/Haraka/blob/master/docs/plugins/tls.md> tell you how to format the certificates for installation in the tls directory. — Reply to this email directly, view it on GitHub <#3255 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BETGJ6RTK22GVVK677WIBG3YJHLYPAVCNFSM6AAAAABAPTKHGWVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM3TQNBUHAZDQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[msimerson]

Help us help you. Show us EXACTLY the commands you use to generate your certs, how you created the PEM file, what you did with it. Be specific. Only then do we stand a chance of figuring out what your issue(s) is. Also, include your node.js and openssl versions.

[saras-r]

Hi Matt,
We use the following command to create the key and the csr:
openssl req -new -newkey rsa:2048 -nodes -keyout xxxx.key -out xxxx.csr

Open ssl version: LibreSSL 3.3.6
Nodejs version: 10.14.1

I checked that the modulus of the private key and the certificate matches for each of the key and cert pair
openssl x509 -noout -modulus -in xxxx.crt | openssl md5
openssl rsa -noout -modulus -in xxxx.pem | openssl md5