Bug#426013: exim4-daemon-heavy Base64 decoding error

Simon Josefsson simon at josefsson.org
Fri Jan 4 11:22:51 UTC 2008


Hi Mark!  I'm trying to help debug this problem.  Could you please post
the output from running:

certtool -i < /etc/exim4/certificates/newserver_co_uk.crt

Could you also check that

certtool -k < /etc/exim4/certificates/newserver_co_uk.pem

works?  Don't post the output, as that would compromise your private
key.

Do the files contain anything except one certificate and one private key
respectively?

The next step would be to install libgnutls-dbg and set a breakpoint on
gnutls_certificate_set_x509_key_file to see where it fails.

I'm trying to confirm that the problem only happens inside exim, and not
inside gnutls.  That seems strange, but the discussions in the bug
report earlier suggest this.

Fwiw, I believe this problem has nothing to do with a wildcard cert.  The
code that fails reads:

  DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
    cert_expanded, key_expanded);
  rc = gnutls_certificate_set_x509_key_file(x509_cred, CS cert_expanded,
    CS key_expanded, GNUTLS_X509_FMT_PEM);
  if (rc < 0)
    {
    uschar *msg = string_sprintf("cert/key setup: cert=%s key=%s",
      cert_expanded, key_expanded);
    return tls_error(msg, host, rc);
    }

That function does not care whether the certificate is a wildcard one.

/Simon
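
Added example, not part of the message above and not exim or GnuTLS code: a Python check for the question of whether each file holds anything besides one PEM block, and whether that block's body decodes as Base64. The name inspect_pem and the sample data are assumptions made for illustration; it checks PEM framing only, not the ASN.1 content that certtool parses.

```python
import base64
import binascii
import re

MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def inspect_pem(text):
    """Return (blocks, findings); blocks holds (label, decoded_length) pairs."""
    blocks, findings = [], []
    label, body = None, []
    if text.startswith("\ufeff"):
        findings.append("byte order mark at start of file")
        text = text[1:]
    if "\r" in text:
        findings.append("CR characters present (DOS line endings?)")
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = MARKER.match(line)
        if m and m.group(1) == "BEGIN":
            if label is not None:
                findings.append(f"line {n}: BEGIN inside unterminated {label}")
            label, body = m.group(2), []
        elif m:  # END marker: decode the collected body strictly
            if label != m.group(2):
                findings.append(f"line {n}: END {m.group(2)} without matching BEGIN")
            else:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                    blocks.append((label, len(der)))
                except binascii.Error as exc:
                    findings.append(f"line {n}: {label} body is not valid Base64 ({exc})")
            label = None
        elif label is not None:
            body.append(line)
        elif line:
            findings.append(f"line {n}: text outside any PEM block")
    if label is not None:
        findings.append(f"unterminated {label} block")
    return blocks, findings

# Constructed sample: Base64 of placeholder bytes, not a real certificate.
_BODY = base64.b64encode(bytes(range(96))).decode()
GOOD = f"-----BEGIN CERTIFICATE-----\n{_BODY[:64]}\n{_BODY[64:]}\n-----END CERTIFICATE-----\n"
BAD = "Bag Attributes\n" + GOOD.replace(_BODY[:64], _BODY[:63] + "*")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # prints labels and lengths only, never key bytes
        with open(path, encoding="utf-8", errors="replace", newline="") as fh:
            print(path, *inspect_pem(fh.read()), sep="\n  ")
```

The output lists only block labels, decoded lengths and findings, so it can be posted for a key file without exposing the key.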




