I'm try to run vault instance on aws and when i want to run command: vault operator init -key-shares=5 -key-threshold=3 -format json on Ansible role and i have error code :
fatal: [vault]: FAILED! => {"changed": true, "cmd": "vault operator init -key-shares=5 -key-threshold=3 -format json", "delta": "0:00:00.054870", "end": "2021-12-12 14:30:50.956504", "msg": "non-zero return code", "rc": 2, "start": "2021-12-12 14:30:50.901634", "stderr": "Error initializing: Put \"http://127.0.0.1:8200/v1/sys/init\": dial tcp 127.0.0.1:8200: connect: connection refused", "stderr_lines": ["Error initializing: Put \"http://127.0.0.1:8200/v1/sys/init\": dial tcp 127.0.0.1:8200: connect: connection refused"], "stdout": "", "stdout_lines": []}
When i'm on my vault server and when i do service vault status, i have this result :
vault.service - a tool for managing secrets
Loaded: loaded (/etc/systemd/system/vault.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sun 2021-12-12 14:19:47 UTC; 6min ago
Docs: https://vaultproject.io/docs/
Process: 5152 ExecStart=/usr/local/bin/vault server -config=/etc/vault.hcl (code=exited, status=213/SECUREBITS)
Main PID: 5152 (code=exited, status=213/SECUREBITS)
Dec 12 14:19:47 ip-172-31-37-194 systemd[1]: Started a tool for managing secrets.
Dec 12 14:19:47 ip-172-31-37-194 systemd[5152]: vault.service: Failed to set process secure bits: Operation not perm
Dec 12 14:19:47 ip-172-31-37-194 systemd[5152]: vault.service: Failed at step SECUREBITS spawning /usr/local/bin/vau
Dec 12 14:19:47 ip-172-31-37-194 systemd[1]: vault.service: Main process exited, code=exited, status=213/SECUREBITS
Dec 12 14:19:47 ip-172-31-37-194 systemd[1]: vault.service: Failed with result 'exit-code'.
There'is my 2 config files :
vault.hcl :
disable_mlock = true
listener "tcp" {
address = "http://{{ listener_address }}"
tls_disable = 1
}
backend "file" {
path = "/var/lib/vault"
}
my vault.service :
[Unit]
Description=a tool for managing secrets
Documentation=https://vaultproject.io/docs/
After=network.target
ConditionFileNotEmpty=/etc/vault.hcl
[Service]
User=vault
Group=vault
ExecStart=/usr/local/bin/vault server -config=/etc/vault.hcl
ExecReload=/usr/local/bin/kill --signal HUP $MAINPID
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
SecureBits=keep-caps
NoNewPrivileges=yes
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target
I didn't find anything yet who could unlock this situation, if someone have an idea.
I have this new client which only can talk TLSv1.2 which communicate with a old service which can only talk TLSv1. It is about to be upgraded. It is an internal system without access to internet.
To solve the problem I have placed a Nginx proxy in between.
client =TLS1.2=> Nginx =TLSv1=> oldservice
Even with proxy_ssl_verify=off I get this error:
==> /var/log/nginx/ngx-error.log <==
2021/09/15 14:48:26 [error] 13231#0: *3 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 10.140.164.9, server: ngx.example.org, request: "GET /net/EXT/microservice.svc HTTP/1.1", upstream: "https://172.23.149.10:443/EXT/microservice.svc", host: "ngx.example.org"
If I on ngx.example.org run curl -v https://endp.example.org/EXT/microservice.svc I get this message:
* NSS error -8016 (SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)
* The certificate was signed using a signature algorithm that is disabled because it is not secure.
* Closing connection 0
curl: (60) The certificate was signed using a signature algorithm that is disabled because it is not secure.
If I run curl --insecure it is working and this is the behavior I want Nginx to do.
My Nginx configuration:
server {
listen 80;
listen 443 ssl;
server_name ngx.example.org;
access_log /var/log/nginx/ngx-access.log;
error_log /var/log/nginx/ngx-error.log;
root /var/www/nginx/ngx;
ssl_protocols TLSv1.2;
ssl_certificate /etc/pki/nginx/private/ngx.example.org.crt;
ssl_certificate_key /etc/pki/nginx/private/ngx.example.org.key;
ssl_verify_client off;
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#proxy_ssl_ciphers PSK-3DES-EDE-CBC-SHA;
location /net/ {
proxy_ssl_name endp.example.org;
proxy_ssl_server_name on;
proxy_ssl_verify off;
proxy_ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/wsgw.root.ca.pem;
proxy_set_header Host endp.example.org;
proxy_set_header X_FORWARDED_PROTO https;
proxy_pass https://endp.example.org/;
}
}
Edit:
Here is the output from openssl without -tlsv1:
openssl s_client -connect endp.example.org:443
139801673865104:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1631880896
Timeout : 300 (sec)
Verify return code: 0 (ok)
Here is the output from openssl with -tlsv1:
openssl s_client -connect endp.example.org:443 -tls1
depth=0 CN = endp.example.org
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = endp.example.org
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=endp.example.org
i:/CN=endp.example.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICIzCCAYygAwIBAgIQZs9VZsp/iZRC2rL+oYTf0DANBgkqhkiG9w0BAQQFADAc
...lines deleted
OS+ih0tnXEzJKqtSC52Z+zAIFWdEipA=
-----END CERTIFICATE-----
subject=/CN=endp.example.org
issuer=/CN=endp.example.org
---
No client certificate CA names sent
---
SSL handshake has read 694 bytes and written 363 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: A01E00002B40C49CA7D7CD8EE73A9FB8DF44BF155300CDFCC98712657F697F88
Session-ID-ctx:
Master-Key: A90284275AA0067A47836A269592213E419F5286E0D30EA38F1094B50536F67913FCE7BA5D43025D1AC7FBDCA769FBE4
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1631862396
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Content of certificate:
$ openssl x509 -in endp.example.org.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
66:cf:55:66:ca:7f:89:94:42:da:b2:fe:a1:84:df:d0
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=endp.example.org
Validity
Not Before: Nov 9 11:08:50 2010 GMT
Not After : Dec 30 23:00:00 2030 GMT
Subject: CN=endp.example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:eb:ea:04:f0:53:87:26:b5:19:13:c6:a5:7b:27:
75:7e:f5:9a:84:74:59:d3:ec:0d:40:42:78:a4:c6:
1b:42:b2:50:19:3e:90:7b:20:73:f4:71:b8:3b:c3:
b3:dd:84:94:78:64:64:ac:5c:dc:a3:e4:8c:36:10:
32:ec:12:90:89:6c:e9:44:0e:fb:2e:84:0f:df:16:
c2:ae:b8:2c:d6:d0:73:b3:cf:4b:f8:56:91:e6:30:
c1:15:34:9f:70:6d:e1:e9:33:de:d6:9b:4d:2e:c8:
03:7b:eb:ed:6b:9c:8e:0b:80:a2:ef:29:5f:18:4e:
bf:e3:9a:81:e3:57:ae:c5:3f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
2.5.29.1:
0D....M..w....T..."...0.1.0...U....endp.example.org..f.Uf....B.......
Signature Algorithm: md5WithRSAEncryption
83:a7:c9:cf:a5:d3:91:78:65:d0:43:24:84:c5:77:62:be:ba:
52:db:7f:c6:ca:59:40:50:91:5f:48:fe:77:4a:94:26:36:23:
3a:82:6b:54:46:c1:a4:0d:bd:8f:96:bc:04:c8:54:f7:74:94:
83:3a:9e:71:61:8c:d4:a0:77:be:fc:50:e8:3f:12:a3:00:01:
9d:d6:06:a0:77:c2:84:24:96:03:c1:6a:05:57:bb:5e:d0:47:
e5:ff:a9:6c:a1:e1:cc:a4:d0:4b:b0:9d:1b:0b:d4:39:2f:a2:
87:4b:67:5c:4c:c9:2a:ab:52:0b:9d:99:fb:30:08:15:67:44:
8a:90
Not a solution but a work-around: Use Apache
ServerName ngx.example.org:443
SSLEngine on
SSLProxyEngine on
SSLProxyVerifyDepth 0
SSLProtocol TLSv1.2
SSLProxyProtocol TLSv1
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCertificateFile /etc/pki/nginx/private/ngx.example.org.crt
SSLCertificateKeyFile /etc/pki/nginx/private/ngx.example.org.key
DocumentRoot /var/www/httpd/ngx
CustomLog /var/log/httpd/ngx/access.log combined
ErrorLog /var/log/httpd/ngx/error.log
ProxyPass "/net/" "https://endp.example.org/"
I followed the following guides on installing JFrog Artifactory OSS using RPM/Yum and using an external PostgreSQL database.
https://www.jfrog.com/confluence/display/JFROG/Installing+Artifactory
https://www.jfrog.com/confluence/display/RTF6X/PostgreSQL
SELinux is disabled and jfrog-artifactory-oss is installed from the JFrog repository [https://jfrog.bintray.com/artifactory-rpms].
Check the service:
[root#jfrog ~]# systemctl status artifactory -l
● artifactory.service - Artifactory service
Loaded: loaded (/usr/lib/systemd/system/artifactory.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2020-08-08 01:56:50 +08; 11min ago
Process: 9714 ExecStop=/opt/jfrog/artifactory/app/bin/artifactoryManage.sh stop (code=exited, status=0/SUCCESS)
Process: 10268 ExecStart=/opt/jfrog/artifactory/app/bin/artifactoryManage.sh start (code=exited, status=0/SUCCESS)
Main PID: 12388 (java)
CGroup: /system.slice/artifactory.service
‣ 12388 /opt/jfrog/artifactory/app/third-party/java/bin/java -Djava.util.logging.config.file=/opt/jfrog/artifactory/app/artifactory/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -server -Xss256k -XX:+UseG1GC -XX:OnOutOfMemoryError=kill -9 %p --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.lang.invoke=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED -Dfile.encoding=UTF8 -Djruby.compile.invokedynamic=false -Djruby.bytecode.version=1.8 -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djava.security.egd=file:/dev/./urandom -Dartdist=rpm -Djf.product.home=/opt/jfrog/artifactory -Xms512m -Xmx3g -Djruby.bytecode.version=1.8 -Dartifactory.metadata.native.ui=true -Dignore.endorsed.dirs= -classpath /opt/jfrog/artifactory/app/artifactory/tomcat/bin/bootstrap.jar:/opt/jfrog/artifactory/app/artifactory/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/jfrog/artifactory/app/artifactory/tomcat -Dcatalina.home=/opt/jfrog/artifactory/app/artifactory/tomcat -Djava.io.tmpdir=/opt/jfrog/artifactory/var/work/artifactory/tomcat/temp org.apache.catalina.startup.Bootstrap start
Aug 08 01:56:50 jfrog artifactoryManage.sh[10268]: 2020-08-07T17:56:50.027Z [shell] [INFO ] [] [systemYamlHelper.sh:462 ] [main] - Resolved shared.logging.consoleLog.enabled (true) from /opt/jfrog/artifactory/var/etc/system.yaml
Aug 08 01:56:50 jfrog artifactoryManage.sh[10268]: JF_METADATA_ACCESSCLIENT_URL: http://localhost:8081/access
Aug 08 01:56:50 jfrog artifactoryManage.sh[10268]: metadata started. PID: 12988
Aug 08 01:56:50 jfrog su[13048]: (to artifactory) root on none
Aug 08 01:56:50 jfrog artifactoryManage.sh[10268]: Starting frontend...
Aug 08 01:56:50 jfrog artifactoryManage.sh[10268]: frontend not running. Proceed to start it up.
Aug 08 01:56:50 jfrog artifactoryManage.sh[10268]: 2020-08-07T17:56:50.317Z [shell] [INFO ] [] [systemYamlHelper.sh:462 ] [main] - Resolved shared.logging.consoleLog.enabled (true) from /opt/jfrog/artifactory/var/etc/system.yaml
Aug 08 01:56:50 jfrog artifactoryManage.sh[10268]: frontend started. PID: 13147
Aug 08 01:56:50 jfrog systemd[1]: Started Artifactory service.
Aug 08 01:56:51 jfrog artifactoryManage.sh[10268]: 2020-08-07T17:56:51.003Z [shell] [INFO ] [] [systemYamlHelper.sh:462 ] [main] - Resolved shared.logging.consoleLog.enabled (true) from /opt/jfrog/artifactory/var/etc/system.yaml
[root#jfrog ~]#
Test:
[root#jfrog ~]# curl -I http://localhost:8082/ui/
HTTP/1.1 503 Service Unavailable
Date: Fri, 07 Aug 2020 18:08:50 GMT
Content-Length: 19
Content-Type: text/plain; charset=utf-8
[root#jfrog ~]#
/opt/jfrog/artifactory/var/log/console.log shows the following errors:
[DEBUG] Resolved system configuration file path: /opt/jfrog/artifactory/var/etc/system.yaml
No ssl parameter found, falling back to sslmode=disable
2020-08-07T17:56:50.179Z [jfmd ] [INFO ] [1462831a45a25233] [database_bearer.go:84 ] [main ] - Connecting to (db config: {postgresql user='jfroguser' password='***' dbname=jfrogdb host=dbserver.example.com port= sslmode=disable}) [database]
2020-08-07T17:56:50.216Z [jfmd ] [ERROR] [1462831a45a25233] [database_bearer.go:68 ] [main ] - Could not initialize database (db config: {postgresql user='jfroguser' password='***' dbname=jfrogdb host=dbserver.example.com port= sslmode=disable}): error connecting to database
jfrog.com/metadata/services/common/db.(*databaseBearer).init
/src/jfrog.com/metadata/services/common/db/database_bearer.go:114
jfrog.com/metadata/services/common/db.NewDatabaseBearer
/src/jfrog.com/metadata/services/common/db/database_bearer.go:66
main.main
/src/jfrog.com/metadata/metadata.go:38
runtime.main
/src/runtime/proc.go:203
runtime.goexit
/src/runtime/asm_amd64.s:1373
goroutine 1 [running]:
runtime/debug.Stack(0x38, 0xc00015c040, 0xc00032c080)
/src/runtime/debug/stack.go:24 +0x9d
jfrog.com/jfrog-go-commons/pkg/log.(*standardLogger).Panicfc(0xc00043bda0, 0x166e420, 0xc000142750, 0x13eb133, 0x32, 0xc00032c080, 0x2, 0x2)
/src/jfrog.com/go-commons/pkg/log/standard_logger.go:42 +0x6a
jfrog.com/metadata/services/common/db.NewDatabaseBearer(0x166e420, 0xc000142750, 0x166f220, 0xc00007f770, 0x1673460, 0xc0000c97c0, 0x1666260, 0xc000011098, 0x16489c0, 0xc00043bd70, ...)
/src/jfrog.com/metadata/services/common/db/database_bearer.go:68 +0x2d4
main.main()
/src/jfrog.com/metadata/metadata.go:38 +0x5b7
[database]
panic: Could not initialize database (db config: {postgresql user='jfroguser' password='***' dbname=jfrogdb host=dbserver.example.com port= sslmode=disable}): error connecting to database
jfrog.com/metadata/services/common/db.(*databaseBearer).init
/src/jfrog.com/metadata/services/common/db/database_bearer.go:114
jfrog.com/metadata/services/common/db.NewDatabaseBearer
/src/jfrog.com/metadata/services/common/db/database_bearer.go:66
main.main
/src/jfrog.com/metadata/metadata.go:38
runtime.main
/src/runtime/proc.go:203
runtime.goexit
/src/runtime/asm_amd64.s:1373
goroutine 1 [running]:
runtime/debug.Stack(0x38, 0xc00015c040, 0xc00032c080)
/src/runtime/debug/stack.go:24 +0x9d
jfrog.com/jfrog-go-commons/pkg/log.(*standardLogger).Panicfc(0xc00043bda0, 0x166e420, 0xc000142750, 0x13eb133, 0x32, 0xc00032c080, 0x2, 0x2)
/src/jfrog.com/go-commons/pkg/log/standard_logger.go:42 +0x6a
jfrog.com/metadata/services/common/db.NewDatabaseBearer(0x166e420, 0xc000142750, 0x166f220, 0xc00007f770, 0x1673460, 0xc0000c97c0, 0x1666260, 0xc000011098, 0x16489c0, 0xc00043bd70, ...)
/src/jfrog.com/metadata/services/common/db/database_bearer.go:68 +0x2d4
main.main()
/src/jfrog.com/metadata/metadata.go:38 +0x5b7
goroutine 1 [running]:
github.com/rs/zerolog.(*Logger).Panic.func1(0xc000358500, 0x4bb)
/pkg/mod/github.com/rs/zerolog#v1.18.0/log.go:338 +0x4f
github.com/rs/zerolog.(*Event).msg(0xc0000be240, 0xc000358500, 0x4bb)
/pkg/mod/github.com/rs/zerolog#v1.18.0/event.go:146 +0x200
github.com/rs/zerolog.(*Event).Msgf(0xc0000be240, 0xc000961dc0, 0x35, 0xc00015c0c0, 0x3, 0x4)
/pkg/mod/github.com/rs/zerolog#v1.18.0/event.go:126 +0x83
jfrog.com/jfrog-go-commons/pkg/log.(*standardLogger).logMessage(0xc00043bda0, 0x166e420, 0xc000142750, 0xc0000be240, 0xc000961dc0, 0x35, 0xc00015c0c0, 0x3, 0x4)
/src/jfrog.com/go-commons/pkg/log/standard_logger.go:61 +0x197
jfrog.com/jfrog-go-commons/pkg/log.(*standardLogger).Panicfc(0xc00043bda0, 0x166e420, 0xc000142750, 0x13eb133, 0x32, 0xc00015c0c0, 0x3, 0x4)
/src/jfrog.com/go-commons/pkg/log/standard_logger.go:43 +0x1df
jfrog.com/metadata/services/common/db.NewDatabaseBearer(0x166e420, 0xc000142750, 0x166f220, 0xc00007f770, 0x1673460, 0xc0000c97c0, 0x1666260, 0xc000011098, 0x16489c0, 0xc00043bd70, ...)
/src/jfrog.com/metadata/services/common/db/database_bearer.go:68 +0x2d4
main.main()
/src/jfrog.com/metadata/metadata.go:38 +0x5b7
Any ideas what to check? The server is an up-to-date Centos 7 server. Login to the external database is also possible:
[root#jfrog ~]# psql -h dbserver.example.com -p 5432 -U jfrog
Password for user jfrog:
psql (11.8)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
jfrog=> SHOW server_version;
server_version
----------------
11.8
(1 row)
jfrog=> \q
[root#jfrog ~]#
I am configuring opendkim+postfix. It is working OK and sent messages are correctly signed but the incomming messages are all marked as dkim=fail reason="signature verification failed"
How con I debug this problem?
Return-Path: <sender#gmail.com>
Delivered-To: recipient#mydomain.com
Received: from localhost (mailserver [127.0.0.1])
by mydomain.com (Postfix) with SMTP id 4DDF93F966
for <recipient#mydomain.com>; Tue, 24 Oct 2017 13:56:43 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mydomain.com 4DDF93F966
Authentication-Results: mydomain.com;
dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=#gmail.com header.b="jmdDmXQb"
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.85.215.43; helo=mail-lf0-f43.google.com; envelope-from=sender#gmail.com; receiver=recipient#mydomain.com
DMARC-Filter: OpenDMARC Filter v1.3.2 mydomain.com 2DBE03F963
Authentication-Results: mail.mydomain.com; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: mail.mydomain.com; spf=pass smtp.mailfrom=sender#gmail.com
The syslog reports this which looks OK
Oct 24 14:08:39 mailz opendkim[3325]: 4A29F3F938: [209.85.215.45] [209.85.215.45] not internal
Oct 24 14:08:39 mailz opendkim[3325]: 4A29F3F938: not authenticated
Oct 24 14:08:39 mailz opendkim[3325]: 4A29F3F938: DKIM verification successful
But later it adds:
Oct 24 14:08:43 mailzener postfix/cleanup[3194]: 6CC243F95E: message-id=<CAMXuvOM+jKLkE=0FrQ+cSqFesmPQujpHoVsfH9G_URg9uYtm1g#mail.gmail.com>
Oct 24 14:08:43 mailzener opendkim[3325]: 6CC243F95E: no signing table match for 'sender#gmail.com'
Oct 24 14:08:43 mailzener opendkim[3325]: 6CC243F95E: bad signature data
My opendkim configuration file is this:
AutoRestart Yes
AutoRestartRate 10/1h
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
Mode sv
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
#InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Socket inet:8891#localhost
PidFile /var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
OversignHeaders From
LogWhy Yes
X-Header yes
MilterDebug 9
ResolverTracing Yes
As you can see from the Queue ID 4A29F3F938 vs 6CC243F95E, these are two different mails.
4A29F3F938 is incoming and is verifying OK. 6CC243F95E is outgoing, and I guess opendkim tries to sign the mail. You need to elaborate on your processing of the mail in the lines inbetween :)
i compile install nginx 1.4.4 and openssl 1.0.1h,after install i generate .pem and .key file and put them under conf directory,when i want to start it shows something was wrong.
nginx$ sbin/nginx
nginx: [emerg] PEM_read_bio_X509("/home/work/nginx/conf/33iq.crt") failed (SSL:)
it only can see PEM_read_bio_X509 failed but no ssl error info,how to find out what is wrong with it?
openssl x509 -in /home/work/nginx/conf/33iq.crt -inform PEM -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 9271295828916739212 (0x80aa426f5a249c8c)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=UN, ST=CD, L=sodaf, O=ser, OU=fas, CN=ea/emailAddress=abc#baidu.com
Validity
Not Before: Jul 14 10:12:12 2014 GMT
Not After : Jul 14 10:12:12 2015 GMT
Subject: C=UN, ST=CD, L=sodaf, O=ser, OU=fas, CN=ea/emailAddress=abc#163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
...
eb:ce:5a:36:ae:ca:e8:26:2d
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
...
76:68