Dovecot dsync 'ssl_client_ca'
Thierry
lenaigst at maelenn.org
Tue Feb 7 05:21:49 UTC 2017
Hello Markus,
> - Have you checked that port 12345 as specified below is open/forwarded
> and actually /used/ by dovecot (e.g., use "netstat -tulpn|grep dovecot")?
Yes of course:
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 22025/dovecot
tcp6 0 0 :::12345 :::* LISTEN 22025/dovecot
> - Did you retrace your steps and have you verified that synchronisation
> works with ssl disabled?
This dovecot is working well with my email client and web mail
interface, I would prefer not to start playing with this config file
...
> - Did you verify your certificate files (e.g., "openssl verify -verbose
> -CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt")?
yes: openssl verify -verbose -CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt
/etc/ssl/certs/key.crt: OK
> Personally, I prefer to use a single, specialised tool to manage
> certificates/encryption (which in my case is stunnel); all other
> programs are set up using (link-)local ip addresses only. If everything
> but encryption works with your setup, this might be a possible
> "workaround". (Apart from that, stunnel debug mode is very detailed and
> can help you to rule out problems with the certificates/connections
> between two nodes.)
> And once the latter works but the dovecot setup below still does not, it
> would also point to a problem with certificate handling by dovecot
> (could be library related).
This morning's logs:
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
> KR, Markus
Thx
> On 06.02.2017 at 07:36, Thierry wrote:
>> Hi Aki,
>>
>> I do not have any error message but (on both servers):
>>
>> doveadm replicator status '*'
>> doveadm(root): Fatal: net_connect_unix(/var/run/dovecot/replicator-doveadm) failed: Connection refused
>>
>> Thx
>>
>>
>> On Friday 3 February 2017 at 17:09:52, you wrote:
>>
>>> Please keep responses in list. rm -f
>>> /var/lib/dovecot/ssl-parameters.dat, I think it was in that dir.
>>
>>> On 2017-02-03 17:00, Thierry wrote:
>>>> Hi,
>>>>
>>>> I have removed the '<':
>>>>
>>>> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem
>>>>
>>>> But now:
>>>>
>>>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>>>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>>>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>>>
>>>> Any idea?
>>>>
>>>> Thx
>>>>
>>>>> Yes. The ssl_client_ca_file is not actually expecting <, just file name.
>>>>> Aki
>>>>> On 2017-02-03 15:13, Thierry wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have made change:
>>>>>>
>>>>>> ssl_protocols = !SSLv2 !SSLv3
>>>>>> ssl = required
>>>>>> verbose_ssl = no
>>>>>> ssl_key = </etc/ssl/private/private.key
>>>>>> ssl_cert = </etc/ssl/certs/key.crt
>>>>>> ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
>>>>>>
>>>>>>
>>>>>> # Create a listener for doveadm-server
>>>>>> service doveadm {
>>>>>>   user = vmail
>>>>>>   inet_listener {
>>>>>>     port = 12345
>>>>>>     ssl = yes
>>>>>>   }
>>>>>> }
>>>>>>
>>>>>> and doveadm_port = 12345 // mail_replica = tcps:server2.domain.ltd # use doveadm_port
>>>>>>
>>>>>> And now:
>>>>>>
>>>>>> Feb 03 14:11:16 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't load CA certs from directory : error:02001024:system library:fopen:File name too long
>>>>>> Feb 03 14:11:17 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>>>>>> Feb 03 14:11:17 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>>>>>
>>>>>> Thx for your support
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Friday 3 February 2017 at 11:34:43, you wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>> On 02/03/2017 08:51 AM, Thierry wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Still working with my dsync problem.
>>>>>>>> I have done a clone (vmware) of my email server.
>>>>>>>> Today I have two strictly identical email servers (server1
>>>>>>>> (main) and server2 (bck)), except IP, hostname and mail_replica.
>>>>>>>>
>>>>>>>> The ssl config on both my servers:
>>>>>>>>
>>>>>>>> ssl_protocols = !SSLv2 !SSLv3
>>>>>>>> ssl = required
>>>>>>>> verbose_ssl = no
>>>>>>>> ssl_key = </etc/ssl/private/private.key
>>>>>>>> ssl_cert = </etc/ssl/certs/key.crt
>>>>>>>> ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem
>>>>>>> I think it should be ssl_client_ca_file =
>>>>>>> </etc/ssl/certs/GandiStandardSSLCA2.pem for you.
>>>>>>>> This config is working for my email client and my email web
>>>>>>>> interface ...
>>>>>>>>
>>>>>>>> Are they in the right order?
>>>>>>>>
>>>>>>>> mail_replica = tcps:server1 at domain.ltd and tcps:server2 at domain.ltd
>>>>>>>>
>>>>>>>> There is traffic on my iptables rules on both my servers:
>>>>>>>>
>>>>>>>> 60 3600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4711
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> My error message from server1 (main server):
>>>>>>>>
>>>>>>>> Feb 03 08:38:08 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>>> Feb 03 08:42:35 doveadm(user2 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>>> Feb 03 08:42:35 doveadm(user3 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>>> Feb 03 08:42:35 doveadm(user4 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>>>
>>>>>>>> No logs from server2
>>>>>>>>
>>>>>>>> Any ideas?
>>>>>>>>
>>>>>>>> Thx for your support
>>>>>>>>
>>>>>>>>
>>
>>
--
Regards,
Thierry e-mail : lenaigst at maelenn.org
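The whole thread turns on one detail of Dovecot's config syntax: ssl_cert and ssl_key take a '<' prefix (read the file contents inline), while ssl_client_ca_file takes a plain path, so a '<' there makes Dovecot treat the CA file's entire contents as a file name and produces the "File name too long" error seen above. The script below is an added example, not code from the thread or from the Dovecot project. It parses a Dovecot-style config (including nested service/inet_listener blocks) and flags the prefix mistake, and also checks that a tcps: mail_replica has an ssl-enabled doveadm listener and a port to use. The rules it encodes are Aki's statement in the thread plus Dovecot's documented '<' convention; the sample configs are constructed from the settings Thierry posted. It checks syntax only and does not replace the openssl verify check Markus suggested.

```python
"""Lint the SSL settings of a Dovecot dsync/replication config.

Added example (not from the mailing-list thread or from Dovecot). Encodes:
  - Aki's rule from the thread: ssl_client_ca_file takes a plain file name, no '<'
  - Dovecot's documented convention: ssl_cert / ssl_key / ssl_ca need the '<'
    prefix so the file contents are read at config load time
"""

# Settings whose value is the file *contents*, so they need the '<' prefix.
INLINE_FILE_SETTINGS = {"ssl_cert", "ssl_key", "ssl_ca"}
# Settings that take a *path* and must not carry '<' (the bug in the thread).
PATH_SETTINGS = {"ssl_client_ca_file", "ssl_client_ca_dir"}


def parse_dovecot_conf(text):
    """Flatten a Dovecot config into {key: value}.

    Nested blocks such as 'service doveadm { inet_listener { port = 1 } }'
    become 'service/doveadm/inet_listener/port'. Comments (after '#') and
    blank lines are skipped; unparseable lines are ignored.
    """
    settings = {}
    stack = []  # names of the blocks we are currently inside
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip().replace(" ", "/"))
        elif line == "}":
            if stack:
                stack.pop()
        else:
            key, sep, value = line.partition("=")
            if sep:
                settings["/".join(stack + [key.strip()])] = value.strip()
    return settings


def lint_ssl_settings(settings):
    """Return a list of human-readable findings; an empty list means no issue."""
    findings = []
    for key, value in settings.items():
        base = key.rsplit("/", 1)[-1]
        if base in PATH_SETTINGS and value.startswith("<"):
            findings.append(
                f"{base}: drop the '<' prefix, it expects a plain file name, got {value!r}")
        if base in INLINE_FILE_SETTINGS and not value.startswith("<"):
            findings.append(
                f"{base}: needs the '<' prefix so the file contents are read, got {value!r}")

    # Replication over TLS: the doveadm listener must speak SSL and a port must
    # be known, either in mail_replica itself (host:port) or via doveadm_port.
    replica = settings.get("mail_replica", "")
    if replica.startswith("tcps:"):
        if settings.get("service/doveadm/inet_listener/ssl") != "yes":
            findings.append(
                "mail_replica uses tcps: but service doveadm inet_listener has no 'ssl = yes'")
        if ":" not in replica[len("tcps:"):] and "doveadm_port" not in settings:
            findings.append(
                "mail_replica uses tcps: without a port; set doveadm_port or append :port")
    return findings


# Constructed sample: the configuration as first posted in the thread, with the
# '<' prefix wrongly applied to ssl_client_ca_file. Host names are from the thread.
BROKEN_CONF = """\
ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem

# Create a listener for doveadm-server
service doveadm {
  user = vmail
  inet_listener {
    port = 12345
    ssl = yes
  }
}
doveadm_port = 12345
mail_replica = tcps:server2.domain.ltd   # use doveadm_port
"""

# The same config after Aki's fix: plain path for the client CA file.
FIXED_CONF = BROKEN_CONF.replace("ssl_client_ca_file = <", "ssl_client_ca_file = ")


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        problems = lint_ssl_settings(parse_dovecot_conf(conf))
        print(f"{name}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

Running it reports exactly one finding for the first config (the ssl_client_ca_file prefix) and none for the corrected one. The parser deliberately strips everything after '#', which also handles the trailing "# use doveadm_port" comment style seen in the thread.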