error: "The certificate is empty"

A. Schulze sca at andreasschulze.de
Fri Jun 18 20:20:29 EEST 2021


Hello,

On a farm of multiple identical dovecot servers, I have started seeing this error on usual POP3S access on one of many servers:

pop3-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty:

I'm running 2.3.14 compiled against openssl-1.1.1k on Debian Buster.
Looks like it's this code:
https://github.com/dovecot/core/blob/a5209c83c3a82386c94d466eec5fea394973e88f/src/lib-ssl-iostream/iostream-openssl-common.c#L322
called from here:
https://github.com/dovecot/core/blob/a5209c83c3a82386c94d466eec5fea394973e88f/src/lib-ssl-iostream/iostream-openssl-context.c#L453

To me it /looks/ like a resource problem. The farm handles a million pop3 sessions per hour while only 50k (5%) are using TLS.
The farm has been up and running for ~2 weeks. When started, the automatic deployment *did* check that pop3s was working well.
Also, today on all farm servers the certificate file is valid and contains the expected content.

The server is currently offline but not restarted, to allow further investigation.

The setup is quite normal.

Just checked over all farm servers:
 - doveconf | grep ssl | sha256sum
 - sha256sum $( doveconf | grep 'ssl_cert = <' | awk -F\< '{ print $2 }' )

The output is identical.

Any idea is appreciated ...

Andreas



