Re: Dovecot dsync 'ssl_client_ca'
Please keep responses in list. rm -f /var/lib/dovecot/ssl-parameters.dat, I think it was in that dir.
On 2017-02-03 17:00, Thierry wrote:
Hi,
I have removed the '<':
ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem
But now:
doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Any idea?
Thx
Yes. The ssl_client_ca_file is not actually expecting <, just the file name.
Aki
On 2017-02-03 15:13, Thierry wrote:
Hi,
I have made the change:
ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_key =
# Create a listener for doveadm-server
service doveadm {
  user = vmail
  inet_listener {
    port = 12345
    ssl = yes
  }
}
and
doveadm_port = 12345
mail_replica = tcps:server2.domain.ltd # use doveadm_port
And now:
Feb 03 14:11:16 doveadm(user1@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't load CA certs from directory : error:02001024:system library:fopen:File name too long
Feb 03 14:11:17 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 03 14:11:17 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Thx for your support
On Friday, 3 February 2017 at 11:34:43, you wrote:
Hello,
On 02/03/2017 08:51 AM, Thierry wrote:
Hello,
Still working with my dsync problem. I have done a clone (VMware) of my email server. Today I have two strictly identical email servers (server1 (main) and server2 (bck)), except for IP, hostname and mail_replica.
The SSL config on both my servers:
ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_key =
ssl_cert =
ssl_ca =
This config is working for my email client and my email web interface ...
Are they in the right order?
mail_replica = tcps:server1@domain.ltd and tcps:server2@domain.ltd
There is traffic on my iptables rules on both my servers:
60 3600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4711
My error message from server1 (main server):
Feb 03 08:38:08 doveadm(user1@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Feb 03 08:42:35 doveadm(user2@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Feb 03 08:42:35 doveadm(user3@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Feb 03 08:42:35 doveadm(user4@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
No logs from server2
Any ideas?
Thx for your support
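Aki's point about the '<' prefix, as an added example that is not code from the thread or from Dovecot: a small Python lint over `doveconf -n`-style output that flags ssl_client_ca_file/ssl_client_ca_dir given with '<' (Dovecot substitutes the file's PEM contents, so the CA loader's fopen() gets that text as a file name and fails with "File name too long", the error seen above), ssl_cert/ssl_key/ssl_ca given without it, and a tcps: mail_replica with no ssl_client_ca_* setting (the "Can't verify remote server certs" error). The sample configurations and the .crt/.key paths other than GandiCA2.pem are constructed placeholders.

```python
import re

# Dovecot reads the file *contents* for these, so the value must start with '<'.
INCLUDE_SETTINGS = ("ssl_cert", "ssl_key", "ssl_ca")
# These take a plain path: with a leading '<' Dovecot substitutes the PEM text,
# OpenSSL receives it as the CA "file name" and fopen() fails: File name too long.
PATH_SETTINGS = ("ssl_client_ca_file", "ssl_client_ca_dir")
SETTING_RE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*)$")

def parse_settings(text):
    """Top-level 'key = value' pairs; comments stripped, '{ }' blocks skipped
    so that 'ssl = yes' inside a listener does not shadow the global setting."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # crude comment strip
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0:
            m = SETTING_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip()
    return settings

def lint_ssl_settings(settings):
    """Return a sorted list of (setting, diagnosis) tuples; empty means OK."""
    problems = []
    for key in PATH_SETTINGS:
        if settings.get(key, "").startswith("<"):
            problems.append((key, "file name expected, drop the leading '<'"))
    for key in INCLUDE_SETTINGS:
        value = settings.get(key)
        if value and not value.startswith("<"):
            problems.append((key, "PEM file expected, add a leading '<'"))
    if (settings.get("mail_replica", "").startswith("tcps:")
            and not any(settings.get(key) for key in PATH_SETTINGS)):
        problems.append(("mail_replica", "tcps: cannot verify the remote server "
                         "without ssl_client_ca_file or ssl_client_ca_dir"))
    return sorted(problems)

# Constructed sample in the shape of the thread's config after the first fix
# attempt; the .crt/.key paths are placeholders.
BROKEN_CONF = """\
ssl = required
ssl_cert = </etc/ssl/certs/mail.crt
ssl_key = </etc/ssl/private/mail.key
ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
mail_replica = tcps:server2.domain.ltd
service doveadm {
  inet_listener {
    port = 12345
    ssl = yes
  }
}
"""
# Same settings with the '<' removed where Dovecot wants a plain file name.
FIXED_CONF = BROKEN_CONF.replace("ssl_client_ca_file = <", "ssl_client_ca_file = ")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_ssl_settings(parse_settings(conf)) or "OK")
```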
Hi,
I have removed it on both servers and on both servers I do have:
ssl-params: Info: Generating SSL parameters
ssl-params: Info: SSL parameters regeneration completed
But still:
Feb 03 16:36:28 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 03 16:36:28 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Thx
On Friday, 3 February 2017 at 17:09:52, you wrote:
--
Regards,
Thierry
e-mail: lenaigst@maelenn.org
Hi Aki,
I do not have any error message but (on both servers):
doveadm replicator status '*'
doveadm(root): Fatal: net_connect_unix(/var/run/dovecot/replicator-doveadm) failed: Connection refused
Thx
Dear Thierry,
- Have you checked that port 12345 as specified below is open/forwarded and actually /used/ by dovecot (e.g., use "netstat -tulpn|grep dovecot")?
- Did you retrace your steps and have you verified that synchronisation works with ssl disabled?
- Did you verify your certificate files (e.g., "openssl verify -verbose -CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt")?
Personally, I prefer to use a single, specialised tool to manage certificates/encryption (which in my case is stunnel); all other programs are set up using (link-)local ip addresses only. If everything but encryption works with your setup, this might be a possible "workaround". (Apart from that, stunnel debug mode is very detailed and can help you to rule out problems with the certificates/connections between two nodes.) And once the latter works but the dovecot setup below still does not, it would also point to a problem with certificate handling by dovecot (could be library related).
KR, Markus
On 06.02.2017 at 07:36, Thierry wrote:
Hello Markus,
- Have you checked that port 12345 as specified below is open/forwarded and actually /used/ by dovecot (e.g., use "netstat -tulpn|grep dovecot")?
Yes of course:
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 22025/dovecot
tcp6 0 0 :::12345 :::* LISTEN 22025/dovecot
- Did you retrace your steps and have you verified that synchronisation works with ssl disabled?
This Dovecot is working well with my email client and webmail interface; I would prefer not to start playing with this config file ...
- Did you verify your certificate files (e.g., "openssl verify -verbose -CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt")?
Yes:
openssl verify -verbose -CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt
/etc/ssl/certs/key.crt: OK
Personally, I prefer to use a single, specialised tool to manage certificates/encryption (which in my case is stunnel); all other programs are set up using (link-)local ip addresses only. If everything but encryption works with your setup, this might be a possible "workaround". (Apart from that, stunnel debug mode is very detailed and can help you to rule out problems with the certificates/connections between two nodes.) And once the latter works but the dovecot setup below still does not, it would also point to a problem with certificate handling by dovecot (could be library related).
This morning logs:
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
KR, Markus
Thx
On Friday, 3 February 2017 at 11:34:43, you wrote:
> Hello,
> On 02/03/2017 08:51 AM, Thierry wrote:
>> Hello,
>> Still working with my dsync problem.
>> I have done a clone (VMware) of my email server.
>> Today I have two strictly identical email servers (server1
>> (main) and server2 (bck)), except for IP, hostname and mail_replica.
>> The SSL config on both my servers:
>> ssl_protocols = !SSLv2 !SSLv3
>> ssl = required
>> verbose_ssl = no
>> ssl_key =
>> ssl_cert =
>> ssl_ca =
> I think it should be ssl_client_ca_file =
>> This config is working for my email client and my email web
>> interface ...
>> Are they in the right order?
>> mail_replica = tcps:server1@domain.ltd and tcps:server2@domain.ltd
>> There is traffic on my iptables rules on both my servers:
>> 60 3600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4711
>> My error message from server1 (main server):
>> Feb 03 08:38:08 doveadm(user1@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Feb 03 08:42:35 doveadm(user2@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Feb 03 08:42:35 doveadm(user3@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Feb 03 08:42:35 doveadm(user4@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> No logs from server2
>> Any ideas?
>> Thx for your support
Dear Thierry,
(I'm omitting the remainder of your post because the below has a separate root cause from what has been assumed.)
[...] This morning logs:
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
[...]
Did I miss these lines before or did the messages change? In either case, have a look at http://wiki.dovecot.org/SSL/DovecotConfiguration#SSL_security_settings which explains how to fix this in detail--if you're lucky, your problems might be gone afterwards.
KR, Markus
Hello Markus,
Things are working but without SSL. I will have a look and come back to you.
Thx
On Wednesday, 8 February 2017 at 00:31:08, you wrote:
participants (3)
- Aki Tuomi
- Markus Ueberall
- Thierry