Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Hi!
I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 2:2.2.28-1~auto+8) and now I'm getting an error:
Mar 20 13:25:58 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
I checked, and alas, I had
ssl_client_ca_dir =
ssl_client_ca_file =
So I set:
ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt
But I'm still getting the error above.
In addition, dovecot is crashing with SIGSEGV:
Mar 20 13:28:23 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Mar 20 13:28:23 mproxy dovecot: auth: Error: imapc(email.charite.de:993): No SSL context
Mar 20 13:28:23 mproxy dovecot: auth: Error: imap(la***sch,87.77.180.61): Disconnected from server
Mar 20 13:28:23 mproxy postfix/submission/smtpd[32682]: warning: zb43d.pia.fu-berlin.de[87.77.180.61]: SASL PLAIN authentication failed: Connection lost to authentication server
Mar 20 13:28:23 mproxy dovecot: auth: Fatal: master: service(auth): child 32685 killed with signal 11 (core dumped)
-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | http://www.charite.de
- Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>:
Hi!
I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 2:2.2.28-1~auto+8) and now I'm getting an error:
I was able to determine the last working version: 2:2.2.28-1~auto+6 and the first "broken" version: 2:2.2.28-1~auto+7
- Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>:
- Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>:
Hi!
I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 2:2.2.28-1~auto+8) and now I'm getting an error:
I was able to determine the last working version: 2:2.2.28-1~auto+6 and the first "broken" version: 2:2.2.28-1~auto+7
2:2.2.28-1~auto+7 CHANGES file (http://xi.dovecot.fi/debian/pool/jessie-auto/dovecot-2.2/dovecot_2.2.28-1~au...) says:
New revision (a39b5b2852f2) in dovecot Git repository
...
- lib-ssl-iostream: Ensure verify_remote_cert is true
- lib-ssl-iostream: Fix ambiguity with SSL settings
...
I think one of these two could be the culprit
- Aki Tuomi <aki.tuomi@dovecot.fi>:
On 20.03.2017 14:30, Ralf Hildebrandt wrote:
ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt
Leave the < out. It is misleading, I know, but it does say file. =)
Makes no difference:
# doveconf |fgrep ssl_client_ca
ssl_client_ca_dir =
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
and with auto8 I still get:
Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): No SSL context
Mar 20 15:38:20 mproxy dovecot: auth: Error: imap(hildeb,141.42.206.36,<YWuNeipLKLGNKs4k>): Disconnected from server
Mar 20 15:38:20 mproxy dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=52992, EOF)
Mar 20 15:38:20 mproxy dovecot: auth: Fatal: master: service(auth): child 52990 killed with signal 11 (core dumped)
going back to auto6 and everything is peachy again.
On 20.03.2017 16:40, Ralf Hildebrandt wrote:
- Aki Tuomi <aki.tuomi@dovecot.fi>:
On 20.03.2017 14:30, Ralf Hildebrandt wrote:
ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt
Leave the < out. It is misleading, I know, but it does say file. =)
Makes no difference:
# doveconf |fgrep ssl_client_ca
ssl_client_ca_dir =
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
and with auto8 I still get:
Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): No SSL context
Mar 20 15:38:20 mproxy dovecot: auth: Error: imap(hildeb,141.42.206.36,<YWuNeipLKLGNKs4k>): Disconnected from server
Mar 20 15:38:20 mproxy dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=52992, EOF)
Mar 20 15:38:20 mproxy dovecot: auth: Fatal: master: service(auth): child 52990 killed with signal 11 (core dumped)
going back to auto6 and everything is peachy again.
Hi!
Could you send us the gdb bt full backtrace for the core file? Also, can you send doveconf -n?
Aki
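
A pre-flight check for the two settings discussed in this thread, added here as an example; it is not part of the original messages and not Dovecot code. It reads `doveconf`-style `key = value` lines and reports whether a usable trust store is configured; the function name `audit_ssl_client_ca` and the sample input are made up for illustration.

```shell
#!/bin/sh
# Added example (not Dovecot code): audit the ssl_client_ca_* settings as
# printed by `doveconf`. Reads "key = value" lines on stdin, prints findings,
# and returns 0 only if a usable trust store is configured.
audit_ssl_client_ca() {
    local line value ca_file ca_dir status n
    ca_file="" ca_dir="" status=0
    while IFS= read -r line; do
        value=${line#*=}; value=${value# }
        case $line in
            "ssl_client_ca_file ="*) ca_file=$value ;;
            "ssl_client_ca_dir ="*)  ca_dir=$value ;;
        esac
    done
    if [ -z "$ca_file" ] && [ -z "$ca_dir" ]; then
        echo "FAIL: ssl_client_ca_file and ssl_client_ca_dir are both empty"
        return 1
    fi
    case $ca_file in
        "<"*)  # the reply in the thread says to give a plain path here
            echo "WARN: ssl_client_ca_file starts with '<'; use a plain path"
            ca_file=${ca_file#"<"}; status=1 ;;
    esac
    if [ -n "$ca_file" ]; then
        if [ ! -f "$ca_file" ] || [ ! -r "$ca_file" ]; then
            echo "FAIL: cannot read $ca_file"; status=1
        else
            # Count PEM blocks; an empty bundle gives the verifier nothing to trust.
            n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca_file" || true)
            if [ "$n" -eq 0 ]; then
                echo "FAIL: $ca_file contains no PEM certificates"; status=1
            else
                echo "OK: $ca_file holds $n PEM certificate(s)"
            fi
        fi
    fi
    if [ -n "$ca_dir" ] && [ ! -d "$ca_dir" ]; then
        echo "FAIL: $ca_dir is not a directory"; status=1
    elif [ -n "$ca_dir" ]; then
        echo "OK: $ca_dir is a directory"
    fi
    return "$status"
}

# Constructed input: the two empty settings first reported in the thread.
printf 'ssl_client_ca_dir = \nssl_client_ca_file = \n' | audit_ssl_client_ca || true
```

On a live host the input would be `doveconf | fgrep ssl_client_ca`, as used in the thread. The readability test applies to the user running the script, and a passing result only rules out the configuration, not the crash reported with the auto+7 and auto+8 packages.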