dovecot + centos 7 + internal ca + hostname change
Not sure if this is dovecot or not but can find very little ie no info around on this ... and added the pem file into /etc/pki/ca-trust/source/anchors and run update-ca-trust .. all works ok .. (this is on centos 7 btw)
So wanted to change the hostname away from ip-x-x-x-x to something a little bit more descriptive .. but then kaboom .. doesn't work any more and the following errors are seen.
Have created an internal CA for domain and added it to
Sep 13 10:42:04 ip-10-0-40-230 dovecot: master: Dovecot v2.2.33.2 (d6601f4ec) starting up for imap, pop3, lmtp, sieve (core dumps disabled)
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'attr->pValue != NULL' not true at attrs_build
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'lexer->tok.field.name && lexer->tok.field.value' not true at p11_lexer_next
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'attrs != NULL' not true at attrs_build
Sep 13 10:42:04 ip-10-0-40-230 dovecot: message repeated 16 times: [ auth: Error: p11-kit: 'attrs != NULL' not true at attrs_build]
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'new_memory != NULL' not true at maybe_expand_array
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at p11_array_push
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at sink_object
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'attrs != NULL' not true at attrs_build
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'new_memory != NULL' not true at maybe_expand_array
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at p11_array_push
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at sink_object
... ...
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'new_memory != NULL' not true at maybe_expand_array
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at p11_array_push
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at sink_object
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'attr->pValue != NULL' not true at attrs_build
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'new_memory != NULL' not true at maybe_expand_array
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at p11_array_push
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at sink_object
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: no CKA_CLASS attribute found
Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Error: p11-kit: 'attrs != NULL' not true at attrs_build
Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Fatal: master: service(auth-worker): child 14389 killed with signal 11 (core dumps disabled)
Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Error: p11-kit: 'attrs != NULL' not true at attrs_build
Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Fatal: master: service(auth-worker): child 14391 killed with signal 11 (core dumps disabled)
Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Error: p11-kit: 'attrs != NULL' not true at attrs_build
Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Fatal: master: service(auth-worker): child 14393 killed with signal 11 (core dumps disabled)
why would a hostname change make any difference here .. the certs specified in dovecot config are all complete in their chain so not sure what it's trying to do ... set hostname back to original works fine .. so something is obviously tied or keyed to hostname though can't find anything specific
anyone seen anything like this at all ??
rgds
Matt
Turns out this was an openldap config issue .. connecting to ldap via self signed cert and had /etc/openldap/ldap.conf as
TLS_CACERT /etc/dovecot/ldap_ca
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/certs
SASL_NOCANON on
Seems whatever gets generated in TLS_CACERTDIR is problem .. commenting that out seems to have resolved issue ..
Matt Bryant mailto:matt@the-bryants.net 13 September 2018 at 12:52 pm
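An added example, not part of the original post: a small Python check that parses the ldap.conf quoted in the follow-up, and the same file with TLS_CACERTDIR commented out, and reports the TLS options worth reviewing. The function names and finding wording are assumptions of this sketch; the TLS_REQCERT levels are those documented in ldap.conf(5).

```python
# Added example (not from the original post): review the TLS options of an
# OpenLDAP client ldap.conf. Function names are hypothetical.

# Constructed input: the ldap.conf quoted in the post.
CONF_FROM_POST = """\
TLS_CACERT /etc/dovecot/ldap_ca
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/certs
SASL_NOCANON on
"""
# Constructed input: the same file with the post's workaround applied.
CONF_WORKAROUND = CONF_FROM_POST.replace("TLS_CACERTDIR", "#TLS_CACERTDIR")

# ldap.conf(5): what each non-enforcing TLS_REQCERT level lets through.
REQCERT_RISK = {
    "never": "server certificate is not requested or checked",
    "allow": "a missing or bad server certificate is ignored",
    "try": "a missing server certificate is accepted",
}

def parse_ldap_conf(text):
    """Return {OPTION: value}. Option names are case-insensitive; lines
    starting with '#' are comments. A repeated option overwrites here."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit_tls(text):
    """Return a list of (option, finding) tuples for the TLS settings."""
    opts = parse_ldap_conf(text)
    findings = []
    level = opts.get("TLS_REQCERT", "demand").lower()  # demand is the default
    if level in REQCERT_RISK:
        findings.append(("TLS_REQCERT", f"{level}: {REQCERT_RISK[level]}"))
    if "TLS_CACERT" in opts and "TLS_CACERTDIR" in opts:
        findings.append(("TLS_CACERTDIR",
            f"{opts['TLS_CACERTDIR']} is configured in addition to "
            f"{opts['TLS_CACERT']}; the post's errors stopped without it"))
    return findings

if __name__ == "__main__":
    for label, conf in (("post", CONF_FROM_POST), ("workaround", CONF_WORKAROUND)):
        print(label)
        for option, finding in audit_tls(conf):
            print(f"  {option}: {finding}")
```

With the workaround applied the TLS_CACERTDIR finding disappears, while the TLS_REQCERT allow finding remains because that line is unchanged.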