Dovecot dsync 'ssl_client_ca'

Aki Tuomi aki.tuomi at dovecot.fi
Fri Feb 3 15:09:52 UTC 2017


Please keep responses in list. rm -f 
/var/lib/dovecot/ssl-parameters.dat, I think it was in that dir.


On 2017-02-03 17:00, Thierry wrote:
> Hi,
>
> I have removed the '<' :
>
> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem
>
> But now:
>
> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>
> Any idea ?
>
> Thx
>
>> Yes. The ssl_client_ca_file is not actually expecting <, just a file name.
>> Aki
>
>> On 2017-02-03 15:13, Thierry wrote:
>>> Hi,
>>>
>>> I have made change:
>>>
>>> ssl_protocols = !SSLv2 !SSLv3
>>> ssl = required
>>> verbose_ssl = no
>>> ssl_key = </etc/ssl/private/private.key
>>> ssl_cert = </etc/ssl/certs/key.crt
>>> ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
>>>
>>>
>>> # Create a listener for doveadm-server
>>> service doveadm {
>>>     user = vmail
>>>     inet_listener {
>>>       port = 12345
>>>       ssl= yes
>>>     }
>>> }
>>>
>>> and  doveadm_port = 12345    // mail_replica = tcps:server2.domain.ltd # use doveadm_port
>>>
>>> And now:
>>>
>>> Feb 03 14:11:16 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't load CA certs from directory : error:02001024:system library:fopen:File name too long
>>> Feb 03 14:11:17 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>>> Feb 03 14:11:17 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>>
>>> Thx for your support
>>>
>>>
>>>
>>>
>>> On Friday, 3 February 2017 at 11:34:43, you wrote:
>>>
>>>> Hello,
>>>> On 02/03/2017 08:51 AM, Thierry wrote:
>>>>> Hello,
>>>>>
>>>>> Still working with my dsync pb.
>>>>> I have done a clone (vmware) of my email server.
>>>>> Today I have two strictly identical email servers (server1
>>>>> (main) and server2 (bck)) (except IP, hostname and mail_replica).
>>>>>
>>>>> The ssl config on both my servers:
>>>>>
>>>>> ssl_protocols = !SSLv2 !SSLv3
>>>>> ssl = required
>>>>> verbose_ssl = no
>>>>> ssl_key = </etc/ssl/private/private.key
>>>>> ssl_cert = </etc/ssl/certs/key.crt
>>>>> ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem
>>>> I think it should be ssl_client_ca_file =
>>>> </etc/ssl/certs/GandiStandardSSLCA2.pem for you.
>>>>> This config is working for my email client and my email web
>>>>> interface ...
>>>>>
>>>>> Are they in the right order?
>>>>>
>>>>> mail_replica = tcps:server1 at domain.ltd and tcps:server2 at domain.ltd
>>>>>
>>>>> There is traffic on my iptables rules on both my servers:
>>>>>
>>>>> 60  3600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4711
>>>>>
>>>>>
>>>>>
>>>>> My error message from server1 (main server):
>>>>>
>>>>> Feb 03 08:38:08 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>> Feb 03 08:42:35 doveadm(user2 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>> Feb 03 08:42:35 doveadm(user3 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>> Feb 03 08:42:35 doveadm(user4 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>
>>>>> No logs from server2
>>>>>
>>>>> Any ideas ?
>>>>>
>>>>> Thx for your support
>>>>>
>>>>>
>>>
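A small lint for the setting this thread keeps tripping over, added here as an example and not code from the thread or from the Dovecot project: ssl_key and ssl_cert take "<path" (file read inline), while ssl_client_ca_file takes a plain path, so a leading '<' makes Dovecot look for a file literally named "</etc/...". The config snippet and PEM file it checks are constructed in a temp dir; the CA body is a placeholder, not a real certificate.

```shell
#!/bin/sh
# Check the client-side trust setting dsync uses to verify the remote
# doveadm server. Returns 0 when ssl_client_ca_file is set, has no leading
# '<', and points at a readable PEM bundle; prints the reason and returns 1
# otherwise.
check_ssl_client_ca() {
    conf="$1"
    # Take the last assignment, as Dovecot does, and trim trailing whitespace.
    val=$(sed -n 's/^[[:space:]]*ssl_client_ca_file[[:space:]]*=[[:space:]]*//p' "$conf" \
          | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -z "$val" ]; then
        echo "ssl_client_ca_file is not set: dsync cannot verify the remote server"
        return 1
    fi
    case "$val" in
        "<"*)
            echo "ssl_client_ca_file takes a plain path, drop the leading '<': $val"
            return 1 ;;
    esac
    if [ ! -r "$val" ]; then
        echo "ssl_client_ca_file does not point at a readable file: $val"
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$val"; then
        echo "ssl_client_ca_file is not a PEM certificate bundle: $val"
        return 1
    fi
    echo "ssl_client_ca_file ok: $val"
    return 0
}

# Constructed sample inputs (placeholder PEM, not a real CA certificate).
tmp=$(mktemp -d)
ca="$tmp/GandiCA2.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$ca"
printf 'ssl = required\nssl_client_ca_file = <%s\n' "$ca" > "$tmp/bad.conf"
printf 'ssl = required\nssl_client_ca_file = %s\n' "$ca" > "$tmp/good.conf"

check_ssl_client_ca "$tmp/bad.conf" || true   # reports the leading '<'
check_ssl_client_ca "$tmp/good.conf" || true  # ok
```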