Dovecot dsync 'ssl_client_ca'

Thierry lenaigst at maelenn.org
Mon Feb 6 06:36:20 UTC 2017


Hi Aki,

I do not have any error message but (on both servers):

doveadm replicator status '*'
doveadm(root): Fatal: net_connect_unix(/var/run/dovecot/replicator-doveadm) failed: Connection refused

Thx


On Friday 3 February 2017 at 17:09:52, you wrote:

> Please keep responses in list. rm -f 
> /var/lib/dovecot/ssl-parameters.dat, i think it was in that dir.


> On 2017-02-03 17:00, Thierry wrote:
>> Hi,
>>
>> I have removed the '<' :
>>
>> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem
>>
>> But now:
>>
>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>
>> Any idea?
>>
>> Thx
>>
>>> Yes. The ssl_client_ca_file is not actually expecting <, just file name.
>>> Aki
>>
>>> On 2017-02-03 15:13, Thierry wrote:
>>>> Hi,
>>>>
>>>> I have made change:
>>>>
>>>> ssl_protocols = !SSLv2 !SSLv3
>>>> ssl = required
>>>> verbose_ssl = no
>>>> ssl_key = </etc/ssl/private/private.key
>>>> ssl_cert = </etc/ssl/certs/key.crt
>>>> ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
>>>>
>>>>
>>>> # Create a listener for doveadm-server
>>>> service doveadm {
>>>>     user = vmail
>>>>     inet_listener {
>>>>       port = 12345
>>>>       ssl= yes
>>>>     }
>>>> }
>>>>
>>>> and doveadm_port = 12345    // mail_replica = tcps:server2.domain.ltd # use doveadm_port
>>>>
>>>> And now:
>>>>
>>>> Feb 03 14:11:16 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't load CA certs from directory : error:02001024:system library:fopen:File name too long
>>>> Feb 03 14:11:17 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>>>> Feb 03 14:11:17 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>>>
>>>> Thx for your support
>>>>
>>>>
>>>>
>>>>
>>>> On Friday 3 February 2017 at 11:34:43, you wrote:
>>>>
>>>>> Hello,
>>>>> On 02/03/2017 08:51 AM, Thierry wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Still working with my dsync problem.
>>>>>> I have done a clone (vmware) of my email server.
>>>>>> Today I have two strictly identical email servers (server1 (main)
>>>>>> and server2 (bck)), except for IP, hostname and mail_replica.
>>>>>>
>>>>>> The ssl config on my both server:
>>>>>>
>>>>>> ssl_protocols = !SSLv2 !SSLv3
>>>>>> ssl = required
>>>>>> verbose_ssl = no
>>>>>> ssl_key = </etc/ssl/private/private.key
>>>>>> ssl_cert = </etc/ssl/certs/key.crt
>>>>>> ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem
>>>>> I think it should be ssl_client_ca_file =
>>>>> </etc/ssl/certs/GandiStandardSSLCA2.pem for you.
>>>>>> This config is working for my email client and my email web
>>>>>> interface ...
>>>>>>
>>>>>> Are they in the right order?
>>>>>>
>>>>>> mail_replica = tcps:server1 at domain.ltd and tcps:server2 at domain.ltd
>>>>>>
>>>>>> There is traffic on my iptables rules on both my servers:
>>>>>>
>>>>>> 60  3600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4711
>>>>>>
>>>>>>
>>>>>>
>>>>>> My error message from server1 (main server):
>>>>>>
>>>>>> Feb 03 08:38:08 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>> Feb 03 08:42:35 doveadm(user2 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>> Feb 03 08:42:35 doveadm(user3 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>> Feb 03 08:42:35 doveadm(user4 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>
>>>>>> No logs from server2
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>> Thx for your support
>>>>>>
>>>>>>
>>>>



-- 
Regards,
 Thierry    e-mail: lenaigst at maelenn.org
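The configuration mistake this thread turns on is Dovecot's `<` prefix: `setting = <path` tells Dovecot to read the setting's value from that file, which is what `ssl_key`, `ssl_cert` and `ssl_ca` want (PEM contents), but `ssl_client_ca_file` wants a plain path, so the `<` makes Dovecot use the whole PEM blob as a file name (the "fopen:File name too long" error above), and `ssl_ca` alone is not what dsync over `tcps:` uses to verify the remote server (the "Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)" error). The following lint script is an added example, not code from Dovecot or from anyone in this thread; the two config fragments it checks are reconstructed from the ones posted above, the assumed-but-labelled paths are not real servers, and the `service`/`inet_listener` block parsing is a simple brace stack, not Dovecot's own parser.

```python
"""Lint a Dovecot config fragment for the `<` prefix mix-up (added example).

`setting = <path` means "read the value from path".  ssl_key / ssl_cert / ssl_ca
hold PEM *contents* (so `<` is right); ssl_client_ca_file / ssl_client_ca_dir
hold a *path* (so `<` is wrong).
"""
import os
import re
from typing import List, Tuple

# Settings whose value is PEM content: `<path` is the correct form.
CONTENT_SETTINGS = {"ssl_key", "ssl_cert", "ssl_ca"}
# Settings whose value is a filesystem path: a leading `<` is a mistake.
PATH_SETTINGS = {"ssl_client_ca_file", "ssl_client_ca_dir"}

_ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed from the first fragment posted in the thread (ssl_ca only).
FIRST_ATTEMPT = """\
ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem
"""

# Constructed from the second fragment (ssl_client_ca_file with a stray `<`).
SECOND_ATTEMPT = """\
ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem

# Create a listener for doveadm-server
service doveadm {
    user = vmail
    inet_listener {
      port = 12345
      ssl= yes
    }
}
"""


def parse_dovecot_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (section_path, key, value) for every assignment in the fragment.

    `name { ... }` blocks are tracked with a brace stack; blank lines and
    whole-line `#` comments are skipped (Dovecot has no inline comments).
    """
    entries: List[Tuple[str, str, str]] = []
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        m = _ASSIGN_RE.match(line)
        if m:
            entries.append(("/".join(stack), m.group(1), m.group(2).strip()))
    return entries


def lint_ssl_settings(text: str) -> List[str]:
    """Flag `<` used on a path setting, `<` missing on a content setting,
    and ssl_ca set without any ssl_client_ca_* setting for dsync."""
    findings: List[str] = []
    top_level = {k: v for sec, k, v in parse_dovecot_config(text) if sec == ""}
    for key, value in top_level.items():
        if key in CONTENT_SETTINGS and not value.startswith("<"):
            findings.append(f"{key}: expects PEM contents, so the value must start with '<' ({key} = <{value})")
        if key in PATH_SETTINGS and value.startswith("<"):
            findings.append(f"{key}: expects a plain path; drop the '<' ({key} = {value[1:]})")
    if "ssl_ca" in top_level and not (PATH_SETTINGS & top_level.keys()):
        findings.append("ssl_ca: not used to verify the remote dsync server; set ssl_client_ca_file or ssl_client_ca_dir too")
    return findings


def pem_has_certificate(data: bytes) -> bool:
    """True if the blob contains at least one PEM certificate block."""
    return b"-----BEGIN CERTIFICATE-----" in data and b"-----END CERTIFICATE-----" in data


def check_ca_path(path: str) -> Tuple[bool, str]:
    """Runtime sanity check of the path you would put in ssl_client_ca_file."""
    if not os.path.isfile(path):
        return False, "file not found"
    with open(path, "rb") as fh:
        data = fh.read()
    if not pem_has_certificate(data):
        return False, "no PEM certificate block in file"
    return True, "ok"


if __name__ == "__main__":
    for label, cfg in (("first attempt", FIRST_ATTEMPT), ("second attempt", SECOND_ATTEMPT)):
        print(f"== {label}")
        for finding in lint_ssl_settings(cfg) or ["no findings"]:
            print("  " + finding)
```

Run it against `doveconf -n` output (or the relevant fragment) on both replicas; the fix for the second fragment is simply `ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem`, after which `lint_ssl_settings` returns nothing, and `check_ca_path` confirms the file Dovecot will open actually holds a CA certificate.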


