Dovecot dsync 'ssl_client_ca'

Thierry lenaigst at maelenn.org
Tue Feb 7 05:21:49 UTC 2017


Hello Markus,

> - Have you checked that port 12345 as specified below is open/forwarded
> and actually /used/ by dovecot (e.g., use "netstat -tulpn|grep dovecot")?

Yes, of course:

tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN      22025/dovecot
tcp6       0      0 :::12345                :::*                    LISTEN      22025/dovecot


> - Did you retrace your steps and have you verified that synchronisation
> works with ssl disabled?

This Dovecot instance is working well with my email client and webmail
interface; I would prefer not to start playing with this config file
...

> - Did you verify your certificate files (e.g., "openssl verify -verbose
> -CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt")?

yes: openssl verify -verbose -CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt
/etc/ssl/certs/key.crt: OK

> Personally, I prefer to use a single, specialised tool to manage
> certificates/encryption (which in my case is stunnel); all other
> programs are set up using (link-)local ip addresses only. If everything
> but encryption works with your setup, this might be a possible
> "workaround". (Apart from that, stunnel debug mode is very detailed and
> can help you to rule out problems with the certificates/connections
> between two nodes.)
> And once the latter works but the dovecot setup below still does not, it
> would also point to a problem with certificate handling by dovecot
> (could be library related).

This morning logs:

Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL




> KR, Markus

Thx
> On 06.02.2017 at 07:36, Thierry wrote:
>> Hi Aki,
>>
>> I do not have any error message but (on both servers):
>>
>> doveadm replicator status '*'
>> doveadm(root): Fatal: net_connect_unix(/var/run/dovecot/replicator-doveadm) failed: Connection refused
>>
>> Thx
>>
>>
>> On Friday, 3 February 2017 at 17:09:52, you wrote:
>>
>>> Please keep responses in list. rm -f 
>>> /var/lib/dovecot/ssl-parameters.dat, i think it was in that dir.
>>
>>> On 2017-02-03 17:00, Thierry wrote:
>>>> Hi,
>>>>
>>>> I have removed the '<' :
>>>>
>>>> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem
>>>>
>>>> But now:
>>>>
>>>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>>>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>>>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>>>
>>>> Any idea?
>>>>
>>>> Thx
>>>>
>>>>> Yes. The ssl_client_ca_file is not actually expecting <, just file name.
>>>>> Aki
>>>>> On 2017-02-03 15:13, Thierry wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have made change:
>>>>>>
>>>>>> ssl_protocols = !SSLv2 !SSLv3
>>>>>> ssl = required
>>>>>> verbose_ssl = no
>>>>>> ssl_key = </etc/ssl/private/private.key
>>>>>> ssl_cert = </etc/ssl/certs/key.crt
>>>>>> ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
>>>>>>
>>>>>>
>>>>>> # Create a listener for doveadm-server
>>>>>> service doveadm {
>>>>>>     user = vmail
>>>>>>     inet_listener {
>>>>>>       port = 12345
>>>>>>       ssl= yes
>>>>>>     }
>>>>>> }
>>>>>>
>>>>>> and  doveadm_port = 12345    // mail_replica = tcps:server2.domain.ltd # use doveadm_port
>>>>>>
>>>>>> And now:
>>>>>>
>>>>>> Feb 03 14:11:16 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't load CA certs from directory : error:02001024:system library:fopen:File name too long
>>>>>> Feb 03 14:11:17 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>>>>>> Feb 03 14:11:17 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>>>>>
>>>>>> Thx for your support
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Friday, 3 February 2017 at 11:34:43, you wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>> On 02/03/2017 08:51 AM, Thierry wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Still working on my dsync problem.
>>>>>>>> I have done a clone (vmware) of my email server.
>>>>>>>> Today I have two strictly identical email servers (server1
>>>>>>>> (main) and server2 (bck)), except for IP, hostname and mail_replica.
>>>>>>>>
>>>>>>>> The ssl config on my both server:
>>>>>>>>
>>>>>>>> ssl_protocols = !SSLv2 !SSLv3
>>>>>>>> ssl = required
>>>>>>>> verbose_ssl = no
>>>>>>>> ssl_key = </etc/ssl/private/private.key
>>>>>>>> ssl_cert = </etc/ssl/certs/key.crt
>>>>>>>> ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem
>>>>>>> I think it should be ssl_client_ca_file =
>>>>>>> </etc/ssl/certs/GandiStandardSSLCA2.pem for you.
>>>>>>>> This config is working for my email client and my email web
>>>>>>>> interface ...
>>>>>>>>
>>>>>>>> Are they in the right order?
>>>>>>>>
>>>>>>>> mail_replica = tcps:server1 at domain.ltd and tcps:server2 at domain.ltd
>>>>>>>>
>>>>>>>> There is traffic on my iptables rules on both my servers:
>>>>>>>>
>>>>>>>> 60  3600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4711
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> My error message from server1 (main server):
>>>>>>>>
>>>>>>>> Feb 03 08:38:08 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>>> Feb 03 08:42:35 doveadm(user2 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>>> Feb 03 08:42:35 doveadm(user3 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>>> Feb 03 08:42:35 doveadm(user4 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>>>
>>>>>>>> No logs from server2
>>>>>>>>
>>>>>>>> Any ideas?
>>>>>>>>
>>>>>>>> Thx for your support
>>>>>>>>
>>>>>>>>
>>
>>



-- 
Regards,
 Thierry                            e-mail : lenaigst at maelenn.org
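The recurring mistake in this thread is the `<` prefix: `ssl_cert` and `ssl_key` take the *contents* of a file, so they need `<`, while `ssl_client_ca_file` (and `ssl_client_ca_dir`) take a plain path, which is why the prefixed value produced "Can't load CA certs from directory ... File name too long". The following lint is an added example, not Dovecot's own tooling and not posted by anyone in the thread; it parses a Dovecot configuration fragment and flags both directions of the mix-up. The sample configuration it writes is constructed here for illustration, and the file paths in it are assumptions.

```sh
#!/bin/sh
# Added example (not part of the Dovecot project): lint the SSL settings of a
# Dovecot config file for the '<' file-content prefix being used in the wrong
# place. Findings are printed one per line.

# lint_dovecot_ssl CONFIG_FILE
# Prints a WARN/ERROR/INFO line for every suspicious SSL setting.
lint_dovecot_ssl() {
    conf="$1"
    # Drop comments and blank lines, then read "key = value" pairs. Lines
    # without '=' (block openers such as "service doveadm {") fall through.
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r key value; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        value=$(printf '%s' "$value" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        case "$key" in
            ssl_cert|ssl_key)
                # These settings expect the file's contents: '<path' is required.
                case "$value" in
                    "<"*) ;;
                    *) echo "WARN: $key should read its file via '<' (got: $value)" ;;
                esac ;;
            ssl_client_ca_file|ssl_client_ca_dir)
                # These settings expect a plain path. With '<' Dovecot reads the
                # PEM file and then uses its contents as the name to open.
                case "$value" in
                    "<"*) echo "ERROR: $key expects a plain path, not '<' (got: $value)" ;;
                esac ;;
            ssl_ca)
                # ssl_ca is for verifying *client* certificates; dsync's outbound
                # TLS verification uses the ssl_client_ca_* settings instead.
                echo "INFO: ssl_ca does not apply to dsync client connections; set ssl_client_ca_file or ssl_client_ca_dir" ;;
        esac
    done
}

# lint_count CONFIG_FILE
# Prints the number of findings (0 means the SSL settings look consistent).
lint_count() {
    lint_dovecot_ssl "$1" | wc -l | tr -d ' '
}

# Demo on a constructed config resembling the one from the thread.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
ssl_protocols = !SSLv2 !SSLv3
ssl = required
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem   # wrong: '<' on a path setting
service doveadm {
  inet_listener {
    port = 12345
    ssl = yes
  }
}
EOF
lint_dovecot_ssl "$demo_conf"
rm -f "$demo_conf"
```

Run it against `/etc/dovecot/conf.d/10-ssl.conf` (or the output of `doveconf -n` saved to a file) on both replication peers; a clean run prints nothing. It only checks the prefix convention, so a certificate that fails `openssl verify` or a stale `ssl-parameters.dat` still needs the manual checks discussed above.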


