dovecot + centos 7 + internal ca + hostname change

Matt Bryant matt at the-bryants.net
Thu Sep 13 06:45:14 EEST 2018


Turns out this was an openldap config issue .. connecting to ldap via
self signed cert and had

/etc/openldap/ldap.conf as


TLS_CACERT /etc/dovecot/ldap_ca
TLS_REQCERT allow
TLS_CACERTDIR    /etc/openldap/certs

SASL_NOCANON    on

Seems whatever gets generated in TLS_CACERTDIR is problem .. commenting
that out seems to have resolved issue ..


> Matt Bryant <mailto:matt at the-bryants.net>
> 13 September 2018 at 12:52 pm
> Not sure if this is dovecot or not but can find very little ie no info
> around on this ... and added the pem file into
> /etc/pki/ca-trust/source/anchors and run update-ca-trust .. all works ok
> .. (this is on centos 7 btw)
>
> So wanted to change the hostname away from ip-x-x-x-x to something a
> little bit more descriptive .. but then kaboom .. doesn't work any more
> and the following errors are seen.
>
> Have created an internal CA for domain and added it to
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: master: Dovecot v2.2.33.2
> (d6601f4ec) starting up for imap, pop3, lmtp, sieve (core dumps disabled)
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit:
> 'attr->pValue != NULL' not true at attrs_build
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit:
> 'lexer->tok.field.name && lexer->tok.field.value' not true at
> p11_lexer_next
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'attrs !=
> NULL' not true at attrs_build
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: message repeated 16 times: [
> auth: Error: p11-kit: 'attrs != NULL' not true at attrs_build]
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit:
> 'new_memory != NULL' not true at maybe_expand_array
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't
> be reached at p11_array_push
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't
> be reached at sink_object
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'attrs !=
> NULL' not true at attrs_build
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit:
> 'new_memory != NULL' not true at maybe_expand_array
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't
> be reached at p11_array_push
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't
> be reached at sink_object
> ...
> ...
>
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit:
> 'new_memory != NULL' not true at maybe_expand_array
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't
> be reached at p11_array_push
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't
> be reached at sink_object
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit:
> 'attr->pValue != NULL' not true at attrs_build
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit:
> 'new_memory != NULL' not true at maybe_expand_array
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't
> be reached at p11_array_push
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't
> be reached at sink_object
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: no
> CKA_CLASS attribute found
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: couldn't
> load file into objects:
> /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
> Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Error: p11-kit:
> 'attrs != NULL' not true at attrs_build
> Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Fatal: master:
> service(auth-worker): child 14389 killed with signal 11 (core dumps
> disabled)
> Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Error: p11-kit:
> 'attrs != NULL' not true at attrs_build
> Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Fatal: master:
> service(auth-worker): child 14391 killed with signal 11 (core dumps
> disabled)
> Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Error: p11-kit:
> 'attrs != NULL' not true at attrs_build
> Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Fatal: master:
> service(auth-worker): child 14393 killed with signal 11 (core dumps
> disabled)
>
> why would a hostname change make any difference here .. the certs
> specified in dovecot config are all complete in their chain so not sure
> what it's trying to do ... set hostname back to original works fine .. so
> something is obviously tied or keyed to hostname though can't find
> anything specific
>
> anyone seen anything like this at all ??
>
> rgds
>
> Matt
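
As an added example (not part of the original post and not Dovecot or OpenLDAP code), a small shell check for the ldap.conf settings quoted above: it flags any TLS_REQCERT level other than demand/hard, since per ldap.conf(5) `allow` lets the session proceed even when the server presents a bad certificate, and it reports which CA sources remain configured. The function names and the hardened sample are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit OpenLDAP client TLS options.

# Constructed sample: the ldap.conf quoted in the post.
sample_page_conf() {
cat <<'EOF'
TLS_CACERT /etc/dovecot/ldap_ca
TLS_REQCERT allow
TLS_CACERTDIR    /etc/openldap/certs

SASL_NOCANON    on
EOF
}

# Constructed sample: same file with TLS_CACERTDIR commented out (the fix in
# the post) and TLS_REQCERT raised to demand (an assumption of this example).
sample_hardened_conf() {
cat <<'EOF'
TLS_CACERT /etc/dovecot/ldap_ca
TLS_REQCERT demand
#TLS_CACERTDIR    /etc/openldap/certs

SASL_NOCANON    on
EOF
}

# Read an ldap.conf on stdin; print findings; return 1 if verification is weak.
ldap_tls_audit() {
    awk '
        $1 == "" || $1 ~ /^#/ { next }          # skip blank and comment lines
        { key = toupper($1); val = tolower($2) }
        key == "TLS_REQCERT" && val != "demand" && val != "hard" {
            # never, allow and try all let some unverified sessions proceed
            printf "WEAK line %d: TLS_REQCERT %s: server certificate verification is not strictly enforced\n", NR, val
            weak = 1
        }
        key == "TLS_CACERT"    { cafile = $2 }
        key == "TLS_CACERTDIR" { cadir = $2 }
        END {
            printf "INFO trust sources: TLS_CACERT=%s TLS_CACERTDIR=%s\n", (cafile == "" ? "(unset)" : cafile), (cadir == "" ? "(unset)" : cadir)
            exit (weak + 0)
        }
    '
}

echo "== as posted ==";  sample_page_conf     | ldap_tls_audit || true
echo "== hardened ==";   sample_hardened_conf | ldap_tls_audit || true
```

To check a real host, feed it the file directly: `ldap_tls_audit < /etc/openldap/ldap.conf`.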
