TLS: unable to get certificate ...
brian
cyruslist at subtropolix.org
Fri Apr 11 13:49:59 EDT 2008
brian wrote:
> cyrus-imapd-2.3.9-7.fc7
> openssl-0.9.8b-15.fc7
>
> I'm trying (and failing) to set up TLS and hope someone might be able to
> shed some light on my problem. Authentication failed so I checked
> maillog and found:
>
> imap[30288]: TLS server engine: cannot load CA data
> imap[30288]: unable to get certificate from
> '/etc/pki/tls/certs/imapcert.pem'
> imap[30288]: TLS server engine: cannot load cert/key data
> imap[30288]: error initializing TLS
>
>
> # ls -l /etc/pki/tls/certs/
> total 456
> -rw-r--r-- 1 root root 2240 Oct 12 10:55 Makefile
> -rw-r--r-- 1 root root 441017 Jun 21 2006 ca-bundle.crt
> -rw-r--r-- 1 root root 3250 Apr 10 23:46 imapcert.pem
> -rw-r--r-- 1 root root 887 Apr 10 23:40 imapkey.pem
> -rw-r--r-- 1 root root 712 Apr 10 23:40 imapreq.pem
> -rwxr-xr-x 1 root root 610 Oct 12 10:55 make-dummy-cert
>
> The file imapcert.pem is the self-signed cert created while following
> Patrick Koetter's SMTP AUTH tutorial[1]. As it's easily readable (the
> cert, though Patrick's tut has been terrifically helpful), I'm wondering
> if I've made some blunder in creating it.
>
> # openssl s_server \
> -cert /etc/pki/tls/certs/imapcert.pem \
> -key /etc/pki/tls/certs/imapkey.pem
> Using default temp DH parameters
> ACCEPT
>
> After this, issuing 'Q' does not quit for some reason. But it appears to
> me that the cert is good, though I can't claim to be a wizard with the
> openssl tools (else I wouldn't be requesting help ;-)
>
> Any ideas of what else I should be looking for?
>
> Also, further on in maillog, I see:
> imap[30288]: DBERROR db4: Database handles still open at environment close
> imap[30288]: DBERROR db4: Open database handle:
> /var/lib/imap/tls_sessions.db
> imap[30288]: DBERROR: error exiting application: Invalid argument
>
> Is this something I should be concerned about? I have log_level = 3, FWIW.
>
>
> [1] http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
I've just noticed that I neglected to add the client part of the test. I
repeated it and paste here:
# openssl s_server -cert /etc/pki/tls/certs/imapcert.pem -key /etc/pki/tls/certs/imapkey.pem
[from 2nd terminal]
# sudo netstat -ntpl | grep :4433
tcp 0 0 :::4433 :::* LISTEN 7737/openssl
# openssl s_client -connect localhost:4433 -CApath /etc/pki/CA -CAfile /etc/pki/CA/cacert.pem
[abbreviated output follows]
CONNECTED(00000003)
depth=1 /C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
verify return:1
depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
verify return:1
---
Certificate chain
0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
i:/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
issuer=/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
---
No client certificate CA names sent
---
SSL handshake has read 1203 bytes and written 267 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: ...
Session-ID-ctx:
Master-Key: ...
Key-Arg : None
Krb5 Principal: None
Start Time: 1207936431
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
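A pre-flight check for the three load steps that fail in the maillog above (CA data, certificate file, cert/key pair), run the way the daemon would load them rather than through s_server. This is an added example, not code from the thread or from Cyrus; the file paths are arguments and the check of who can read them is limited to the plain permission bits (no ACLs or SELinux labels).

```python
import os
import ssl
import stat

CERT_MARK = "-----BEGIN CERTIFICATE-----"
KEY_MARKS = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----",
             "-----BEGIN EC PRIVATE KEY-----")


def check_tls_files(cert_path, key_path, ca_path=None):
    """Return findings for the PEM files a TLS server is told to load: readable CA
    data, a certificate file with a PEM block, and a cert/key pair OpenSSL accepts.
    An empty list means all checks passed."""
    findings = []
    loadable = True
    for label, path, marks in (("cert", cert_path, (CERT_MARK,)),
                               ("key", key_path, KEY_MARKS),
                               ("ca", ca_path, (CERT_MARK,))):
        if path is None:
            continue
        try:
            with open(path) as fh:
                text = fh.read()
        except OSError as exc:  # missing, or unreadable by the (unprivileged) service user
            findings.append(f"{label}: cannot read {path}: {exc.strerror}")
            loadable = False
            continue
        if not any(m in text for m in marks):
            findings.append(f"{label}: no PEM block found in {path}")
            loadable = False
        mode = os.stat(path).st_mode & 0o777
        if label == "key" and mode & (stat.S_IRGRP | stat.S_IROTH):
            # Not a load failure, but a private key should be 0600 for the service user;
            # the listing in the post shows imapkey.pem as 0644.
            findings.append(f"key: {path} is readable by group/other (mode {mode:o})")
    if not loadable:
        return findings
    # The same OpenSSL calls a server makes at startup: a corrupt PEM body or a
    # key that does not match the certificate surfaces here as ssl.SSLError.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
    except ssl.SSLError as exc:
        findings.append(f"cert/key: OpenSSL rejected the pair: {exc.reason or exc}")
    if ca_path:
        try:
            ctx.load_verify_locations(cafile=ca_path)
        except ssl.SSLError as exc:
            findings.append(f"ca: OpenSSL rejected CA data: {exc.reason or exc}")
    return findings
```

Run it as the user the imapd processes actually run as, not as root, or the "cannot read" branch will never fire.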