TLS: unable to get certificate ...

brian cyruslist at subtropolix.org
Sat Apr 12 01:01:19 EDT 2008 

Goetz Babin-Ebell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> brian schrieb:
> | brian wrote:
> |> cyrus-imapd-2.3.9-7.fc7
> |> openssl-0.9.8b-15.fc7
> |>
> |> I'm trying (and failing) to set up TLS and hope someone might be able to
> |> shed some light on my problem. Authentication failed so I checked
> |> maillog and found:
> |>
> |> imap[30288]: TLS server engine: cannot load CA data
> This            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> |> imap[30288]: unable to get certificate from
> |> '/etc/pki/tls/certs/imapcert.pem'
> and this ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Is your first hint.

Yes, it was the first thing I noticed too. However, the fact that that 
file was easily readable confused me as to what the problem actually 
was. I thought that perhaps the file, while readable, contained garbage.


> |> The file imapcert.pem is the self-signed cert created while following
> |> Patrick Koetter's SMTP AUTH tutorial[1] As it's easily readable (the
> |> cert, though Patrick's tut has been terrificly helpful), I'm wondering
> |> if I've made some blunder in creating it.
> While you can use self signed certs for server authentication,
> generally speaking it is not good to do.
> It is better to create a CA certificate and sign your server certificate
> with it.
> 
> Arg.
> I wish people would stop using self signed certificates in their
> tutorials.
> Creating a CA and using it to sign the certificates are
> just two to  three steps more and it gives people a hint how
> to set up things correctly...

Maybe I've got the terminology wrong then. By "self-signed" I mean that 
I did create my own CA, then created and signed a cert with that.

   # CA_nodes -newca
   # CA_nodes -newreq
   # CA_nodes -sign

I'm not aware of any other kind of "self-signed" certificate. I thought 
it was either signed by Thawte, etc. or by one's own CA.


> 
> | I've just noticed that i neglected to add the client part of the test. I
> | repeated it and paste here:
> |
> | # openssl s_server -cert /etc/pki/tls/certs/imapcert.pem -key
> | /etc/pki/tls/certs/imapkey.pem
> |
> | [from 2nd terminal]
> | # sudo netstat -ntpl | grep :4433
> | tcp  0  0  :::4433  :::*  LISTEN  7737/openssl
> |
> | # openssl s_client -connect localhost:4433 -CApath /etc/pki/CA -CAfile
> | /etc/pki/CA/cacert.pem
> While you can use self signed certificates for server authentication,
> you can not use self signed certificates for client authentication.
> (besides: you didn't tell the server to do client authentication...)
> Additionally:
> On your server you have a self signed cert and now you tell your
> client to verify it against CA certificates given here ?
> 
> | [abbreviated output follows]
> |
> | CONNECTED(00000003)
> | depth=1 /C=CA/ST=Ontario/O=zijn
> | digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
> | verify return:1
> | depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn
> | digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
> | verify return:1
> | ---
> | Certificate chain
> |   0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn
> | digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
> |     i:/C=CA/ST=Ontario/O=zijn
> | digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
> OK, this is NOT a self signed certificate.
> 

What tells you that?


> | ---
> | Server certificate
> | -----BEGIN CERTIFICATE-----
> | ...
> | -----END CERTIFICATE-----
> | subject=/C=CA/ST=Ontario/L=Stratford/O=zijn
> | digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
> | issuer=/C=CA/ST=Ontario/O=zijn
> | digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
> | ---
> | No client certificate CA names sent
> ~  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> You want to do client authentication, but you didn't tell
> your server which CAs you accept for signing them ?
> 
> It is obvious that you don't know what you are doing.

Sure, that's why I've emailed this list looking for help. While I seem 
to have fixed the problem (see below) there are aspects of this that are 
more than a little bit hazy. I'd like to understand this a lot better.

> If you would tell us what you want to do,
> we might be able to tell you what you should do.
> 

OK, I'll start again from the beginning: I wish to incorporate TLS 
support into Postfix/Cyrus-IMAP. I don't feel that a signed cert from 
Thawte, etc. is necessary, as I'm not expecting to have any strangers 
with accounts on this machine. Thus, I followed Patrick's tutorial in 
which he explains how to create one's own CA and use that to sign a 
certificate.

I was under the impression that *that* was a self-signed certificate.

The only thing I wanted to do with s_server was see if it would complain 
about imapcert.pem being unusable because the msg in maillog led me to 
believe that that was the problem.

This seems to have been resolved by copying cacert.pem to a directory 
readable by the mail group. Apparently, imapcert.pem is, in fact, ok.

b

More information about the Info-cyrus mailing list