TLS: unable to get certificate ...

brian cyruslist at subtropolix.org
Sat Apr 12 12:33:09 EDT 2008


Goetz Babin-Ebell wrote:
> brian schrieb:
> | Goetz Babin-Ebell wrote:
> |> brian schrieb:
> |> | brian wrote:
> 
> |> |> I'm trying (and failing) to set up TLS and hope someone might be able to
> |> |> shed some light on my problem. Authentication failed so I checked
> |> |> maillog and found:
> |> |>
> |> |> imap[30288]: TLS server engine: cannot load CA data
> |> This            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> Looking in the last source I have here (2.3.8), I'm definitively not
> happy about the code that generates that message:
> * If you don't do SSL client authentication, this message
>   is only confusing noise.
> * If you do SSL client authentication this message is not an
>   info but an error and should be logged as one.
> I opened a ticket and sent a patch in 2005.
> Unfortunately it wasn't accepted (at least the last time I checked...)
> 
> |> |> imap[30288]: unable to get certificate from
> |> |> '/etc/pki/tls/certs/imapcert.pem'
> |> and this ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> |> Is your first hint.
> |
> | Yes, it was the first thing I noticed too. However, the fact that that
> | file was easily readable confused me as to what the problem actually
> | was. I thought that perhaps the file, while readable, contained garbage.
> 
> There is a big difference between CA certificates and
> end entity (server) certificates.
> Here cyrus tried to load a CA certificate,
> but imapcert.pem contains only the server certificate.
> 
> OK, I was wrong:
> these two error lines are unrelated.
> The second failing because the first failed may be a result
> of cyrus not clearing the OpenSSL error stack between
> the two lines.
> 
> Any developer listening ?
> calling ERR_clear_error(); on entering set_cert_stuff() (tls.c)
> should fix this...
> (If you're building cyrus from source,
>  you could insert that line and try again)

That's what I was wondering, also, after coming across this last night:
http://weblog.elwing.org/elwing/index.php/archive/2007/07/18/cyrus-imap-and-certificates/


> 
> |> I wish people would stop using self signed certificates in their
> |> tutorials.
> |> Creating a CA and using it to sign the certificates are
> |> just two to three steps more and it gives people a hint how
> |> to set up things correctly...
> |
> | Maybe I've got the terminology wrong then. By "self-signed" I mean that
> | I did create my own CA, then created and signed a cert with that.
> |
> |    # CA_nodes -newca
> |    # CA_nodes -newreq
> |    # CA_nodes -sign
> 
> A self signed certificate is a certificate that is signed by the
> same key that is in the certificate.
> 
> What you have created is a normal certificate that
> was signed by a local CA.
> 
> | I'm not aware of any other kind of "self-signed" certificate. I thought
> | it was either signed by Thawte, etc. or by one's own CA.
> 
> ... or signed by the same key that is in the certificate
>  (signed by itself)

Thank you. I think it's becoming clearer now.

> 
> |> | [abbreviated output follows]
> |> |
> |> | CONNECTED(00000003)
> |> | depth=1 /C=CA/ST=Ontario/O=zijn
> |> | digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
> |> | verify return:1
> |> | depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn
> |> | digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
> |> | verify return:1
> |> | ---
> |> | Certificate chain
> |> |   0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn
> |> | digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
> |> |     i:/C=CA/ST=Ontario/O=zijn
> |> | digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
> |> OK, this is NOT a self signed certificate.
> |>
> | What tells you that?
> 
> In a self signed certificate issuer and subject name are identical.

Right. This makes sense now I know what to look for.

> 
> BTW:
> 
> If you have your server certificate directly signed by your
> root (CA) certificate and you do not want to use client authentication,
> you can configure cyrus imapd to not use any CA certificates at all:
> 
> The client needs to know the root certificate anyway to determine if
> it may trust it, so you gain nothing by transmitting it in SSL handshake...
> 
> 
> Goetz

Thanks very much for your replies. I'm gaining a better understanding of
this. Now, back to the docs ...

b
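
As an added example (not from this thread and not cyrus code), the rule Goetz gives above, applied to the "Certificate chain" section of `openssl s_client` output: a certificate is self-signed exactly when its subject (`s:`) and issuer (`i:`) are identical, and otherwise either the next certificate in the chain is its issuer or the client has to hold the issuing CA certificate locally. The sample chains are constructed to mirror the abbreviated output quoted above, with the list's obfuscated addresses replaced by plain ones.

```python
import re

# Constructed sample mirroring the "Certificate chain" section of the
# `openssl s_client` output quoted in the thread: depth 0 is the server
# certificate, issued by a local CA whose certificate the server did not send.
LOCAL_CA_CHAIN = """\
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
   i:/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
---
"""
# Constructed counter-example: a genuinely self-signed server certificate.
SELF_SIGNED_CHAIN = """\
Certificate chain
 0 s:/C=CA/ST=Ontario/O=zijn digital/OU=mail/CN=mail.MYDOMAIN
   i:/C=CA/ST=Ontario/O=zijn digital/OU=mail/CN=mail.MYDOMAIN
---
"""

def parse_chain(output):
    """Return [(subject, issuer), ...] in chain order; index 0 is the server cert."""
    certs, subject = [], None
    for line in output.splitlines():
        m = re.match(r"\s*\d+ s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m and subject is not None:
            certs.append((subject, m.group(1).strip()))
            subject = None
    return certs

def is_self_signed(subject, issuer):
    """Goetz's rule: in a self-signed certificate issuer and subject are identical."""
    return subject == issuer

def describe_chain(output):
    """Classify each certificate the server sent, as a list of (depth, kind)."""
    certs = parse_chain(output)
    report = []
    for depth, (subj, iss) in enumerate(certs):
        if is_self_signed(subj, iss):
            kind = "self-signed"
        elif depth + 1 < len(certs) and certs[depth + 1][0] == iss:
            kind = "signed by next certificate in chain"
        else:  # issuer not sent: the client must already hold that CA cert
            kind = "signed by a CA not sent in the chain"
        report.append((depth, kind))
    return report
```

Run `describe_chain` on the output of `openssl s_client -connect host:993` to see at a glance whether the server is presenting a self-signed certificate or one issued by a local CA that clients must trust themselves.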

