TLS server engine: cannot load CA data
Brandon Gould
bgould at crewcorpinc.com
Wed Jul 10 20:58:21 EDT 2013
Hello all,
I'm encountering some peculiar behaviour with my present configuration.
Sometimes, I'll get "TLS server engine: cannot load CA data," a
certificate warning on the client (Certificate validation failed for
unknown reasons?).
Other times, it will succeed non problemo. No warning on the client,
nothing.
The server is set up to force encryption... if the client isn't capable,
it will refuse.
Here's the log output when it fails:
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: executed
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: accepted connection
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: TLS server engine: cannot load CA data
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: imapd:Loading hard-coded DH parameters
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: SSL_accept() incomplete -> wait
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: SSL_accept() succeeded -> done
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits reused) no authentication
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32711]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32711]: login: [REDACTED] plaintext+TLS User logged in SESSIONID=<cyrus-32711-1373503297-1>
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32711]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:38 cyrus/imap[32711]: last message repeated 2 times
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[31285]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:38 ip-10-0-0-201 cyrus/master[32712]: about to exec /usr/lib/cyrus/bin/imapd
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32712]: executed
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32712]: accepted connection
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[31285]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: TLS server engine: cannot load CA data
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: imapd:Loading hard-coded DH parameters
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: SSL_accept() incomplete -> wait
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: SSL_accept() succeeded -> done
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits reused) no authentication
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: login: [REDACTED] plaintext+TLS User logged in SESSIONID=<cyrus-32712-1373503298-1>
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:40 ip-10-0-0-201 cyrus/imap[32712]: open: user bgould opened INBOX.Apache Directory Server
Jul 11 00:41:40 ip-10-0-0-201 cyrus/imap[32712]: fetching user_deny.db entry for '[REDACTED]'
And configuration:
tls_ca_file: /var/www/crets/gd_bundle.crt
tls_ca_path: /etc/ssl/certs
imap_tls_key_file: /var/www/certs/[REDACTED 1].key
tls_cert_file: /var/www/certs/[REDACTED 2].crt
tls_key_file: /var/www/certs/[REDACTED 1].key
imap_tls_key_file: /var/www/certs/[REDACTED 2].key
There are separate files for the cert and key as well as my CA
(GoDaddy... can't go wrong since they have a sale!)
(The above /var/www directories are not actually accessible to the web
server. I just happened to store my web certs in there as well, so why
not use the same directory for mail certs?)
The certificate has the domain as well as the FQDN of the server specified.
It's interesting to add that even when I get this error, the connection
will still succeed encrypted.
A google search of this issue indicates that it is more or less not
commonly encountered.
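A check that an editor would run against a configuration like the one posted, added here as an illustration (it is not the poster's code and not part of Cyrus). It reads imapd.conf-style "key: value" lines, verifies that every tls_*_file entry names a readable file and tls_ca_path a directory, and then loads the tls_ca_file bundle through OpenSSL the way a server would, so a bundle that exists but is not a valid PEM certificate is also reported. The layout it builds is constructed in a temporary directory: the file names server.crt, server.key and the directory names certs/ and crets/ are assumptions modelled on the paths above (note that the posted tls_ca_file line uses /var/www/crets/ while the other entries use /var/www/certs/), and the PEM body is a placeholder, not a real certificate. A session that negotiates a cipher does not by itself show the CA bundle was loaded, so a pre-flight check like this is the first thing to run when imapd reports that it cannot load CA data.

```python
import os
import re
import ssl
import tempfile

# TLS settings in Cyrus imapd.conf that name a file or directory. A service
# prefix (imap_tls_key_file) overrides the generic key for that service.
FILE_KEYS = {"tls_ca_file", "tls_cert_file", "tls_key_file"}
DIR_KEYS = {"tls_ca_path"}

# Matches one PEM certificate block (framing only; no ASN.1 validation here).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----")


def parse_imapd_conf(text):
    """Parse 'key: value' lines into a dict. When a key is repeated the last
    value wins, which is what happens with the duplicated imap_tls_key_file."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def base_key(key):
    """Strip a service prefix: imap_tls_key_file -> tls_key_file."""
    idx = key.find("tls_")
    return key[idx:] if idx >= 0 else key


def check_tls_files(conf):
    """Return [(key, problem), ...]; an empty list means every configured
    TLS path exists and the CA bundle is accepted by OpenSSL."""
    problems = []
    for key, value in sorted(conf.items()):
        base = base_key(key)
        if base in DIR_KEYS and not os.path.isdir(value):
            problems.append((key, "directory does not exist: " + value))
        elif base in FILE_KEYS and not os.path.isfile(value):
            problems.append((key, "file does not exist: " + value))
        elif base == "tls_ca_file":
            with open(value) as fh:
                nblocks = len(PEM_CERT_RE.findall(fh.read()))
            if nblocks == 0:
                problems.append((key, "no PEM certificate blocks in " + value))
                continue
            # Load the bundle as the server would; a PEM block whose body is
            # not a DER certificate is rejected at this step.
            try:
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
                ctx.load_verify_locations(cafile=value)
            except ssl.SSLError as exc:
                problems.append((key, "OpenSSL rejected CA bundle: %s" % exc))
    return problems


# Constructed placeholder PEM: the framing is valid, the body is not a cert.
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            "bm90IGEgcmVhbCBjZXJ0aWZpY2F0ZQ==\n"
            "-----END CERTIFICATE-----\n")


def demo(ca_dir_name):
    """Build a throwaway layout mirroring the posted config: cert and key live
    under certs/, while tls_ca_file points at <ca_dir_name>/gd_bundle.crt.
    Passing 'crets' reproduces a CA path that does not exist."""
    with tempfile.TemporaryDirectory() as root:
        certs = os.path.join(root, "certs")
        os.mkdir(certs)
        for name in ("server.crt", "server.key", "gd_bundle.crt"):
            with open(os.path.join(certs, name), "w") as fh:
                fh.write(FAKE_PEM)
        conf_text = (
            "tls_ca_file: %s/%s/gd_bundle.crt\n"
            "tls_ca_path: %s\n"
            "tls_cert_file: %s/server.crt\n"
            "tls_key_file: %s/server.key\n"
            "imap_tls_key_file: %s/server.key\n"
        ) % (root, ca_dir_name, certs, certs, certs, certs)
        return check_tls_files(parse_imapd_conf(conf_text))


if __name__ == "__main__":
    for name in ("crets", "certs"):
        print(name, demo(name))
```

Run against a real imapd.conf, replace the demo() layout with `check_tls_files(parse_imapd_conf(open("/etc/imapd.conf").read()))` and run it as the same user the imapd process runs as, since a bundle that root can read but the cyrus user cannot fails in exactly the same way.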