TLS server engine: cannot load CA data

Brandon Gould bgould at crewcorpinc.com
Wed Jul 10 20:58:21 EDT 2013


Hello all,

I'm encountering some peculiar behaviour with my present configuration.

Sometimes, I'll get "TLS server engine: cannot load CA data," a 
certificate warning on the client (Certificate validation failed for 
unknown reasons?).

Other times, it will succeed non problemo. No warning on the client, 
nothing.

The server is set up to force encryption... if the client isn't capable, 
it will refuse.

Here's a log output when it fails:

Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: executed
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: accepted connection
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: TLS server engine: cannot load CA data
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: imapd:Loading hard-coded DH parameters
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: SSL_accept() incomplete -> wait
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: SSL_accept() succeeded -> done
Jul 11 00:41:37 ip-10-0-0-201 cyrus/imap[32711]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits reused) no authentication
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32711]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32711]: login: [REDACTED] plaintext+TLS User logged in SESSIONID=<cyrus-32711-1373503297-1>
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32711]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:38  cyrus/imap[32711]: last message repeated 2 times
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[31285]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:38 ip-10-0-0-201 cyrus/master[32712]: about to exec /usr/lib/cyrus/bin/imapd
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32712]: executed
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[32712]: accepted connection
Jul 11 00:41:38 ip-10-0-0-201 cyrus/imap[31285]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: TLS server engine: cannot load CA data
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: imapd:Loading hard-coded DH parameters
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: SSL_accept() incomplete -> wait
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: SSL_accept() succeeded -> done
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits reused) no authentication
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: login: [REDACTED] plaintext+TLS User logged in SESSIONID=<cyrus-32712-1373503298-1>
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:39 ip-10-0-0-201 cyrus/imap[32712]: fetching user_deny.db entry for '[REDACTED]'
Jul 11 00:41:40 ip-10-0-0-201 cyrus/imap[32712]: open: user bgould opened INBOX.Apache Directory Server
Jul 11 00:41:40 ip-10-0-0-201 cyrus/imap[32712]: fetching user_deny.db entry for '[REDACTED]'

And configuration:

tls_ca_file: /var/www/crets/gd_bundle.crt
tls_ca_path: /etc/ssl/certs
imap_tls_key_file: /var/www/certs/[REDACTED 1].key
tls_cert_file: /var/www/certs/[REDACTED 2].crt
tls_key_file: /var/www/certs/[REDACTED 1].key
imap_tls_key_file: /var/www/certs/[REDACTED 2].key

There are separate files for the cert and key as well as my CA 
(GoDaddy... can't go wrong since they have a sale!)

(The above /var/www directories are not actually accessible to the web 
server. I just happened to store my web certs in there as well, so why 
not use the same directory for mail certs?)

The certificate has the domain as well as the FQDN of the server specified.

It's interesting to add that even when I get this error, the connection 
will still succeed encrypted.

A google search of this issue indicates that it is more or less not 
commonly encountered.
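Added example, not part of this post and not Cyrus code: a small Python audit of the TLS path settings in an imapd.conf-style file. It parses the `key: value` lines, reports any key given more than once (the script assumes the last line wins and shows which earlier value it overrides), checks that every tls_* path exists, and, where the CA bundle file does exist, tries to load it with Python's ssl module, which is the step the "cannot load CA data" message reports failing. The posted config shows both slips the constructed sample reproduces: the tls_ca_file directory is spelled differently from the other entries, and imap_tls_key_file appears twice with different values. All paths and the sample config below are constructed.

```python
"""Check the TLS file settings in a Cyrus imapd.conf-style file.

Added example for this thread, not code from the post or from Cyrus. It assumes
the 'key: value' layout shown in the post; the sample config below is constructed.
"""
import os
import ssl
import tempfile
from typing import Dict, List, Tuple

# Keys that should name readable files; tls_ca_path names a directory.
FILE_KEYS = ("tls_ca_file", "tls_cert_file", "tls_key_file", "imap_tls_key_file")
DIR_KEYS = ("tls_ca_path",)


def parse_imapd_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse 'key: value' lines into a dict and a list of warnings.

    A repeated key is kept with its last value (assumed: last line wins) and
    reported, because a silently overridden line is easy to overlook.
    """
    settings: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            warnings.append(f"line {lineno}: not a 'key: value' line: {line!r}")
            continue
        if key in settings:
            warnings.append(f"line {lineno}: duplicate key {key!r}: "
                            f"{settings[key]!r} overridden by {value!r}")
        settings[key] = value
    return settings, warnings


def check_tls_files(settings: Dict[str, str]) -> List[str]:
    """Return problems with the TLS paths; an empty list means all checks passed."""
    problems: List[str] = []
    for key in FILE_KEYS:
        path = settings.get(key)
        if path is not None and not os.path.isfile(path):
            problems.append(f"{key}: {path!r} is not an existing file")
    for key in DIR_KEYS:
        path = settings.get(key)
        if path is not None and not os.path.isdir(path):
            problems.append(f"{key}: {path!r} is not an existing directory")
    # Try to load the CA bundle, as the server does when it sets up TLS.
    ca_file = settings.get("tls_ca_file")
    if ca_file is not None and os.path.isfile(ca_file):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.load_verify_locations(cafile=ca_file)
        except ssl.SSLError as exc:
            problems.append(f"tls_ca_file: {ca_file!r} is not a loadable CA bundle ({exc})")
    return problems


def audit_config(text: str) -> List[str]:
    """Parse and check; returns all warnings and problems as one list."""
    settings, warnings = parse_imapd_conf(text)
    return warnings + check_tls_files(settings)


# Constructed sample: one directory name misspelled ("crets") and one key
# given twice, the two slips a path check catches before the server logs them.
SAMPLE_CONF = """\
tls_ca_file: {d}/crets/ca_bundle.crt
tls_ca_path: {d}/certs
tls_cert_file: {d}/certs/server.crt
tls_key_file: {d}/certs/server.key
imap_tls_key_file: {d}/certs/server.key
imap_tls_key_file: {d}/certs/other.key
"""


def demo() -> List[str]:
    """Lay out placeholder files in a temp dir and audit the sample config."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "certs"))
        for name in ("ca_bundle.crt", "server.crt", "server.key"):
            with open(os.path.join(d, "certs", name), "w") as fh:
                fh.write("placeholder, not a real PEM\n")
        return audit_config(SAMPLE_CONF.format(d=d))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real imapd.conf by reading the file and passing its text to `audit_config`; the existence checks run as whatever user invokes the script, so run it as the user the IMAP daemon runs as to also surface permission problems.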



More information about the Info-cyrus mailing list