Re: Cyrus and SSL


 




On Dec 9, 2006, at 3:13 AM, redhatdude@xxxxxxxxxxxxx wrote:


On Dec 8, 2006, at 8:04 PM, Craig White wrote:

On Fri, 2006-12-08 at 12:56 -0500, redhatdude@xxxxxxxxxxxxx wrote:
On Dec 8, 2006, at 12:42 PM, Craig White wrote:

On Fri, 2006-12-08 at 05:28 -0500, redhatdude@xxxxxxxxxxxxx wrote:
This is the error I get when I try to connect to cyrus-imapd using
ssl.

Dec  8 05:22:43 master[15783]: about to exec /usr/lib/cyrus-imapd/imapd
Dec  8 05:22:43 imaps[15768]: accepted connection
Dec  8 05:22:43 imaps[15783]: executed
Dec  8 05:22:43 imaps[15768]: unable to get certificate from '/etc/pki/cyrus-imapd/cyrus-imapd.pem'
Dec  8 05:22:43 imaps[15768]: TLS server engine: cannot load cert/key data
Dec  8 05:22:43 imaps[15768]: error initializing TLS
Dec  8 05:22:43 imaps[15768]: Fatal error: tls_init() failed
Dec  8 05:22:43 imaps[15768]: DBERROR db4: Database handles remain at environment close
Dec  8 05:22:43 imaps[15768]: DBERROR db4: Open database handle: /var/lib/imap/tls_sessions.db
Dec  8 05:22:43 imaps[15768]: DBERROR: error exiting application: Invalid argument
Dec  8 05:22:43 master[15756]: process 15768 exited, status 75
Dec  8 05:22:43 master[15756]: service imaps pid 15768 in BUSY state: terminated abnormally

If I don't use SSL it works fine. I even tried creating my own certs
and it's just the same.
Please help.
EJ
----
TLS server engine: cannot load cert/key data is certainly a problem
but evidently there is also something very wrong with
/var/lib/imap/tls_sessions.db

you might want to delete that file and restart cyrus-imapd so it
gets recreated. I would presume that it like all other things
cyrus-imapd should be cyrus:mail ownership and in checking on my system,
that file is 600.

you might want to check dmesg/syslog/audit.log to see if selinux is
involved in /var/lib/imap/tls_sessions.db issue too.

Craig


SELinux is turned off. I deleted /var/lib/imap/tls_sessions.db and
cyrus created a new one. I created the certs for cyrus, changed
ownership to cyrus:mail and did chmod 600. I'm still having the same
problem.
----
hmmm...I don't think you can use cyrus without functioning berkeley db -
I have annotations.db deliver.db and mailboxes.db in addition to
tls_sessions.db so if you are similar (i.e. not using skiplist for those functions), then the problem would have to be ssl/tls related and not db
related.

Are you using fedora binary packages?
Did you rebuild cyrus-imapd from source/source-rpm?
Did you rebuild openssl from source/source-rpm?
Are you still getting the message 'cannot load cert/key data'?

Craig


Sorry if I got impatient Craig, my emails take a long time sometimes to show up on the list and I sent one after the other.

I installed cyrus-imapd using yum, I did nothing to it. Same thing with openssl, I have what got installed with FC6.
I'm still getting the same messages.
Cyrus-imapd works fine as long as I don't try to connect to it on port 993 ( ssl ). So I don't think berkeleydb is the problem if cyrus-imapd works fine authenticating my virtual users without using SSL.
Cyrus just doesn't seem to want to take the certs.
Thanks, I appreciate your help.
EJ


Ok, I finally got it to work. Apparently the certificates and the keys that I created do not work with cyrus-imapd. I followed a few HOWTOs on the web for creating these files and none of them worked. So I finally used the one in /etc/pki/tls/certs/cyrus-imapd.pem and the ca-bundle.crt in the same folder. Now everything works as expected. My question now is, what is the proper way of creating these certs and key files that work with cyrus-imapd? The ones I created for postfix worked like a charm.
Thanks,
EJ
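
An added example, not part of the thread and not from any poster: a pre-flight check for a PEM file before a TLS daemon is pointed at it, covering the mode 600 mentioned above plus conditions that make an OpenSSL-based loader refuse a cert/key pair. It assumes the certificate and an unencrypted private key live in one file; inspect_pem and check_file are hypothetical names.

```python
import os
import re
import ssl
import stat

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def inspect_pem(text):
    """Return a list of problems found in the text of a combined cert+key PEM file."""
    labels, encrypted = [], False
    for label, body in PEM_BLOCK.findall(text):
        labels.append(label)
        # PKCS#8 encrypted keys say so in the label, traditional ones in a header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            encrypted = True
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(l.endswith("PRIVATE KEY") for l in labels):
        problems.append("no PRIVATE KEY block")
    if encrypted:
        # Assumption: an unattended daemon has no way to supply a passphrase.
        problems.append("private key is passphrase-protected")
    return problems

def check_file(path):
    """Structural checks, a permission check, then let OpenSSL load the pair."""
    with open(path) as fh:
        problems = inspect_pem(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("mode %o is wider than 600" % mode)
    if not problems:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            # Raises if the PEM cannot be parsed or the key does not match the cert.
            ctx.load_cert_chain(path, path)
        except ssl.SSLError as exc:
            problems.append("OpenSSL rejected the pair: %s" % exc)
    return problems

if __name__ == "__main__":
    import sys
    for problem in check_file(sys.argv[1]) or ["no problems found"]:
        print(problem)
```

Run it as the account the daemon runs as, so that a file that account cannot read shows up as a PermissionError instead of passing.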

