On Dec 9, 2006, at 3:13 AM, redhatdude@xxxxxxxxxxxxx wrote:
On Dec 8, 2006, at 8:04 PM, Craig White wrote:
On Fri, 2006-12-08 at 12:56 -0500, redhatdude@xxxxxxxxxxxxx wrote:
On Dec 8, 2006, at 12:42 PM, Craig White wrote:
On Fri, 2006-12-08 at 05:28 -0500, redhatdude@xxxxxxxxxxxxx wrote:
This is the error I get when I try to connect to cyrus-imapd using ssl.

Dec 8 05:22:43 master[15783]: about to exec /usr/lib/cyrus-imapd/imapd
Dec 8 05:22:43 imaps[15768]: accepted connection
Dec 8 05:22:43 imaps[15783]: executed
Dec 8 05:22:43 imaps[15768]: unable to get certificate from '/etc/pki/cyrus-imapd/cyrus-imapd.pem'
Dec 8 05:22:43 imaps[15768]: TLS server engine: cannot load cert/key data
Dec 8 05:22:43 imaps[15768]: error initializing TLS
Dec 8 05:22:43 imaps[15768]: Fatal error: tls_init() failed
Dec 8 05:22:43 imaps[15768]: DBERROR db4: Database handles remain at environment close
Dec 8 05:22:43 imaps[15768]: DBERROR db4: Open database handle: /var/lib/imap/tls_sessions.db
Dec 8 05:22:43 imaps[15768]: DBERROR: error exiting application: Invalid argument
Dec 8 05:22:43 master[15756]: process 15768 exited, status 75
Dec 8 05:22:43 master[15756]: service imaps pid 15768 in BUSY state: terminated abnormally

If I don't use SSL it works fine. I even tried creating my own certs and it's just the same.
Please help.
EJ
----
"TLS server engine: cannot load cert/key data" is certainly a problem, but evidently there is also something very wrong with /var/lib/imap/tls_sessions.db.

You might want to delete that file and restart cyrus-imapd so it gets recreated. I would presume that it, like all other things cyrus-imapd, should be cyrus:mail ownership, and in checking on my system, that file is 600.

You might want to check dmesg/syslog/audit.log to see if selinux is involved in the /var/lib/imap/tls_sessions.db issue too.
Craig
SELinux is turned off. I deleted /var/lib/imap/tls_sessions.db and cyrus created a new one. I created the certs for cyrus, changed ownership to cyrus:mail and did chmod 600. I'm still having the same problem.
----
hmmm... I don't think you can use cyrus without a functioning berkeley db. I have annotations.db, deliver.db and mailboxes.db in addition to tls_sessions.db, so if you are similar (i.e. not using skiplist for those functions), then the problem would have to be ssl/tls related and not db related.

Are you using fedora binary packages?
Did you rebuild cyrus-imapd from source/source-rpm?
Did you rebuild openssl from source/source-rpm?
Are you still getting the message 'cannot load cert/key data'?
Craig
Sorry if I got impatient Craig, my emails sometimes take a long time to show up on the list and I sent one after the other.

I installed cyrus-imapd using yum, I did nothing to it. Same thing with openssl, I have what got installed with FC6.

I'm still getting the same messages.

Cyrus-imapd works fine as long as I don't try to connect to it on port 993 (ssl). So I don't think berkeleydb is the problem if cyrus-imapd works fine authenticating my virtual users without using SSL.

Cyrus just doesn't seem to want to take the certs.

Thanks, I appreciate your help.
EJ
OK, I finally got it to work. Apparently the certificates and the keys that I created do not work with cyrus-imapd. I followed a few HOWTOs on the web on creating these files and none of them worked. So I finally used the one in /etc/pki/tls/certs/cyrus-imapd.pem and the ca-bundle.crt in the same folder. Now everything works as expected.

My question now is, what is the proper way of creating these certs and key files that work with cyrus-imapd? The ones I created for postfix worked like a charm.
Thanks,
EJ
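Added example, not from anyone in the thread: a POSIX shell script that builds a certificate file in the layout the thread ends up using, i.e. the private key and a self-signed certificate concatenated into one PEM (assumed here to be how the stock Fedora cyrus-imapd.pem is laid out), locks it down to mode 600 and cyrus:mail as Craig recommended, and then checks that the key and certificate actually belong together before the file is handed to imapd. The output path, the CN `imap.example.test` and the 365-day lifetime are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): produce one combined key+certificate
# PEM for cyrus-imapd and verify it before pointing imapd.conf at it.
# Assumptions: openssl is installed; the cyrus user and mail group exist
# only matter when run as root; CN and lifetime are placeholders.
set -eu

# make_cyrus_pem OUTFILE CN
# Generates a 2048-bit RSA key and a self-signed cert, writes key then cert
# into OUTFILE, and restricts the file to mode 600 (cyrus:mail when root).
make_cyrus_pem() {
    out=$1
    cn=$2
    tmpd=$(mktemp -d)
    # umask 077 so the private key is never world-readable, even transiently
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$cn" \
            -keyout "$tmpd/key.pem" -out "$tmpd/cert.pem" 2>/dev/null
        cat "$tmpd/key.pem" "$tmpd/cert.pem" > "$out"
    )
    rm -rf "$tmpd"
    chmod 600 "$out"
    # Ownership as recommended earlier in the thread; only possible as root
    if [ "$(id -u)" = 0 ] && id cyrus >/dev/null 2>&1; then
        chown cyrus:mail "$out"
    fi
}

# check_cyrus_pem FILE
# Returns 0 only if FILE holds both a certificate and a private key, the
# two belong together (same RSA modulus), and the mode is exactly 600.
# A cert-only file, a key-only file, or a mismatched pair is rejected.
check_cyrus_pem() {
    f=$1
    grep -q 'BEGIN CERTIFICATE' "$f" || return 1
    grep -q 'PRIVATE KEY' "$f" || return 1
    # openssl skips PEM blocks of the wrong type, so both reads work on
    # the combined file regardless of block order
    cert_mod=$(openssl x509 -noout -modulus -in "$f")
    key_mod=$(openssl rsa -noout -modulus -in "$f" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || return 1
    [ -n "$(find "$f" -perm 600)" ] || return 1
    return 0
}

# Stand-alone demo: build one in a scratch directory and verify it.
demo_dir=$(mktemp -d)
make_cyrus_pem "$demo_dir/cyrus-imapd.pem" "imap.example.test"
check_cyrus_pem "$demo_dir/cyrus-imapd.pem" && echo "ok: $demo_dir/cyrus-imapd.pem"
rm -rf "$demo_dir"
```

Once the check passes, the file is what `tls_cert_file` and `tls_key_file` in /etc/imapd.conf point at on Cyrus of that era (both can name the same combined file); the `check_cyrus_pem` step is the part worth keeping, since a cert and key that were generated by two different HOWTO runs will each look fine on their own but fail exactly the way the log above shows.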