On Sat, 2006-12-09 at 05:24 -0500, redhatdude@xxxxxxxxxxxxx wrote:
> On Dec 9, 2006, at 3:13 AM, redhatdude@xxxxxxxxxxxxx wrote:
>
> >
> > On Dec 8, 2006, at 8:04 PM, Craig White wrote:
> >
> >> On Fri, 2006-12-08 at 12:56 -0500, redhatdude@xxxxxxxxxxxxx wrote:
> >>> On Dec 8, 2006, at 12:42 PM, Craig White wrote:
> >>>
> >>>> On Fri, 2006-12-08 at 05:28 -0500, redhatdude@xxxxxxxxxxxxx wrote:
> >>>>> This is the error I get when I try to connect to cyrus-imapd using
> >>>>> ssl.
> >>>>>
> >>>>> Dec 8 05:22:43 master[15783]: about to exec /usr/lib/cyrus-imapd/imapd
> >>>>> Dec 8 05:22:43 imaps[15768]: accepted connection
> >>>>> Dec 8 05:22:43 imaps[15783]: executed
> >>>>> Dec 8 05:22:43 imaps[15768]: unable to get certificate from '/etc/pki/cyrus-imapd/cyrus-imapd.pem'
> >>>>> Dec 8 05:22:43 imaps[15768]: TLS server engine: cannot load cert/key data
> >>>>> Dec 8 05:22:43 imaps[15768]: error initializing TLS
> >>>>> Dec 8 05:22:43 imaps[15768]: Fatal error: tls_init() failed
> >>>>> Dec 8 05:22:43 imaps[15768]: DBERROR db4: Database handles remain at environment close
> >>>>> Dec 8 05:22:43 imaps[15768]: DBERROR db4: Open database handle: /var/lib/imap/tls_sessions.db
> >>>>> Dec 8 05:22:43 imaps[15768]: DBERROR: error exiting application: Invalid argument
> >>>>> Dec 8 05:22:43 master[15756]: process 15768 exited, status 75
> >>>>> Dec 8 05:22:43 master[15756]: service imaps pid 15768 in BUSY state: terminated abnormally
> >>>>>
> >>>>> If I don't use SSL it works fine. I even tried creating my own certs
> >>>>> and it's just the same.
> >>>>> Please help.
> >>>>> EJ
> >>>> ----
> >>>> TLS server engine: cannot load cert/key data is certainly a problem
> >>>> but evidently there is also something very wrong with
> >>>> /var/lib/imap/tls_sessions.db
> >>>>
> >>>> you might want to delete that file and restart cyrus-imapd so it
> >>>> gets recreated. I would presume that it, like all other things
> >>>> cyrus-imapd, should be cyrus:mail ownership and in checking on my
> >>>> system, that file is 600.
> >>>>
> >>>> you might want to check dmesg/syslog/audit.log to see if selinux is
> >>>> involved in /var/lib/imap/tls_sessions.db issue too.
> >>>>
> >>>> Craig
> >>>>>
> >>>
> >>> SELinux is turned off. I deleted /var/lib/imap/tls_sessions.db and
> >>> cyrus created a new one. I created the certs for cyrus, changed
> >>> ownership to cyrus:mail and did chmod 600. I'm still having the same
> >>> problem.
> >> ----
> >> hmmm...I don't think you can use cyrus without functioning berkeley db -
> >> I have annotations.db deliver.db and mailboxes.db in addition to
> >> tls_sessions.db so if you are similar (i.e. not using skiplist for those
> >> functions), then the problem would have to be ssl/tls related and not db
> >> related.
> >>
> >> Are you using fedora binary packages?
> >> Did you rebuild cyrus-imapd from source/source-rpm?
> >> Did you rebuild openssl from source/source-rpm?
> >> Are you still getting the message 'cannot load cert/key data'?
> >>
> >> Craig
> >
> >
> > Sorry if I got impatient Craig, my emails take a long time
> > sometimes to show up on the list and I sent one after the other.
> >
> > I installed cyrus-imapd using yum, I did nothing to it. Same thing
> > with openssl, I have what got installed with FC6.
> > I'm still getting the same messages.
> > Cyrus-imapd works fine as long as I don't try to connect to it on
> > port 993 ( ssl ). So I don't think berkeleydb is the problem if
> > cyrus-imapd works fine authenticating my virtual users without
> > using SSL.
> > Cyrus seems to just not want to take the certs.
> > Thanks, I appreciate your help.
> > EJ
> >
>
> Ok, I finally got it to work. Apparently the certificates and the
> keys that I created do not work with cyrus-imapd. I followed a few
> HOWTOs on the web on creating these files and none of them worked. So
> I finally used the one in /etc/pki/tls/certs/cyrus-imapd.pem and the
> ca-bundle.crt in the same folder. Now everything works as expected.
> My question now is, what is the proper way of creating these certs
> and key files that work with cyrus-imapd? The ones I created for
> postfix worked like a charm.
----
something like this should work

openssl req -config /usr/share/ssl/openssl.cnf \
  -new -x509 -nodes -out /etc/ssl/cyrus-global.pem \
  -keyout /etc/ssl/cyrus-global.pem -days 3650

openssl gendh 512 >> /etc/ssl/cyrus-global.pem

Craig
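
The log in this thread only says "cannot load cert/key data". As an added example (not from the thread or from the Cyrus project), the Python script below reproduces that kind of load outside the daemon with the standard `ssl` module and reports which precondition failed. The names `diagnose_pem` and `max_mode` are chosen here, and it assumes one PEM file holding both certificate and key, as in Craig's command.

```python
import os
import re
import ssl
import stat

# Matches one PEM block and captures its label and body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def diagnose_pem(path, max_mode=0o600):
    """Return the reasons a TLS daemon would fail to load cert+key from path."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, "r", errors="replace") as fh:
            blocks = PEM_BLOCK.findall(fh.read())
    except OSError as exc:
        return [f"cannot read file: {exc.strerror}"]

    problems = []
    if mode & ~max_mode:  # any permission bit beyond max_mode (600 in the thread)
        problems.append(f"mode {mode:o} is wider than {max_mode:o}")

    content = []
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        content.append("no CERTIFICATE block")
    if not keys:
        content.append("no PRIVATE KEY block")
    # A daemon cannot answer a passphrase prompt (hence -nodes in the thread).
    if any(label.startswith("ENCRYPTED") or "4,ENCRYPTED" in body for label, body in keys):
        content.append("private key is passphrase-protected")

    if not content:
        # OpenSSL loads the chain and the key, then checks that they match.
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(path)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            content.append(f"OpenSSL rejected cert/key: {getattr(exc, 'reason', None) or exc}")
    return problems + content


if __name__ == "__main__":
    import sys
    for pem in sys.argv[1:]:
        print(pem, diagnose_pem(pem) or "loads cleanly")
```

Run it as the account the daemon runs under, so that the read check reflects that account's permissions rather than root's.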