Re: TLS: unable to get certificate ...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



brian wrote:
> cyrus-imapd-2.3.9-7.fc7
> openssl-0.9.8b-15.fc7
> 
> I'm trying (and failing) to set up TLS and hope someone might be able to 
> shed some light on my problem. Authentication failed so I checked 
> maillog and found:
> 
> imap[30288]: TLS server engine: cannot load CA data
> imap[30288]: unable to get certificate from 
> '/etc/pki/tls/certs/imapcert.pem'
> imap[30288]: TLS server engine: cannot load cert/key data
> imap[30288]: error initializing TLS
> 
> 
> # ls -l /etc/pki/tls/certs/
> total 456
> -rw-r--r-- 1 root root   2240 Oct 12 10:55 Makefile
> -rw-r--r-- 1 root root 441017 Jun 21  2006 ca-bundle.crt
> -rw-r--r-- 1 root root   3250 Apr 10 23:46 imapcert.pem
> -rw-r--r-- 1 root root    887 Apr 10 23:40 imapkey.pem
> -rw-r--r-- 1 root root    712 Apr 10 23:40 imapreq.pem
> -rwxr-xr-x 1 root root    610 Oct 12 10:55 make-dummy-cert
> 
> The file imapcert.pem is the self-signed cert created while following 
> Patrick Koetter's SMTP AUTH tutorial[1] As it's easily readable (the 
> cert, though Patrick's tut has been terrificly helpful), I'm wondering 
> if I've made some blunder in creating it.
> 
> # openssl s_server \
> 	-cert /etc/pki/tls/certs/imapcert.pem \
> 	-key /etc/pki/tls/certs/imapkey.pem
> Using default temp DH parameters
> ACCEPT
> 
> After this, issuing 'Q' does not quit for some reason. But it appears to 
> me that the cert is good, though I can't claim to be a wizard with the 
> openssl tools (else I wouldn't be requesting help ;-)
> 
> Any ideas of what else I should be looking for?
> 
> Also, further on in maillog, I see:
> imap[30288]: DBERROR db4: Database handles still open at environment close
> imap[30288]: DBERROR db4: Open database handle: 
> /var/lib/imap/tls_sessions.db
> imap[30288]: DBERROR: error exiting application: Invalid argument
> 
> Is this something I should be concerned about? I have log_level = 3, FWIW.
> 
> 
> [1] http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

I've just noticed that i neglected to add the client part of the test. I 
repeated it and paste here:

# openssl s_server -cert /etc/pki/tls/certs/imapcert.pem -key 
/etc/pki/tls/certs/imapkey.pem

[from 2nd terminal]
# sudo netstat -ntpl | grep :4433
tcp  0  0  :::4433  :::*  LISTEN  7737/openssl

# openssl s_client -connect localhost:4433 -CApath /etc/pki/CA -CAfile 
/etc/pki/CA/cacert.pem
[abbreviated output follows]

CONNECTED(00000003)
depth=1 /C=CA/ST=Ontario/O=zijn 
digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
verify return:1
depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn 
digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
verify return:1
---
Certificate chain
  0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn 
digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
    i:/C=CA/ST=Ontario/O=zijn 
digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CA/ST=Ontario/L=Stratford/O=zijn 
digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
issuer=/C=CA/ST=Ontario/O=zijn 
digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
---
No client certificate CA names sent
---
SSL handshake has read 1203 bytes and written 267 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID: ...
     Session-ID-ctx:
     Master-Key: ...
     Key-Arg   : None
     Krb5 Principal: None
     Start Time: 1207936431
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
---
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux