Goetz Babin-Ebell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> brian wrote:
> | brian wrote:
> |> cyrus-imapd-2.3.9-7.fc7
> |> openssl-0.9.8b-15.fc7
> |>
> |> I'm trying (and failing) to set up TLS and hope someone might be able to
> |> shed some light on my problem. Authentication failed so I checked
> |> maillog and found:
> |>
> |> imap[30288]: TLS server engine: cannot load CA data
> This ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> |> imap[30288]: unable to get certificate from
> |> '/etc/pki/tls/certs/imapcert.pem'
> and this ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Is your first hint.

Yes, it was the first thing I noticed too. However, the fact that that file was easily readable confused me as to what the problem actually was. I thought that perhaps the file, while readable, contained garbage.

> |> The file imapcert.pem is the self-signed cert created while following
> |> Patrick Koetter's SMTP AUTH tutorial[1] As it's easily readable (the
> |> cert, though Patrick's tut has been terrifically helpful), I'm wondering
> |> if I've made some blunder in creating it.
> While you can use self signed certs for server authentication,
> generally speaking it is not good to do.
> It is better to create a CA certificate and sign your server certificate
> with it.
>
> Arg.
> I wish people would stop using self signed certificates in their
> tutorials.
> Creating a CA and using it to sign the certificates are
> just two to three steps more and it gives people a hint how
> to set up things correctly...

Maybe I've got the terminology wrong then. By "self-signed" I mean that I did create my own CA, then created and signed a cert with that.

# CA_nodes -newca
# CA_nodes -newreq
# CA_nodes -sign

I'm not aware of any other kind of "self-signed" certificate. I thought it was either signed by Thawte, etc. or by one's own CA.

>
> | I've just noticed that I neglected to add the client part of the test. I
> | repeated it and paste here:
> |
> | # openssl s_server -cert /etc/pki/tls/certs/imapcert.pem -key
> | /etc/pki/tls/certs/imapkey.pem
> |
> | [from 2nd terminal]
> | # sudo netstat -ntpl | grep :4433
> | tcp 0 0 :::4433 :::* LISTEN 7737/openssl
> |
> | # openssl s_client -connect localhost:4433 -CApath /etc/pki/CA -CAfile
> | /etc/pki/CA/cacert.pem
> While you can use self signed certificates for server authentication,
> you can not use self signed certificates for client authentication.
> (besides: you didn't tell the server to do client authentication...)
> Additionally:
> On your server you have a self signed cert and now you tell your
> client to verify it against CA certificates given here ?
>
> | [abbreviated output follows]
> |
> | CONNECTED(00000003)
> | depth=1 /C=CA/ST=Ontario/O=zijn
> | digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
> | verify return:1
> | depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn
> | digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
> | verify return:1
> | ---
> | Certificate chain
> | 0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn
> | digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
> | i:/C=CA/ST=Ontario/O=zijn
> | digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
> OK, this is NOT a self signed certificate.
> What tells you that?
> | ---
> | Server certificate
> | -----BEGIN CERTIFICATE-----
> | ...
> | -----END CERTIFICATE-----
> | subject=/C=CA/ST=Ontario/L=Stratford/O=zijn
> | digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
> | issuer=/C=CA/ST=Ontario/O=zijn
> | digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
> | ---
> | No client certificate CA names sent
> ~ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> You want to do client authentication, but you didn't tell
> your server which CAs you accept for signing them ?
>
> It is obvious that you don't know what you are doing.

Sure, that's why I've emailed this list looking for help. While I seem to have fixed the problem (see below) there are aspects of this that are more than a little bit hazy. I'd like to understand this a lot better.

> If you would tell us what you want to do,
> we might be able to tell you what you should do.
>

OK, I'll start again from the beginning: I wish to incorporate TLS support into Postfix/Cyrus-IMAP. I don't feel that a signed cert from Thawte, etc. is necessary, as I'm not expecting to have any strangers with accounts on this machine. Thus, I followed Patrick's tutorial in which he explains how to create one's own CA and use that to sign a certificate. I was under the impression that *that* was a self-signed certificate.

The only thing I wanted to do with s_server was see if it would complain about imapcert.pem being unusable because the msg in maillog led me to believe that that was the problem. This seems to have been resolved by copying cacert.pem to a directory readable by the mail group. Apparently, imapcert.pem is, in fact, ok.

b

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
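Two things in this thread are worth checking mechanically rather than by eye: whether a certificate is actually self-signed (issuer DN equal to subject DN, which is what Goetz means; a cert issued by your own CA is CA-issued, and only the CA's root is self-signed), and whether the user the IMAP daemon runs as can really reach a file like cacert.pem, which is the failure behind "cannot load CA data" that brian fixed by moving the file. The script below is an added diagnostic written for this thread, not code from the list, from Cyrus or from OpenSSL. The sample `s_client` output is the one quoted above, rejoined so each DN sits on one line as openssl prints it; the uid/gid values in `__main__` are placeholders (take the real ones from `id cyrus` on your box).

```python
"""Added diagnostic for the thread above (example code, not part of the
original mail, Cyrus or OpenSSL): classify a server certificate from
`openssl s_client` output and walk a path's permissions as an
unprivileged daemon user would."""
import os
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the s_client lines quoted in the thread, with each
# DN rejoined onto a single line the way openssl actually prints it.
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 /C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
verify return:1
depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
   i:/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
issuer=/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
---
No client certificate CA names sent
"""

DN = Dict[str, str]


def parse_dn(dn: str) -> DN:
    """Split OpenSSL's legacy one-line DN ('/C=CA/ST=Ontario/...') into a dict.
    Sufficient for the DNs in this thread; a value containing '/' would need
    the RFC 2253 form (-nameopt RFC2253) instead."""
    return dict(part.split("=", 1) for part in dn.strip().split("/") if part)


def parse_s_client(text: str) -> dict:
    """Extract server subject/issuer, the chain the server sent, and whether
    it advertised client CA names, from `openssl s_client` output."""
    info = {"subject": None, "issuer": None, "chain": [], "client_ca_names_sent": True}
    for line in text.splitlines():
        if line.startswith("subject="):
            info["subject"] = parse_dn(line[len("subject="):])
        elif line.startswith("issuer="):
            info["issuer"] = parse_dn(line[len("issuer="):])
        elif (m := re.match(r"\s*(\d+) s:(.*)$", line)):
            info["chain"].append({"subject": parse_dn(m.group(2)), "issuer": None})
        elif (m := re.match(r"\s*i:(.*)$", line)) and info["chain"]:
            info["chain"][-1]["issuer"] = parse_dn(m.group(1))
        elif line.strip() == "No client certificate CA names sent":
            info["client_ca_names_sent"] = False
    return info


def is_self_signed(info: dict) -> bool:
    """Self-signed means issuer DN == subject DN. A cert signed by a CA you
    created yourself is CA-issued; the CA's own root cert is the self-signed one."""
    return info["subject"] is not None and info["subject"] == info["issuer"]


def diagnose(text: str) -> List[str]:
    """Human-readable findings about the server's certificate setup."""
    info = parse_s_client(text)
    findings: List[str] = []
    if is_self_signed(info):
        findings.append("server certificate is self-signed (subject == issuer); "
                        "clients must trust this exact certificate")
    else:
        issuer_cn = info["issuer"].get("CN", "?")
        findings.append(f"server certificate is CA-issued by CN={issuer_cn}, not self-signed")
        if info["issuer"] not in [c["subject"] for c in info["chain"]]:
            findings.append("issuing CA certificate is not in the chain the server sent; "
                            "clients need it in their own trust store (-CAfile/-CApath)")
    if not info["client_ca_names_sent"]:
        findings.append("server sent no client CA names: it is not requesting client "
                        "certificates, so only the server is being authenticated")
    return findings


def perm_allows(mode: int, file_uid: int, file_gid: int,
                uid: int, gids: Set[int], want: str) -> bool:
    """Unix class-based permission check for one inode; `want` is 'r' or 'x'.
    Root reads anything, but like the kernel still needs some x bit to traverse."""
    if uid == 0:
        return want == "r" or bool(mode & 0o111)
    if uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bool(bits & (4 if want == "r" else 1))


def readable_by(path: str, uid: int, gids: Set[int]) -> Tuple[bool, str]:
    """Walk every component like the kernel does: each directory needs 'x',
    the final file needs 'r'. Returns (ok, first blocking component).
    Uses os.stat on the live filesystem, so run it on the mail server."""
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    prefixes = [os.sep] + [os.sep + os.sep.join(parts[:i + 1]) for i in range(len(parts))]
    for i, p in enumerate(prefixes):
        want = "r" if i == len(prefixes) - 1 else "x"
        try:
            st = os.stat(p)
        except OSError:
            return False, p
        if not perm_allows(st.st_mode & 0o777, st.st_uid, st.st_gid, uid, gids, want):
            return False, p
    return True, prefixes[-1]


if __name__ == "__main__":
    for finding in diagnose(S_CLIENT_OUTPUT):
        print("-", finding)
    # Placeholder uid/gids for the IMAP daemon user; substitute the real ones.
    print(readable_by("/etc/pki/CA/cacert.pem", uid=76, gids={76, 12}))
```

On the thread's output the first function reports a CA-issued certificate (issuer CN=MYDOMAIN, subject CN=mail.MYDOMAIN) whose issuing CA is not in the chain the server sent, which is exactly why `s_client` needed `-CAfile` to verify it and why the daemon needs the CA file readable. `readable_by` reports the first directory or file component that blocks the daemon's uid/gids, which catches the case where the PEM file itself is world-readable but a parent directory is not.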