Please keep responses in list. rm -f /var/lib/dovecot/ssl-parameters.dat, I think it was in that dir.

On 2017-02-03 17:00, Thierry wrote:
Hi,

I have removed the '<' :

ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem

But now:

doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
doveadm: Error: Couldn't initialize SSL parameters, disabling SSL

Any idea ?

Thx

Yes. The ssl_client_ca_file is not actually expecting <, just file name.
Aki

On 2017-02-03 15:13, Thierry wrote:
Hi,

I have made a change:

ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem


# Create a listener for doveadm-server
service doveadm {
    user = vmail
    inet_listener {
      port = 12345
      ssl= yes
    }
}

and doveadm_port = 12345    // mail_replica = tcps:server2.domain.ltd # use doveadm_port

And now:

Feb 03 14:11:16 doveadm(us...@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't load CA certs from directory : error:02001024:system library:fopen:File name too long
Feb 03 14:11:17 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 03 14:11:17 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL

Thx for your support




On Friday, 3 February 2017 at 11:34:43, you wrote:

Hello,
On 02/03/2017 08:51 AM, Thierry wrote:
Hello,

Still working with my dsync pb.
I have done a clone (vmware) of my email server.
Today I have two strictly identical email servers (server1 (main) and server2 (bck)), except IP, hostname and mail_replica.

The SSL config on both my servers:

ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem

I think it should be ssl_client_ca_file = </etc/ssl/certs/GandiStandardSSLCA2.pem for you.

This config is working for my email client and my email web interface ...

Are they in the right order?

mail_replica = tcps:serv...@domain.ltd and tcps:serv...@domain.ltd

There is traffic on my iptables rules on both my servers:

60  3600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4711



My error message from server1 (main server):

Feb 03 08:38:08 doveadm(us...@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Feb 03 08:42:35 doveadm(us...@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Feb 03 08:42:35 doveadm(us...@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Feb 03 08:42:35 doveadm(us...@domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)

No logs from server2

Any ideas ?

Thx for your support
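
Added example, not part of the thread and not Dovecot's own code: a small Python check for the settings discussed above. It assumes Dovecot 2.2-style syntax, where ssl_cert, ssl_key and ssl_ca take file content loaded with '<path' while ssl_client_ca_file and ssl_client_ca_dir take a plain path; the function name, messages and sample config are constructed for illustration.

```python
import re

# Assumption: Dovecot 2.2-style setting syntax, as in the thread.
PATH_SETTINGS = {"ssl_client_ca_file", "ssl_client_ca_dir"}  # value is a path
CONTENT_SETTINGS = {"ssl_cert", "ssl_key", "ssl_ca"}  # value is PEM text, '<path' loads it
SETTING_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

def lint_dovecot_ssl(conf_text):
    """Return (line_number, setting, message) tuples for SSL setting mistakes."""
    findings, client_ca_seen, tcps_replica_line = [], False, None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        match = SETTING_RE.match(raw.split("#", 1)[0])  # ignore comments
        if not match:
            continue  # section braces, blank lines
        key, value = match.groups()
        if key in PATH_SETTINGS:
            client_ca_seen = True
            if value.startswith("<"):
                findings.append((lineno, key, "takes a file name: remove '<'"))
        elif key in CONTENT_SETTINGS and value.startswith("/"):
            findings.append((lineno, key, "takes file content: prefix path with '<'"))
        elif key == "mail_replica" and value.startswith("tcps:"):
            tcps_replica_line = lineno
    # tcps: replication verifies the remote certificate, so a client CA is needed.
    if tcps_replica_line and not client_ca_seen:
        findings.append((tcps_replica_line, "mail_replica",
                         "tcps: needs ssl_client_ca_file or ssl_client_ca_dir"))
    return findings

# Constructed sample mirroring the second configuration quoted in the thread.
SAMPLE = """\
ssl = required
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
plugin {
  mail_replica = tcps:server2.domain.ltd # use doveadm_port
}
"""

if __name__ == "__main__":
    for lineno, key, message in lint_dovecot_ssl(SAMPLE):
        print(f"line {lineno}: {key} {message}")
```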