Turns out this was an openldap config issue .. connecting to ldap via self signed cert and had /etc/openldap/ldap.conf as

TLS_CACERT /etc/dovecot/ldap_ca
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/certs
SASL_NOCANON on

Seems whatever gets generated in TLS_CACERTDIR is problem .. commenting that out seems to have resolved issue ..

> Matt Bryant <mailto:m...@the-bryants.net>
> 13 September 2018 at 12:52 pm
> Not sure if this is dovecot or not but can find very little ie no info
> around on this ... and added the pem file into
> /etc/pki/ca-trust/source/anchors and run update-ca-trust .. all works ok
> .. (this is on centos 7 btw)
>
> So wanted to change the hostname away from ip-x-x-x-x to something a
> little bit more descriptive .. but then kaboom .. doesn't work any more
> and the following errors are seen.
>
> Have created an internal CA for domain and added it to
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: master: Dovecot v2.2.33.2 (d6601f4ec) starting up for imap, pop3, lmtp, sieve (core dumps disabled)
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'attr->pValue != NULL' not true at attrs_build
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'lexer->tok.field.name && lexer->tok.field.value' not true at p11_lexer_next
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'attrs != NULL' not true at attrs_build
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: message repeated 16 times: [ auth: Error: p11-kit: 'attrs != NULL' not true at attrs_build]
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'new_memory != NULL' not true at maybe_expand_array
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at p11_array_push
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at sink_object
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'attrs != NULL' not true at attrs_build
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'new_memory != NULL' not true at maybe_expand_array
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at p11_array_push
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at sink_object
> ...
> ...
>
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'new_memory != NULL' not true at maybe_expand_array
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at p11_array_push
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at sink_object
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'attr->pValue != NULL' not true at attrs_build
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: 'new_memory != NULL' not true at maybe_expand_array
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at p11_array_push
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: shouldn't be reached at sink_object
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: no CKA_CLASS attribute found
> Sep 13 10:42:04 ip-10-0-40-230 dovecot: auth: Error: p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
> Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Error: p11-kit: 'attrs != NULL' not true at attrs_build
> Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Fatal: master: service(auth-worker): child 14389 killed with signal 11 (core dumps disabled)
> Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Error: p11-kit: 'attrs != NULL' not true at attrs_build
> Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Fatal: master: service(auth-worker): child 14391 killed with signal 11 (core dumps disabled)
> Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Error: p11-kit: 'attrs != NULL' not true at attrs_build
> Sep 13 10:42:05 ip-10-0-40-230 dovecot: auth-worker: Fatal: master: service(auth-worker): child 14393 killed with signal 11 (core dumps disabled)
>
> why would a hostname change make any difference here .. the certs
> specified in dovecot config are all complete in their chain so not sure
> what it's trying to do ... set hostname back to original works fine .. so
> something is obviously tied or keyed to hostname though can't find
> anything specific
>
> anyone seen anything like this at all ??
>
> rgds
>
> Matt
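
An added example, not part of the original thread: a shell check over an ldap.conf like the one quoted in the reply, reporting a TLS_REQCERT value that does not enforce server certificate verification and the case where both TLS_CACERT and TLS_CACERTDIR are set. The function names, the finding labels and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the TLS settings of an OpenLDAP client config (ldap.conf).
# audit_ldap_conf FILE prints one finding per line and nothing when it finds none.
# The finding labels (WEAK, NO_TRUST_ANCHOR, TWO_TRUST_SOURCES) are hypothetical.
audit_ldap_conf() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
        { key = toupper($1); val = $2 }           # option names are case-insensitive
        key == "TLS_REQCERT"   { reqcert = tolower(val) }
        key == "TLS_CACERT"    { cacert = val }
        key == "TLS_CACERTDIR" { cacertdir = val }
        END {
            # never skips the check, allow ignores a bad certificate, try
            # accepts a missing one; only demand (alias hard, the default
            # when the option is unset) requires a valid certificate.
            if (reqcert == "never" || reqcert == "allow" || reqcert == "try")
                print "WEAK TLS_REQCERT=" reqcert
            # With neither option set, this file provides no CA to verify against.
            if (cacert == "" && cacertdir == "")
                print "NO_TRUST_ANCHOR"
            # Both set: the library consults TLS_CACERT first, then the directory.
            if (cacert != "" && cacertdir != "")
                print "TWO_TRUST_SOURCES " cacert " " cacertdir
        }
    ' "$1"
}

# Constructed sample: the four settings quoted in the message above.
write_sample() {
    cat > "$1" <<'EOF'
TLS_CACERT /etc/dovecot/ldap_ca
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/certs
SASL_NOCANON on
EOF
}

tmp=$(mktemp) && write_sample "$tmp" && audit_ldap_conf "$tmp"; rm -f "$tmp"
```

With the CA file already named in TLS_CACERT, setting TLS_REQCERT to demand makes the client reject an LDAP server whose certificate does not chain to that CA.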