Cyrus and SSL

redhatdude at bellsouth.net redhatdude at bellsouth.net
Sat Dec 9 10:24:29 UTC 2006


On Dec 9, 2006, at 3:13 AM, redhatdude at bellsouth.net wrote:

>
> On Dec 8, 2006, at 8:04 PM, Craig White wrote:
>
>> On Fri, 2006-12-08 at 12:56 -0500, redhatdude at bellsouth.net wrote:
>>> On Dec 8, 2006, at 12:42 PM, Craig White wrote:
>>>
>>>> On Fri, 2006-12-08 at 05:28 -0500, redhatdude at bellsouth.net wrote:
>>>>> This is the error I get when I try to connect to cyrus-imapd using
>>>>> ssl.
>>>>>
>>>>> Dec  8 05:22:43 master[15783]: about to exec /usr/lib/cyrus-imapd/imapd
>>>>> Dec  8 05:22:43 imaps[15768]: accepted connection
>>>>> Dec  8 05:22:43 imaps[15783]: executed
>>>>> Dec  8 05:22:43 imaps[15768]: unable to get certificate from '/etc/pki/cyrus-imapd/cyrus-imapd.pem'
>>>>> Dec  8 05:22:43 imaps[15768]: TLS server engine: cannot load cert/key data
>>>>> Dec  8 05:22:43 imaps[15768]: error initializing TLS
>>>>> Dec  8 05:22:43 imaps[15768]: Fatal error: tls_init() failed
>>>>> Dec  8 05:22:43 imaps[15768]: DBERROR db4: Database handles remain at environment close
>>>>> Dec  8 05:22:43 imaps[15768]: DBERROR db4: Open database handle: /var/lib/imap/tls_sessions.db
>>>>> Dec  8 05:22:43 imaps[15768]: DBERROR: error exiting application: Invalid argument
>>>>> Dec  8 05:22:43 master[15756]: process 15768 exited, status 75
>>>>> Dec  8 05:22:43 master[15756]: service imaps pid 15768 in BUSY state: terminated abnormally
>>>>>
>>>>> If I don't use SSL it works fine. I even tried creating my own
>>>>> certs and it's just the same.
>>>>> Please help.
>>>>> EJ
>>>> ----
>>>> TLS server engine: cannot load cert/key data is certainly a problem
>>>> but evidently there is also something very wrong with
>>>> /var/lib/imap/tls_sessions.db
>>>>
>>>> you might want to delete that file and restart cyrus-imapd so it
>>>> gets recreated. I would presume that it like all other things
>>>> cyrus-imapd should be cyrus:mail ownership and in checking on my
>>>> system, that file is 600.
>>>>
>>>> you might want to check dmesg/syslog/audit.log to see if selinux is
>>>> involved in /var/lib/imap/tls_sessions.db issue too.
>>>>
>>>> Craig
>>>>>
>>>
>>> SELinux is turned off. I deleted /var/lib/imap/tls_sessions.db and
>>> cyrus created a new one. I created the certs for cyrus, changed
>>> ownership to cyrus:mail and did chmod 600. I'm still having the same
>>> problem.
>> ----
>> hmmm...I don't think you can use cyrus without functioning
>> berkeley db - I have annotations.db deliver.db and mailboxes.db in
>> addition to tls_sessions.db so if you are similar (i.e. not using
>> skiplist for those functions), then the problem would have to be
>> ssl/tls related and not db related.
>>
>> Are you using fedora binary packages?
>> Did you rebuild cyrus-imapd from source/source-rpm?
>> Did you rebuild openssl from source/source-rpm?
>> Are you still getting the message 'cannot load cert/key data'?
>>
>> Craig
>
>
> Sorry if I got impatient Craig, my emails take a long time  
> sometimes to show up on the list and I sent one after the other.
>
> I installed cyrus-imapd using yum, I did nothing to it. Same thing  
> with openssl, I have what got installed with FC6.
> I'm still getting the same messages.
> Cyrus-imapd works fine as long as I don't try to connect to it on  
> port 993 ( ssl ). So I don't think berkeleydb is the problem if  
> cyrus-imapd works fine authenticating my virtual users without  
> using SSL.
> Cyrus just seems not to want to take the certs.
> Thanks, I appreciate your help.
> EJ
>

Ok, I finally got it to work. Apparently the certificates and the
keys that I created do not work with cyrus-imapd. I followed a few
HOWTOs on the web on creating these files and none of them worked. So
I finally used the one in /etc/pki/tls/certs/cyrus-imapd.pem and the
ca-bundle.crt in the same folder. Now everything works as expected.
My question now is, what is the proper way of creating these certs  
and key files that work with cyrus-imapd? The ones I created for  
postfix worked like a charm.
Thanks,
EJ
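
A preflight check for the kind of PEM file named in the log above, added here as an example; it is not part of the original thread and not Cyrus code. It assumes the service expects one PEM file holding both the certificate and an unencrypted private key (the thread only shows the path in the log, so this is an assumption), and `check_pem_text`, `check_pem_file`, `make_pem` and the sample data are constructed for illustration.

```python
import base64
import binascii
import os
import re
import stat

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def check_pem_text(text):
    """Return a list of problems in a PEM string expected to hold cert + key."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block")
    for label, body in blocks:
        # PKCS#8 uses its own label; legacy OpenSSL keys carry a Proc-Type header.
        # Assumption: an unattended service cannot supply a passphrase.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append(f"{label} is passphrase-protected")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            der = b""
        if der[:1] != b"\x30":  # certificate and key DER both start with SEQUENCE
            problems.append(f"{label} payload is not base64-encoded DER")
    return problems

def check_pem_file(path):
    """Structural checks plus a permission check on the file itself."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o004:
        problems.append(f"mode {mode:o} is world-readable; the file holds a private key")
    with open(path, encoding="ascii", errors="replace") as fh:
        return problems + check_pem_text(fh.read())

# Constructed sample data: a 5-byte dummy DER SEQUENCE, not a real cert or key.
FAKE_B64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()

def make_pem(label, body=FAKE_B64):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

CERT_ONLY = make_pem("CERTIFICATE")
COMBINED = make_pem("CERTIFICATE") + make_pem("PRIVATE KEY")
ENCRYPTED = make_pem("CERTIFICATE") + make_pem(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n" + FAKE_B64)
```

The check is structural only: it does not confirm that the private key belongs to the certificate, which needs the openssl tool or a cryptographic library.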



