Cyrus and SSL

Craig White craigwhite at azapple.com
Sat Dec 9 15:52:44 UTC 2006


On Sat, 2006-12-09 at 05:24 -0500, redhatdude at bellsouth.net wrote:
> On Dec 9, 2006, at 3:13 AM, redhatdude at bellsouth.net wrote:
> 
> >
> > On Dec 8, 2006, at 8:04 PM, Craig White wrote:
> >
> >> On Fri, 2006-12-08 at 12:56 -0500, redhatdude at bellsouth.net wrote:
> >>> On Dec 8, 2006, at 12:42 PM, Craig White wrote:
> >>>
> >>>> On Fri, 2006-12-08 at 05:28 -0500, redhatdude at bellsouth.net wrote:
> >>>>> This is the error I get when I try to connect to cyrus-imapd using
> >>>>> ssl.
> >>>>>
> >>>>> Dec  8 05:22:43 master[15783]: about to exec /usr/lib/cyrus-imapd/imapd
> >>>>> Dec  8 05:22:43 imaps[15768]: accepted connection
> >>>>> Dec  8 05:22:43 imaps[15783]: executed
> >>>>> Dec  8 05:22:43 imaps[15768]: unable to get certificate from '/etc/pki/cyrus-imapd/cyrus-imapd.pem'
> >>>>> Dec  8 05:22:43 imaps[15768]: TLS server engine: cannot load cert/key data
> >>>>> Dec  8 05:22:43 imaps[15768]: error initializing TLS
> >>>>> Dec  8 05:22:43 imaps[15768]: Fatal error: tls_init() failed
> >>>>> Dec  8 05:22:43 imaps[15768]: DBERROR db4: Database handles remain at environment close
> >>>>> Dec  8 05:22:43 imaps[15768]: DBERROR db4: Open database handle: /var/lib/imap/tls_sessions.db
> >>>>> Dec  8 05:22:43 imaps[15768]: DBERROR: error exiting application: Invalid argument
> >>>>> Dec  8 05:22:43 master[15756]: process 15768 exited, status 75
> >>>>> Dec  8 05:22:43 master[15756]: service imaps pid 15768 in BUSY state: terminated abnormally
> >>>>>
> >>>>> If I don't use SSL it works fine. I even tried creating my own certs
> >>>>> and it's just the same.
> >>>>> Please help.
> >>>>> EJ
> >>>> ----
> >>>> TLS server engine: cannot load cert/key data is certainly a problem
> >>>> but evidently there is also something very wrong with /var/lib/imap/tls_sessions.db
> >>>>
> >>>> you might want to delete that file and restart cyrus-imapd so it
> >>>> gets recreated. I would presume that it like all other things
> >>>> cyrus-imapd should be cyrus:mail ownership and in checking on my system,
> >>>> that file is 600.
> >>>>
> >>>> you might want to check dmesg/syslog/audit.log to see if selinux is
> >>>> involved in /var/lib/imap/tls_sessions.db issue too.
> >>>>
> >>>> Craig
> >>>>>
> >>>
> >>> SeLinux is turned off. I deleted /var/lib/imap/tls_sessions.db and
> >>> cyrus created a new one. I created the certs for cyrus, changed
> >>> ownership to cyrus:mail and did chmod 600. I'm still having the same
> >>> problem.
> >> ----
> >> hmmm...I don't think you can use cyrus without functioning berkeley db -
> >> I have annotations.db deliver.db and mailboxes.db in addition to
> >> tls_sessions.db so if you are similar (i.e. not using skiplist for those
> >> functions), then the problem would have to be ssl/tls related and not db
> >> related.
> >>
> >> Are you using fedora binary packages?
> >> Did you rebuild cyrus-imapd from source/source-rpm?
> >> Did you rebuild openssl from source/source-rpm?
> >> Are you still getting the message 'cannot load cert/key data'?
> >>
> >> Craig
> >
> >
> > Sorry if I got impatient Craig, my emails take a long time  
> > sometimes to show up on the list and I sent one after the other.
> >
> > I installed cyrus-imapd using yum, I did nothing to it. Same thing  
> > with openssl, I have what got installed with FC6.
> > I'm still getting the same messages.
> > Cyrus-imapd works fine as long as I don't try to connect to it on  
> > port 993 ( ssl ). So I don't think berkeleydb is the problem if  
> > cyrus-imapd works fine authenticating my virtual users without  
> > using SSL.
> > Cyrus seems to just not wanting to take the certs.
> > Thanks, I appreciate your help.
> > EJ
> >
> 
> Ok, I finally got it to work. Apparently the certificates and the  
> keys that I created do not work with cyrus-imapd. I followed a few  
> HOWTOs on the web to creating these files and none of them worked. So  
> I finally used the one in /etc/pki/tls/certs/cyrus-imapd.pem and the  
> ca-bundle.crt in the same folder. Now everything works as expected.  
> My question now is, what is the proper way of creating these certs  
> and key files that work with cyrus-imapd? The ones I created for  
> postfix worked like a charm.
----
something like this should work

openssl req -config /usr/share/ssl/openssl.cnf \
-new -x509 -nodes -out /etc/ssl/cyrus-global.pem \
-keyout /etc/ssl/cyrus-global.pem -days 3650
openssl gendh 512 >> /etc/ssl/cyrus-global.pem

Craig
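The same idea as Craig's two commands, written out as an added example (not code from the thread or from cyrus-imapd): it builds the single PEM file that cyrus-imapd reads both its certificate and key from (the imapd.conf options tls_cert_file and tls_key_file point at the same file), and adds the check EJ was missing, that the key in the file actually belongs to the certificate in it. It assumes openssl is in PATH; OUT and CN are placeholders, the thread's real path being /etc/ssl/cyrus-global.pem.

```shell
#!/bin/sh
# Added example, not code from the thread or from cyrus-imapd: build the one
# PEM file that cyrus-imapd reads both its certificate and key from, then
# check it before pointing tls_cert_file and tls_key_file at it.
# Assumes openssl is in PATH. OUT and CN are placeholders; the thread's real
# path is /etc/ssl/cyrus-global.pem and the host name is your IMAP server's.

OUT="${OUT:-./cyrus-global.pem}"
CN="${CN:-imap.example.test}"   # constructed hostname: use the name clients connect to

# Self-signed cert plus unencrypted key written into the same file, as in
# Craig's command, with an explicit 2048-bit RSA key and subject added.
make_combined_pem() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=$CN" -keyout "$OUT" -out "$OUT" 2>/dev/null || return 1
    chmod 600 "$OUT"      # and chown cyrus:mail on the real host
}

# DH parameters are appended to the same file. The thread uses 512 bits;
# 2048 is the smallest size worth generating now, and it is slow, so this
# step is kept separate from the quick cert/key step.
append_dh_params() {
    openssl dhparam "${1:-2048}" 2>/dev/null >> "$OUT"
}

# Returns 0 only if the private key in the file belongs to the certificate
# in the file. Comparing public keys works for RSA and EC alike.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$OUT" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$OUT" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Number of PEM blocks of one type ("CERTIFICATE", "DH PARAMETERS") in the file.
count_blocks() {
    grep -c "^-----BEGIN $1-----" "$OUT"
}

# Returns 0 when the file holds exactly one cert, one key and DH parameters,
# with cert and key matching: the layout imapd's tls_init() expects.
pem_is_complete() {
    [ "$(count_blocks CERTIFICATE)" -eq 1 ] &&
    [ "$(grep -c '^-----BEGIN.*PRIVATE KEY-----' "$OUT")" -eq 1 ] &&
    [ "$(count_blocks 'DH PARAMETERS')" -eq 1 ] &&
    cert_matches_key
}
```

Run make_combined_pem, then append_dh_params, then pem_is_complete; once it passes and imapd has been restarted, `openssl s_client -connect yourhost:993` should show the same certificate you just generated.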




More information about the fedora-list mailing list