kolab problem (imap TLS failed)

kemas k_henry at ramayana.co.id
Thu May 25 01:00:56 CEST 2006


Hello Michael,
when I ran openssl s_client -connect localhost:pop3s
it throws this

[root@genderuwo kolab]# /kolab/bin/openssl s_client -connect localhost:pop3s
CONNECTED(00000003)
depth=0 /CN=genderuwo.blah.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=genderuwo.blah.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=genderuwo.blah.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=genderuwo.blah.com
   i:/O=dedemit/OU=tuyul/CN=genderuwo.blah.com
---
Server certificate
-----BEGIN CERTIFICATE-----
weewrwe
fkgldfgkd
lgfdlkg
dfsdfkllsf
-----END CERTIFICATE-----
subject=/CN=genderuwo.blah.com
issuer=/O=dedemit/OU=tuyul/CN=genderuwo.blah.com
---
No client certificate CA names sent
---
SSL handshake has read 829 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 787777
    Session-ID-ctx:
    Master-Key: asdfsfsdf
23499ASD
    Key-Arg   : None
    Start Time: 1148467421
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
+OK genderuwo.blah.com Cyrus POP3 v2.2.12 server ready <3537160656.114846742
================================================================
/kolab/etc/kolab/key.pem has gid kolab-r
but /kolab/etc/kolab/ca/cacert.pem is owned by root gid root

file owner and group owner in kolab are rather confusing for me

thanks
I
----- Original Message -----
From: "Michael Leupold" <leupold at leunet.de>
To: <kolab-users at kolab.org>
Sent: Tuesday, May 23, 2006 7:54 PM
Subject: Re: kolab problem (imap TLS failed)


> On Wednesday, 24 May 2006 01:09, kemas wrote:
> > last month I installed kolab 2.0.3 in CentOS 4.0 for testing purposes, and
> > it runs quite well.
> > now I'm trying to build a mail server with kolab on CentOS 4.3 but I get this
> > error in imap log:
> > May 22 18:23:31 webmail.ramayana.co.id <debug> pop3s[26129]: accepted connection
> > May 22 18:23:31 webmail.ramayana.co.id <notice> pop3s[26129]: TLS server engine: cannot load CA data
> > May 22 18:23:31 webmail.ramayana.co.id <error> pop3s[26129]: unable to get private key from '/kolab/etc/kolab/key.pem'
> > May 22 18:23:31 webmail.ramayana.co.id <error> pop3s[26129]: TLS server engine: cannot load cert/key data
> > May 22 18:23:31 webmail.ramayana.co.id <error> pop3s[26129]: [pop3d] error initializing TLS
> > May 22 18:23:31 webmail.ramayana.co.id <error> pop3s[26129]: Fatal error: tls_init() failed
> > can anyone point out my mistakes?
>
> Does the connection work nonetheless? You can test it using:
> openssl s_client -connect localhost:pop3s
>
> It seems the problem is that your server can read neither its own certificate
> nor the CA certificate. Is /kolab/etc/kolab/key.pem existent and readable by
> cyrus? (I have read permission for group kolab-r).
> By the way, not being able to read the CA certificate should be the general
> case if you are using self-signed certificates. In that case the ca cert is
> in /kolab/etc/kolab/ca/cacert.pem and not readable by the imapd. You could
> add your own ca to imapd.conf using tls_ca_file but I don't know if relaxing
> access restrictions on cacert.pem is detrimental to anything.
>
> Regards,
> Michael
>
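Added example, not part of the original thread or of Kolab/Cyrus: a small shell check for the question raised above, whether the account the IMAP/POP daemon runs as can actually read `key.pem` and `cacert.pem`. It assumes GNU `stat` (as on CentOS), ignores ACLs, and the function names are made up for this illustration; the `cyrus` user name and the paths are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example (constructed); function names are hypothetical.

# class_allows UID "GIDS" OWNER GROUP MODE BIT
# Classic Unix evaluation: exactly one class (owner, group, other) applies.
# MODE is octal as printed by stat (e.g. 640); BIT is 4 = read, 1 = search.
class_allows() {
    uid=$1 gids=$2 owner=$3 group=$4 mode=$(( 0$5 )) bit=$6
    [ "$uid" -eq 0 ] && return 0          # root bypasses read/search bits
    if [ "$uid" -eq "$owner" ]; then      # owner class wins even if weaker
        [ $(( (mode >> 6) & bit )) -ne 0 ]; return
    fi
    for g in $gids; do
        if [ "$g" -eq "$group" ]; then
            [ $(( (mode >> 3) & bit )) -ne 0 ]; return
        fi
    done
    [ $(( mode & bit )) -ne 0 ]
}

# can_read USER FILE
# Checks the read bit on FILE and the search bit on every parent directory.
# Prints the first blocking component; returns 1 if blocked, 2 on lookup error.
can_read() {
    user=$1; file=$2
    u=$(id -u "$user") || return 2
    gs=$(id -G "$user")
    st=$(stat -c '%u %g %a' "$file") || return 2
    set -- $st
    class_allows "$u" "$gs" "$1" "$2" "$3" 4 ||
        { echo "no read permission: $file (uid gid mode: $st)"; return 1; }
    dir=$(dirname "$file")
    while :; do
        st=$(stat -c '%u %g %a' "$dir") || return 2
        set -- $st
        class_allows "$u" "$gs" "$1" "$2" "$3" 1 ||
            { echo "no search permission: $dir (uid gid mode: $st)"; return 1; }
        case $dir in /|.) break ;; esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Usage on the host from the thread (run as root):
#   can_read cyrus /kolab/etc/kolab/key.pem
#   can_read cyrus /kolab/etc/kolab/ca/cacert.pem
```

A file can have the right group and mode and still be unreadable if one parent directory lacks the search bit for that account, which is why `can_read` walks the whole path.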



