Problem with https and roundcube

Enrico Tagliavini enrico.tagliavini at gmail.com
Thu Oct 16 22:18:18 CEST 2014


Also always keep an eye on your cyrus logs. By default cyrus imap logs
are sent to /var/log/maillog and I'm pretty sure cyrus is complaining
when you start it about your config being invalid.

You said your config file contains

tls_cert_file: /etc/pki/tls/certs/*.com.crt
tls_key_file: /etc/pki/tls/private/*.com.key
tls_ca_file: /etc/pki/tls/certs/*.com.ca-chain.pem

and I can guess the names of your certificate files don't contain a
star symbol (*). So unless you used it to blank your domain so as not to
show it in public, your config should be fixed to something like:

tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.crt
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/cyrus-imapd/ca-bundle.crt

pointing to single specific files.

Moreover the tls_ca_file is not the CA chain, at least if I understood
the manual correctly. The chain should be appended to the file
specified in tls_cert_file, the same way you do in postfix. The
tls_ca_file is likely used to authenticate clients, but I'm not sure.

On 15 October 2014 00:01, Iman Nuraev <nuraev at gmail.com> wrote:
> Enrico and Mariusz, thank you!
>
> I've added the rewrite rule and <Directory> from roundcubemail.conf to
> nss.conf. Now the roundcube login screen is displayed correctly, but every
> attempt to log in ends with the message "login failed".
>
> /var/log/roundcubemail/userlogin contains only:
> [14-Oct-2014 21:40:28,000000 +0200]: <1iafbkbb> Failed login for
> test.test@***.com from *** in session 1iafbkbbrhbrahv0g3lulv6c25 (error: 0)
>
>
> /var/log/kolab/pykolab.log contains:
>
> 2014-10-14 23:40:34,222 pykolab.imap WARNING
> Could not connect to Cyrus IMAP server 'imaps://localhost:993'
>
> 2014-10-14 23:40:44,236 pykolab.imap WARNING
> Could not connect to Cyrus IMAP server 'imaps://localhost:993'
>
> 2014-10-14 23:40:54,250 pykolab.imap WARNING
> Could not connect to Cyrus IMAP server 'imaps://localhost:993'
>
> Check of imap (as recommended in
> https://docs.kolab.org/howtos/secure-kolab-server.html):
>
> # openssl s_client -showcerts -connect localhost:993
> CONNECTED(00000003)
> 140562498885448:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:766:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 263 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
> /etc/imapd.conf contains:
>
> tls_cert_file: /etc/pki/tls/certs/*.com.crt
> tls_key_file: /etc/pki/tls/private/*.com.key
> tls_ca_file: /etc/pki/tls/certs/*.com.ca-chain.pem
>
> Is there any solution?
>
>
>
>
> 2014-10-14 11:00 GMT+04:00 Mariusz Piasecki <mariusz.piasecki at extranet.pl>:
>>
>> You should look at the rewrite rule. They're prepared for an alias -
>> hostname/webmail.
>>
>> On 2014-10-10 at 23:32, Iman Nuraev wrote:
>>
>> Hello!
>>
>> I have the same trouble as
>> http://lists.kolab.org/pipermail/users/2014-September/017832.html , but
>> have only nss.conf, not ssl.conf. I'm new to apache. Can anybody explain
>> what I can do to handle this situation?
>> Thank you!
>>
>> Best regards,
>> Iman
>>
>>
>> _______________________________________________
>> users mailing list
>> users at lists.kolab.org
>> https://lists.kolab.org/mailman/listinfo/users
>>
>>
>>
>> --
>> Regards
>> [name] Mariusz Piasecki
>> [job] System Administrator
>> [e-mail] mariusz.piasecki at extranet.pl
>> [office] +48 56 61-97-520
>> [fax] +48 56 56 61-97-518
>> [www] http://www.extranet.pl
>>
>>
>
>
>


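Added example, not part of the original message and not Cyrus or Kolab code: a small check of the tls_*_file options discussed in the reply above. It flags wildcard characters in the paths and files that do not exist, and counts the certificates in tls_cert_file so you can see whether the chain was appended there. The function names are made up for this example.

```python
import os

TLS_OPTIONS = ("tls_cert_file", "tls_key_file", "tls_ca_file")
PEM_CERT = "-----BEGIN CERTIFICATE-----"

def parse_imapd_conf(text):
    """Return {option: value} from 'option: value' lines, skipping # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition(":")
            if sep:
                opts[key.strip()] = value.strip()
    return opts

def check_tls_files(conf_text):
    """Return (findings, cert_count); findings is a list of (option, problem)."""
    opts = parse_imapd_conf(conf_text)
    findings = []
    for name in TLS_OPTIONS:
        path = opts.get(name)
        if path is None:
            continue
        # Per the reply above, each option has to name one specific file.
        if any(c in path for c in "*?["):
            findings.append((name, "wildcard in path, expected one specific file"))
        if not os.path.isfile(path):
            findings.append((name, "file does not exist"))
    # Count PEM certificates in tls_cert_file: 1 means no chain was appended.
    cert_count = None
    cert = opts.get("tls_cert_file")
    if cert and os.path.isfile(cert):
        with open(cert, encoding="ascii", errors="replace") as fh:
            cert_count = fh.read().count(PEM_CERT)
    return findings, cert_count

if __name__ == "__main__":
    # Constructed sample: the three lines quoted from /etc/imapd.conf in the thread.
    sample = (
        "tls_cert_file: /etc/pki/tls/certs/*.com.crt\n"
        "tls_key_file: /etc/pki/tls/private/*.com.key\n"
        "tls_ca_file: /etc/pki/tls/certs/*.com.ca-chain.pem\n"
    )
    for option, problem in check_tls_files(sample)[0]:
        print(f"{option}: {problem}")
```

Run it as the user the cyrus service runs as, so that a file that exists but sits in a directory that user cannot enter also shows up as missing.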