Hi Aki,

I do not have any error message but (on both servers):

doveadm replicator status '*'
doveadm(root): Fatal: net_connect_unix(/var/run/dovecot/replicator-doveadm) failed: Connection refused

Thx

On Friday 3 February 2017 at 17:09:52, you wrote:

> Please keep responses in list. rm -f
> /var/lib/dovecot/ssl-parameters.dat, I think it was in that dir.
>
> On 2017-02-03 17:00, Thierry wrote:
>> Hi,
>>
>> I have removed the '<' :
>>
>> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem
>>
>> But now:
>>
>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>
>> Any idea ?
>>
>> Thx
>>
>>> Yes. The ssl_client_ca_file is not actually expecting <, just file name.
>>> Aki
>>>
>>> On 2017-02-03 15:13, Thierry wrote:
>>>> Hi,
>>>>
>>>> I have made the change:
>>>>
>>>> ssl_protocols = !SSLv2 !SSLv3
>>>> ssl = required
>>>> verbose_ssl = no
>>>> ssl_key = </etc/ssl/private/private.key
>>>> ssl_cert = </etc/ssl/certs/key.crt
>>>> ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
>>>>
>>>> # Create a listener for doveadm-server
>>>> service doveadm {
>>>>   user = vmail
>>>>   inet_listener {
>>>>     port = 12345
>>>>     ssl = yes
>>>>   }
>>>> }
>>>>
>>>> and doveadm_port = 12345 // mail_replica = tcps:server2.domain.ltd # use doveadm_port
>>>>
>>>> And now:
>>>>
>>>> Feb 03 14:11:16 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't load CA certs from directory : error:02001024:system library:fopen:File name too long
>>>> Feb 03 14:11:17 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>>>> Feb 03 14:11:17 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>>>
>>>> Thx for your support
>>>>
>>>> On Friday 3 February 2017 at 11:34:43, you wrote:
>>>>
>>>>> Hello,
>>>>> On 02/03/2017 08:51 AM, Thierry wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Still working with my dsync problem.
>>>>>> I have done a clone (vmware) of my email server.
>>>>>> Today I have two strictly identical email servers (server1
>>>>>> (main) and server2 (bck) (except IP, hostname and mail_replica).
>>>>>>
>>>>>> The ssl config on both my servers:
>>>>>>
>>>>>> ssl_protocols = !SSLv2 !SSLv3
>>>>>> ssl = required
>>>>>> verbose_ssl = no
>>>>>> ssl_key = </etc/ssl/private/private.key
>>>>>> ssl_cert = </etc/ssl/certs/key.crt
>>>>>> ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem
>>>>> I think it should be ssl_client_ca_file
>>>>> </etc/ssl/certs/GandiStandardSSLCA2.pem for you.
>>>>>> This config is working for my email client and my email web
>>>>>> interface ...
>>>>>>
>>>>>> Are they in the right order ?
>>>>>>
>>>>>> mail_replica = tcps:server1 at domain.ltd and tcps:server2 at domain.ltd
>>>>>>
>>>>>> There is traffic on my iptables rules on both my servers:
>>>>>>
>>>>>> 60 3600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4711
>>>>>>
>>>>>> My error message from server1 (main server):
>>>>>>
>>>>>> Feb 03 08:38:08 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>> Feb 03 08:42:35 doveadm(user2 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>> Feb 03 08:42:35 doveadm(user3 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>> Feb 03 08:42:35 doveadm(user4 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>>>>>
>>>>>> No logs from server2
>>>>>>
>>>>>> Any ideas ?
>>>>>>
>>>>>> Thx for your support

-- 
Regards,
Thierry
e-mail : lenaigst at maelenn.org
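Aki's point in the quoted exchange above is that `ssl_key` and `ssl_cert` take a `<path` value (Dovecot reads the file contents) while `ssl_client_ca_file` takes a plain file name, and the `<` on the CA setting is what turned into the "Can't load CA certs from directory ... File name too long" error. The following is an added example, not code from the thread or from Dovecot: a small POSIX sh lint (function names `lint_dovecot_ssl` and `ca_file_from_config` are my own) that flags that prefix mistake in a config file before the next `doveadm sync` run. The sample config it checks is constructed from the values posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or Dovecot): lint Dovecot SSL settings
# for the value-prefix mistake discussed above.
#   ssl_key / ssl_cert        -> must be "<file" (contents are read)
#   ssl_client_ca_file        -> must be a plain file name, no "<"

# lint_dovecot_ssl CONFIG_FILE
# Prints one line per finding; returns 1 if anything is wrong, 0 otherwise.
lint_dovecot_ssl() {
    conf="$1"
    status=0

    # ssl_client_ca_file must not carry the "<" prefix
    if grep -Eq '^[[:space:]]*ssl_client_ca_file[[:space:]]*=[[:space:]]*<' "$conf"; then
        echo "ssl_client_ca_file: drop the leading '<' (this setting expects a file name, not file contents)"
        status=1
    fi

    # ssl_key and ssl_cert, when present, must carry the "<" prefix
    for key in ssl_key ssl_cert; do
        if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$conf" &&
           ! grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*<" "$conf"; then
            echo "$key: value should start with '<' so Dovecot reads the file contents"
            status=1
        fi
    done

    return $status
}

# ca_file_from_config CONFIG_FILE
# Prints the ssl_client_ca_file path with any stray "<" and trailing blanks removed,
# i.e. the value the setting should actually contain.
ca_file_from_config() {
    sed -n 's/^[[:space:]]*ssl_client_ca_file[[:space:]]*=[[:space:]]*<*//p' "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Constructed sample: the config posted in the thread, CA file still prefixed with "<".
demo=$(mktemp)
cat > "$demo" <<'EOF'
ssl = required
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
EOF

echo "Checking $demo:"
lint_dovecot_ssl "$demo" || echo "-> corrected CA setting: ssl_client_ca_file = $(ca_file_from_config "$demo")"
rm -f "$demo"
```

Run it against a copy of `dovecot.conf` (or the output of `doveconf -n` saved to a file); a clean run prints nothing and exits 0, so it can sit in a pre-reload check. It deliberately does not try to open the CA file, because the host running the lint need not be the mail server.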
Dear Thierry,

- Have you checked that port 12345 as specified below is open/forwarded and actually /used/ by dovecot (e.g., use "netstat -tulpn|grep dovecot")?
- Did you retrace your steps and have you verified that synchronisation works with ssl disabled?
- Did you verify your certificate files (e.g., "openssl verify -verbose -CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt")?

Personally, I prefer to use a single, specialised tool to manage certificates/encryption (which in my case is stunnel); all other programs are set up using (link-)local ip addresses only. If everything but encryption works with your setup, this might be a possible "workaround". (Apart from that, stunnel debug mode is very detailed and can help you to rule out problems with the certificates/connections between two nodes.) And once the latter works but the dovecot setup below still does not, it would also point to a problem with certificate handling by dovecot (could be library related).

KR,
Markus

On 06.02.2017 at 07:36, Thierry wrote:
> Hi Aki,
>
> I do not have any error message but (on both servers):
>
> doveadm replicator status '*'
> doveadm(root): Fatal: net_connect_unix(/var/run/dovecot/replicator-doveadm) failed: Connection refused
>
> Thx
>
> On Friday 3 February 2017 at 17:09:52, you wrote:
>
>> Please keep responses in list. rm -f
>> /var/lib/dovecot/ssl-parameters.dat, I think it was in that dir.
Hello Markus,

> - Have you checked that port 12345 as specified below is open/forwarded
> and actually /used/ by dovecot (e.g., use "netstat -tulpn|grep dovecot")?

Yes of course:

tcp        0      0 0.0.0.0:12345    0.0.0.0:*    LISTEN    22025/dovecot
tcp6       0      0 :::12345         :::*         LISTEN    22025/dovecot

> - Did you retrace your steps and have you verified that synchronisation
> works with ssl disabled?

This dovecot is working well with my email client and web mail interface, I would prefer not to start playing with this config file ...

> - Did you verify your certificate files (e.g., "openssl verify -verbose
> -CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt")?

yes:

openssl verify -verbose -CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt
/etc/ssl/certs/key.crt: OK

> Personally, I prefer to use a single, specialised tool to manage
> certificates/encryption (which in my case is stunnel); all other
> programs are set up using (link-)local ip addresses only. If everything
> but encryption works with your setup, this might be a possible
> "workaround". (Apart from that, stunnel debug mode is very detailed and
> can help you to rule out problems with the certificates/connections
> between two nodes.)
> And once the latter works but the dovecot setup below still does not, it
> would also point to a problem with certificate handling by dovecot
> (could be library related).

This morning's logs:

Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Feb 07 05:50:13 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 07 05:50:13 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL

> KR,
> Markus

Thx

-- 
Regards,
Thierry
e-mail : lenaigst at maelenn.org