Hi guys,

Not sure where to start looking for this. I've got a few users getting intermittent "certificate cannot be verified" messages when connecting through SSL to Dovecot. Connections go through haproxy to Dovecot 1.1.8 on the back end servers.
I've got verbose_ssl and auth_debug enabled. All I'm seeing on the logs for the time the users reported the error is this:

Jan 21 23:30:51 mink dovecot: auth(default): new auth connection: pid=28811
Jan 21 23:30:51 mink dovecot: IMAP(user1 at domain1.net): Disconnected in IDLE bytes=73/4235

Jan 21 23:24:23 mink dovecot: auth(default): new auth connection: pid=28811
Jan 21 23:24:23 mink dovecot: imap-login: Disconnected (no auth attempts): rip=x.x.x.x, lip=x.x.x.x
Jan 21 23:24:23 mink dovecot: auth(default): new auth connection: pid=28811
Jan 21 23:24:24 mink dovecot: IMAP(user2 at domain1.net): Disconnected in IDLE bytes=89/920

Since it's so intermittent I'm not sure where to start. Since there are no real errors in the Dovecot logs I'm suspecting that haproxy is perhaps not routing every packet correctly leading to Dovecot not getting all the data needed for the connection.

Are there any other possibilities I've missed?

Thanks
Guy

root at mink:/var/log/mail# dovecot -n
# 1.1.8: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.24-23-server x86_64 Ubuntu 8.04.1
protocols: imap imaps pop3 pop3s
listen(default): *:143
listen(imap): *:143
listen(pop3): *:110
ssl_listen(default): *:993
ssl_listen(imap): *:993
ssl_listen(pop3): *:995
ssl_cert_file: /etc/ssl/certs/imapd.pem
ssl_key_file: /etc/ssl/private/imapd.pem
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_process_per_connection: no
login_processes_count: 5
login_max_processes_count: 256
max_mail_processes: 1024
verbose_proctitle: yes
mail_location: maildir:%h/Maildir/
mail_full_filesystem_access: yes
mmap_disable: yes
dotlock_use_excl: no
mail_nfs_storage: yes
mail_nfs_index: yes
lock_method: dotlock
mail_executable(default): /usr/libexec/dovecot/rawlog /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/rawlog /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/rawlog /usr/libexec/dovecot/pop3
mail_process_size: 128
mail_plugins(default): imap_quota quota
mail_plugins(imap): imap_quota quota
mail_plugins(pop3): quota
mail_log_max_lines_per_sec: 30
imap_client_workarounds: outlook-idle delay-newmail
pop3_uidl_format: %08Xv%08Xu
pop3_client_workarounds: outlook-no-nuls oe-ns-eoh
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
namespace:
  type: private
  separator: /
  prefix: mail/
  location: maildir:%h/Maildir/
  hidden: yes
  subscriptions: yes
auth default:
  cache_size: 2048
  cache_ttl: 300
  cache_negative_ttl: 1
  username_chars: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@'
  master_user_separator: *
  debug: yes
  worker_max_count: 5
  passdb:
    driver: passwd-file
    args: /etc/dovecot/dovecot-master.pwd
    master: yes
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
plugin:
  quota: maildir
  quota_rule: *:storage=100M
  quota_rule2: Trash:ignore

-- 
Don't just do something...sit there!

Uldis Pakuls
2009-Jan-22 16:30 UTC
[Dovecot] Intermittent "certificate cannot be verified" error
Guy wrote:
> Hi guys,
>
> Not sure where to start looking for this. I've got a few users getting
> intermittent "certificate cannot be verified" messages when connecting
> through SSL to Dovecot. Connections go through haproxy to Dovecot
> 1.1.8 on the back end servers.
> I've got verbose_ssl and auth_debug enabled.
>
It is an SSL error. This error message indicates that the client was unable to validate the certificate chain, or that the public key that was used to validate the certificate signature is not the correct key.
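
Added example, not part of the original thread or the posters' code: because the reply attributes the message to chain validation on the client and the setup has several back ends behind haproxy, this script fetches the certificate from each back end directly, flags any that differ from the rest, and then validates each one the way a mail client would. The host names are hypothetical placeholders, and it assumes haproxy passes the TLS connection through to Dovecot unchanged.

```python
import hashlib
import socket
import ssl
from collections import defaultdict

def fetch_leaf_der(host, port=993, timeout=5.0):
    """Return the DER leaf certificate a back end presents, without validating it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def verify_as_client(host, service_name, port=993, timeout=5.0, cafile=None):
    """Validate chain and name as a client would; return None or the verify error."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=service_name):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message

def group_by_fingerprint(certs):
    """Map SHA-256 fingerprint -> sorted back ends presenting that certificate."""
    groups = defaultdict(list)
    for backend, der in certs.items():
        groups[hashlib.sha256(der).hexdigest()].append(backend)
    return {fp: sorted(names) for fp, names in groups.items()}

def outliers(certs):
    """Back ends whose certificate differs from the one most back ends present."""
    groups = group_by_fingerprint(certs)
    if len(groups) < 2:
        return []
    majority = max(groups.values(), key=len)
    return sorted(b for names in groups.values() if names is not majority for b in names)

if __name__ == "__main__":
    BACKENDS = ["backend1.example.net", "backend2.example.net"]  # hypothetical
    SERVICE_NAME = "imap.example.net"  # hypothetical name the clients connect to
    certs = {b: fetch_leaf_der(b) for b in BACKENDS}
    print("back ends with a differing certificate:", outliers(certs))
    for b in BACKENDS:
        print(b, verify_as_client(b, SERVICE_NAME) or "chain OK")
```

A back end listed as differing, or one that returns a verify error while the others return "chain OK", would explain why only some connections fail.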