Hi,
I have made change:
ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
# Create a listener for doveadm-server
service doveadm {
user = vmail
inet_listener {
port = 12345
ssl= yes
}
}
and doveadm_port = 12345 // mail_replica = tcps:server2.domain.ltd # use doveadm_port
And now:
Feb 03 14:11:16 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't load CA certs from directory : error:02001024:system library:fopen:File name too long
Feb 03 14:11:17 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 03 14:11:17 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Thx for your support
On Friday, 3 February 2017 at 11:34:43, you wrote:
> Hello,
> On 02/03/2017 08:51 AM, Thierry wrote:
>> Hello,
>>
>> Still working with my dsync pb.
>> I have done a clone (vmware) of my email server.
>> Today I have two strictly identical emails servers (server1
>> (main) and server2 (bck) (except IP, hostname and mail_replica).
>>
>> The ssl config on my both server:
>>
>> ssl_protocols = !SSLv2 !SSLv3
>> ssl = required
>> verbose_ssl = no
>> ssl_key = </etc/ssl/private/private.key
>> ssl_cert = </etc/ssl/certs/key.crt
>> ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem
> I think it should be ssl_client_ca_file =
> </etc/ssl/certs/GandiStandardSSLCA2.pem for you.
>>
>> This config is working for my email client and my email web
>> interface ...
>>
>> Are they on the right order ?
>>
>> mail_replica = tcps:server1 at domain.ltd and tcps:server2 at domain.ltd
>>
>> There is traffic on my iptables rules on my both servers:
>>
>> 60 3600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4711
>>
>>
>>
>> My error message from server1 (main server):
>>
>> Feb 03 08:38:08 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Feb 03 08:42:35 doveadm(user2 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Feb 03 08:42:35 doveadm(user3 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Feb 03 08:42:35 doveadm(user4 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>
>> No logs from server2
>>
>> Any ideas ?
>>
>> Thx for your support
>>
>>
--
Regards,
Thierry e-mail : lenaigst at maelenn.org
Yes. The ssl_client_ca_file is not actually expecting <, just file name.
Aki
On 2017-02-03 15:13, Thierry wrote:
> Hi,
>
> I have made change:
>
> ssl_protocols = !SSLv2 !SSLv3
> ssl = required
> verbose_ssl = no
> ssl_key = </etc/ssl/private/private.key
> ssl_cert = </etc/ssl/certs/key.crt
> ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
>
> # Create a listener for doveadm-server
> service doveadm {
> user = vmail
> inet_listener {
> port = 12345
> ssl= yes
> }
> }
>
> and doveadm_port = 12345 // mail_replica = tcps:server2.domain.ltd # use doveadm_port
>
> And now:
>
> Feb 03 14:11:16 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't load CA certs from directory : error:02001024:system library:fopen:File name too long
> Feb 03 14:11:17 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
> Feb 03 14:11:17 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>
> Thx for your support
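The mix-up pointed out in the reply above can be caught before reloading Dovecot. The following is an added example, not part of the thread: a small linter with hypothetical function names, run here on constructed sample settings, and it assumes that ssl_cert, ssl_key and ssl_ca take the `<path` form while ssl_client_ca_file and ssl_client_ca_dir take a bare path.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: ssl_client_ca_file and
# ssl_client_ca_dir take a plain path, while ssl_cert, ssl_key and ssl_ca take
# the PEM text itself, so "<path" is needed to read it from a file.

# Reads dovecot.conf-style text on stdin, prints one finding per line and
# returns 1 if anything was found, 0 otherwise.
lint_dovecot_ssl() {
    awk '
    BEGIN { found = 0 }
    {
        line = $0
        sub(/#.*/, "", line)                 # strip trailing comments
        eq = index(line, "=")
        if (eq == 0) next                    # not a "key = value" line
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)     # trim both ends
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key ~ /^ssl_client_ca_(file|dir)$/ && val ~ /^</) {
            print NR ": " key " expects a plain path; remove the leading <"
            found = 1
        } else if (key ~ /^ssl_(cert|key|ca)$/ && val ~ /^\//) {
            print NR ": " key " expects file contents; prefix the path with <"
            found = 1
        }
    }
    END { exit found }'
}

# Constructed sample: the client CA line as posted, plus the reverse mistake.
broken_conf() {
    cat <<'EOF'
ssl = required
ssl_key = </etc/ssl/private/private.key
ssl_cert = /etc/ssl/certs/key.crt
ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem   # as posted
EOF
}

# Constructed sample: the same settings with both mistakes corrected.
fixed_conf() {
    cat <<'EOF'
ssl = required
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem
EOF
}

broken_conf | lint_dovecot_ssl || echo "findings above must be fixed"
fixed_conf | lint_dovecot_ssl && echo "fixed config: no findings"
```

With the `<` prefix on a path-type setting, the contents of the PEM file are used as the file name, which is why the log reports `fopen:File name too long`.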
Please keep responses in list. rm -f /var/lib/dovecot/ssl-parameters.dat, I think it was in that dir.
On 2017-02-03 17:00, Thierry wrote:
> Hi,
>
> I have removed the '<' :
>
> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem
>
> But now:
>
> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>
> Any idea ?
>
> Thx
Hi,
I have removed it on both servers, and on both servers I do have:
ssl-params: Info: Generating SSL parameters
ssl-params: Info: SSL parameters regeneration completed
But still:
Feb 03 16:36:28 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 03 16:36:28 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Thx
On Friday, 3 February 2017 at 17:09:52, you wrote:
> Please keep responses in list. rm -f
> /var/lib/dovecot/ssl-parameters.dat, i think it was in that dir.
--
Regards,
Thierry e-mail : lenaigst at maelenn.org
Hi Aki,
I do not have any error message but (on both servers):
doveadm replicator status '*'
doveadm(root): Fatal: net_connect_unix(/var/run/dovecot/replicator-doveadm) failed: Connection refused
Thx
On Friday, 3 February 2017 at 17:09:52, you wrote:
> Please keep responses in list. rm -f
> /var/lib/dovecot/ssl-parameters.dat, i think it was in that dir.
--
Regards,
Thierry e-mail : lenaigst at maelenn.org