Ralf Hildebrandt
2017-Mar-20 12:30 UTC
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Hi! I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 2:2.2.28-1~auto+8) I now I'm getting an error: Mar 20 13:25:58 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings) I checked, and alas, I had ssl_client_ca_dir = ssl_client_ca_file So I set: ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt But I'm still getting the error above. I addition, dovecot is crashing with SIGSEGV: Mar 20 13:28:23 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings) Mar 20 13:28:23 mproxy dovecot: auth: Error: imapc(email.charite.de:993): No SSL context Mar 20 13:28:23 mproxy dovecot: auth: Error: imap(la***sch,87.77.180.61): Disconnected from server Mar 20 13:28:23 mproxy postfix/submission/smtpd[32682]: warning: zb43d.pia.fu-berlin.de[87.77.180.61]: SASL PLAIN authentication failed: Connection lost to authentication server Mar 20 13:28:23 mproxy dovecot: auth: Fatal: master: service(auth): child 32685 killed with signal 11 (core dumped) -- Ralf Hildebrandt Gesch?ftsbereich IT | Abteilung Netzwerk Charit? - Universit?tsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt at charite.de | http://www.charite.de
Ralf Hildebrandt
2017-Mar-20 13:02 UTC
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>:> Hi! > > I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 2:2.2.28-1~auto+8) I now I'm getting an error:I was able to determine the last working version: 2:2.2.28-1~auto+6 and the first "broken" version: 2:2.2.28-1~auto+7 -- Ralf Hildebrandt Gesch?ftsbereich IT | Abteilung Netzwerk Charit? - Universit?tsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt at charite.de | http://www.charite.de
Ralf Hildebrandt
2017-Mar-20 13:05 UTC
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>:> * Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>: > > Hi! > > > > I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 2:2.2.28-1~auto+8) I now I'm getting an error: > > I was able to determine the last working version: 2:2.2.28-1~auto+6 > and the first "broken" version: 2:2.2.28-1~auto+72:2.2.28-1~auto+7 CHANGES file (http://xi.dovecot.fi/debian/pool/jessie-auto/dovecot-2.2/dovecot_2.2.28-1~auto+7_amd64.changes) says: New revision (a39b5b2852f2) in dovecot Git repository ... - lib-ssl-iostream: Ensure verify_remote_cert is true - lib-ssl-iostream: Fix ambiguity with SSL settings ... I think one of these two could be the culprit -- Ralf Hildebrandt Gesch?ftsbereich IT | Abteilung Netzwerk Charit? - Universit?tsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt at charite.de | http://www.charite.de
Aki Tuomi
2017-Mar-20 14:32 UTC
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
On 20.03.2017 14:30, Ralf Hildebrandt wrote:> ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crtLeave the < out. It is misleading, I know, but it does say file. =) Aki
Ralf Hildebrandt
2017-Mar-20 14:40 UTC
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Aki Tuomi <aki.tuomi at dovecot.fi>:> > > On 20.03.2017 14:30, Ralf Hildebrandt wrote: > > ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt > > Leave the < out. It is misleading, I know, but it does say file. =)Makes no difference: # doveconf |fgrep ssl_client_ca ssl_client_ca_dir = ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt and with auto8 I still get: Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings) Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): No SSL context Mar 20 15:38:20 mproxy dovecot: auth: Error: imap(hildeb,141.42.206.36,<YWuNeipLKLGNKs4k>): Disconnected from server Mar 20 15:38:20 mproxy dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=52992, EOF) Mar 20 15:38:20 mproxy dovecot: auth: Fatal: master: service(auth): child 52990 killed with signal 11 (core dumped) going back to auto6 and everything is peachy again. -- Ralf Hildebrandt Gesch?ftsbereich IT | Abteilung Netzwerk Charit? - Universit?tsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt at charite.de | http://www.charite.de
Maybe Matching Threads
- Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
- Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
- Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
- Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
- Bug with 2.2.29-1~auto+25 back to haunt me