Cyrus and SSL

redhatdude at bellsouth.net redhatdude at bellsouth.net
Sat Dec 9 08:13:55 UTC 2006


On Dec 8, 2006, at 8:04 PM, Craig White wrote:

> On Fri, 2006-12-08 at 12:56 -0500, redhatdude at bellsouth.net wrote:
>> On Dec 8, 2006, at 12:42 PM, Craig White wrote:
>>
>>> On Fri, 2006-12-08 at 05:28 -0500, redhatdude at bellsouth.net wrote:
>>>> This is the error I get when I try to connect to cyrus-imapd using
>>>> ssl.
>>>>
>>>> Dec  8 05:22:43 master[15783]: about to exec /usr/lib/cyrus-imapd/imapd
>>>> Dec  8 05:22:43 imaps[15768]: accepted connection
>>>> Dec  8 05:22:43 imaps[15783]: executed
>>>> Dec  8 05:22:43 imaps[15768]: unable to get certificate from '/etc/pki/cyrus-imapd/cyrus-imapd.pem'
>>>> Dec  8 05:22:43 imaps[15768]: TLS server engine: cannot load cert/key data
>>>> Dec  8 05:22:43 imaps[15768]: error initializing TLS
>>>> Dec  8 05:22:43 imaps[15768]: Fatal error: tls_init() failed
>>>> Dec  8 05:22:43 imaps[15768]: DBERROR db4: Database handles remain at environment close
>>>> Dec  8 05:22:43 imaps[15768]: DBERROR db4: Open database handle: /var/lib/imap/tls_sessions.db
>>>> Dec  8 05:22:43 imaps[15768]: DBERROR: error exiting application: Invalid argument
>>>> Dec  8 05:22:43 master[15756]: process 15768 exited, status 75
>>>> Dec  8 05:22:43 master[15756]: service imaps pid 15768 in BUSY state: terminated abnormally
>>>>
>>>> If I don't use SSL it works fine. I even tried creating my own certs
>>>> and it's just the same.
>>>> Please help.
>>>> EJ
>>> ----
>>> TLS server engine: cannot load cert/key data is certainly a problem
>>> but evidently there is also something very wrong with
>>> /var/lib/imap/tls_sessions.db
>>>
>>> you might want to delete that file and restart cyrus-imapd so it
>>> gets recreated. I would presume that it like all other things
>>> cyrus-imapd should be cyrus:mail ownership and in checking on my
>>> system, that file is 600.
>>>
>>> you might want to check dmesg/syslog/audit.log to see if selinux is
>>> involved in /var/lib/imap/tls_sessions.db issue too.
>>>
>>> Craig
>>>>
>>
>> SELinux is turned off. I deleted /var/lib/imap/tls_sessions.db and
>> cyrus created a new one. I created the certs for cyrus, changed
>> ownership to cyrus:mail and did chmod 600. I'm still having the same
>> problem.
> ----
> hmmm...I don't think you can use cyrus without functioning berkeley db -
> I have annotations.db deliver.db and mailboxes.db in addition to
> tls_sessions.db so if you are similar (i.e. not using skiplist for those
> functions), then the problem would have to be ssl/tls related and not db
> related.
>
> Are you using fedora binary packages?
> Did you rebuild cyrus-imapd from source/source-rpm?
> Did you rebuild openssl from source/source-rpm?
> Are you still getting the message 'cannot load cert/key data'?
>
> Craig


Sorry if I got impatient Craig, my emails take a long time sometimes
to show up on the list and I sent one after the other.

I installed cyrus-imapd using yum, I did nothing to it. Same thing
with openssl, I have what got installed with FC6.
I'm still getting the same messages.
Cyrus-imapd works fine as long as I don't try to connect to it on
port 993 (SSL). So I don't think berkeleydb is the problem if
cyrus-imapd works fine authenticating my virtual users without using SSL.
Cyrus just seems to not want to take the certs.
Thanks, I appreciate your help.
EJ
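
Added example, not part of the original thread: a Python check of the preconditions discussed above for the PEM file named in the log (directory search permission, file readability for the service account, mode no wider than 600, and presence of both a certificate and a private key block). It assumes the single PEM file is meant to hold both certificate and key; the function names and the sample data are constructed for illustration.

```python
import os
import re
import stat

# One PEM block; group 1 is its label ("CERTIFICATE", "RSA PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s.*?-----END \1-----", re.S)

def has_perm(st, uid, gids, want):
    """Mode-bit check only (4 = read, 1 = search); ACLs and SELinux are not modelled."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool((st.st_mode >> 6) & want)
    if st.st_gid in gids:
        return bool((st.st_mode >> 3) & want)
    return bool(st.st_mode & want)

def check_tls_pem(path, uid, gids):
    """List reasons the account (uid, gids) may fail to load cert and key from path."""
    path = os.path.abspath(path)
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"{path}: {exc.strerror}"]
    problems = []
    parent = os.path.dirname(path)
    while True:  # every directory above the file must be searchable by the account
        if not has_perm(os.stat(parent), uid, gids, 1):
            problems.append(f"{parent}: not searchable by uid {uid}")
        if parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    if not has_perm(st, uid, gids, 4):
        problems.append(f"{path}: not readable by uid {uid}")
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):o} is wider than 600")
    try:
        with open(path, errors="replace") as fh:
            labels = [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]
    except OSError as exc:
        return problems + [f"{path}: {exc.strerror}"]
    if "CERTIFICATE" not in labels:
        problems.append(f"{path}: no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append(f"{path}: no PRIVATE KEY block")
    return problems

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a file holding only a certificate block, no key.
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as tmp:
        tmp.write("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
        tmp.flush()
        print(check_tls_pem(tmp.name, os.getuid(), {os.getgid()}))
```

On the mail host, pass the service account's uid and group ids (for example from `pwd.getpwnam("cyrus")` and `os.getgrouplist`) rather than those of the user running the script.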



