Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Aki Tuomi:

> > Still there in auto11
> >
> Yes, we have not gotten round fixing it. Did you remove < from the path?

Of course :)

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
On 23.03.2017 11:59, Ralf Hildebrandt wrote:
> * Ralf Hildebrandt:
>
>> Mar 20 16:10:17 mproxy dovecot: master: Dovecot v2.2.devel (a39b5b2) starting up for imap
>> Mar 20 16:10:26 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Mar 20 16:10:26 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): No SSL context
>> Mar 20 16:10:26 mproxy dovecot: auth: Error: imap(hildeb,141.42.206.36,): Disconnected from server
>> Mar 20 16:10:26 mproxy dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=1747, EOF)
>> Mar 20 16:10:26 mproxy dovecot: auth: Fatal: master: service(auth): child 1748 killed with signal 11 (core dumped)
> Still there in auto11
>

Yes, we have not gotten round fixing it. Did you remove < from the path?

Aki
Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Ralf Hildebrandt:

> Mar 20 16:10:17 mproxy dovecot: master: Dovecot v2.2.devel (a39b5b2) starting up for imap
> Mar 20 16:10:26 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
> Mar 20 16:10:26 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): No SSL context
> Mar 20 16:10:26 mproxy dovecot: auth: Error: imap(hildeb,141.42.206.36,): Disconnected from server
> Mar 20 16:10:26 mproxy dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=1747, EOF)
> Mar 20 16:10:26 mproxy dovecot: auth: Fatal: master: service(auth): child 1748 killed with signal 11 (core dumped)

Still there in auto11

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Ralf Hildebrandt:
> * Aki Tuomi:
> >
> > Could you send us the gdb bt full backtrace for the core file?
> >
> Currently I can't get it to create coredumps

Got a coredump and backtrace:

=
Mar 20 16:10:17 mproxy dovecot: master: Dovecot v2.2.devel (a39b5b2) starting up for imap
Mar 20 16:10:26 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Mar 20 16:10:26 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): No SSL context
Mar 20 16:10:26 mproxy dovecot: auth: Error: imap(hildeb,141.42.206.36,): Disconnected from server
Mar 20 16:10:26 mproxy dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=1747, EOF)
Mar 20 16:10:26 mproxy dovecot: auth: Fatal: master: service(auth): child 1748 killed with signal 11 (core dumped)

and the backtrace:

# gdb -q /usr/lib/dovecot/auth 1748
Reading symbols from /usr/lib/dovecot/auth...Reading symbols from /usr/lib/debug/.build-id/7a/66f9b5902485fd23f1f3dbab6479c1214f4ef1.debug...done.
done.
Attaching to program: /usr/lib/dovecot/auth, process 1748
ptrace: No such process.
[New LWP 1748]
Core was generated by dovecot/auth'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x7f61e2af2226 in array_append_i (count=, data=, array=) at ../../src/lib/array.h:168
168../../src/lib/array.h: No such file or directory.
(gdb) bt full
#0 0x7f61e2af2226 in array_append_i (count=, data=, array=) at ../../src/lib/array.h:168
No locals.
#1 imapc_connection_abort_commands_array (cmd_array=cmd_array@entry=0x557d24fbcea0, dest_array=dest_array@entry=0x7ffef84bf690, only_box=only_box@entry=0x0, keep_retriable=keep_retriable@entry=false) at imapc-connection.c:289
        cmd = 0x41
        i = 0
#2 0x7f61e2af251a in imapc_connection_abort_commands (conn=0x557d24fbcdc0, only_box=0x0, keep_retriable=) at imapc-connection.c:303
        cmdp =
        cmd =
        tmp_array = {arr = {buffer = 0x557d24f82960, element_size = 8}, v = 0x557d24f82960, v_modifiable = 0x557d24f82960}
        reply = {state = IMAPC_COMMAND_STATE_DISCONNECTED, resp_text_key = 0x0, resp_text_value = 0x0, text_full = 0x7f61e2af6316 "Disconnected from server", text_without_resp = 0x7f61e2af6316 "Disconnected from server"}
#3 0x7f61e39e6a92 in io_loop_call_io (io=0x557d24f9bcd0) at ioloop.c:599
        ioloop = 0x557d24f8a810
        t_id = 2
        __FUNCTION__ = "io_loop_call_io"
#4 0x7f61e39e80ea in io_loop_handler_run_internal (ioloop=ioloop@entry=0x557d24f8a810) at ioloop-epoll.c:223
        ctx = 0x557d24f92310
        io =
        tv = {tv_sec = 29, tv_usec = 999177}
        events_count =
        msecs =
        ret = 1
        i = 0
        j =
        call =
        __FUNCTION__ = "io_loop_handler_run_internal"
#5 0x7f61e39e6b2c in io_loop_handler_run (ioloop=ioloop@entry=0x557d24f8a810) at ioloop.c:648
No locals.
#6 0x7f61e39e6cd8 in io_loop_run (ioloop=0x557d24f8a810) at ioloop.c:623
        __FUNCTION__ = "io_loop_run"
#7 0x7f61e396e7d3 in master_service_run (service=0x557d24f8a6b0, callback=) at master-service.c:641
No locals.
#8 0x557d2303f31e in main (argc=1, argv=0x557d24f8a390) at main.c:400
        c =
(gdb)

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Aki Tuomi:

> Could you send us the gdb bt full backtrace for the core file?

Currently I can't get it to create coredumps

doveconf -n:

# 2.2.devel (3f97702): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.devel (023f391)
# OS: Linux 4.4.0-65-generic x86_64 Ubuntu 16.04.2 LTS
auth_mechanisms = plain login
default_vsz_limit = 1 G
imapc_host = exchange-imap.charite.de
imapc_port = 993
imapc_ssl = imaps
imapc_ssl_verify = no
listen = *,::
mail_gid = imapproxy
mail_home = /home/imapproxy/%u
mail_location = imapc:~/imapc
mail_plugins = mail_log notify
mail_uid = imapproxy
passdb {
  args = host=exchange-imap.charite.de port=993 ssl=imaps
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w userdb_imapc_host=exchange-imap.charite.de userdb_imapc_ssl=imaps userdb_imapc_port=993
  driver = imap
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap
service auth {
  inet_listener {
    address = 127.0.0.1
    port = 12345
  }
}
ssl = required
ssl_ca = http://www.charite.de
Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
On 20.03.2017 16:40, Ralf Hildebrandt wrote:
> * Aki Tuomi:
>>
>> On 20.03.2017 14:30, Ralf Hildebrandt wrote:
>>> ssl_client_ca_file =
> Leave the < out. It is misleading, I know, but it does say file. =)
> Makes no difference:
>
> # doveconf |fgrep ssl_client_ca
> ssl_client_ca_dir =
> ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
>
> and with auto8 I still get:
>
> Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
> Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): No SSL context
> Mar 20 15:38:20 mproxy dovecot: auth: Error: imap(hildeb,141.42.206.36,): Disconnected from server
> Mar 20 15:38:20 mproxy dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=52992, EOF)
> Mar 20 15:38:20 mproxy dovecot: auth: Fatal: master: service(auth): child 52990 killed with signal 11 (core dumped)
>
> going back to auto6 and everything is peachy again.
>

Hi!

Could you send us the gdb bt full backtrace for the core file? Also, can you send doveconf -n?

Aki
Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Aki Tuomi:
>
>
> On 20.03.2017 14:30, Ralf Hildebrandt wrote:
> > ssl_client_ca_file =
> Leave the < out. It is misleading, I know, but it does say file. =)

Makes no difference:

# doveconf |fgrep ssl_client_ca
ssl_client_ca_dir =
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt

and with auto8 I still get:

Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Mar 20 15:38:20 mproxy dovecot: auth: Error: imapc(exchange-imap.charite.de:993): No SSL context
Mar 20 15:38:20 mproxy dovecot: auth: Error: imap(hildeb,141.42.206.36,): Disconnected from server
Mar 20 15:38:20 mproxy dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=52992, EOF)
Mar 20 15:38:20 mproxy dovecot: auth: Fatal: master: service(auth): child 52990 killed with signal 11 (core dumped)

going back to auto6 and everything is peachy again.

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
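
A preflight check for the ssl_client_ca_* settings discussed in this thread, as an added example that is not part of any poster's message and not Dovecot's own code: it reads `doveconf` output on stdin and flags the cases that leave the imapc client without trusted CAs (both settings empty, a `<`-prefixed file path, an unreadable or certificate-free file). The function names `conf_value` and `check_client_ca` are made up for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Assumed usage:
#   doveconf | check_client_ca

# Print the value of setting $1 from doveconf-style "key = value" text in $2.
conf_value() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Read doveconf output on stdin; return 0 if usable CA material is configured.
check_client_ca() {
    conf=$(cat)
    ca_file=$(conf_value ssl_client_ca_file "$conf")
    ca_dir=$(conf_value ssl_client_ca_dir "$conf")
    rc=0

    if [ -z "$ca_file" ] && [ -z "$ca_dir" ]; then
        echo "FAIL: neither ssl_client_ca_file nor ssl_client_ca_dir is set"
        return 1
    fi
    # The thread's advice: this setting takes a plain path, no leading '<'.
    case $ca_file in
        '<'*)
            echo "FAIL: ssl_client_ca_file starts with '<'; it takes a plain path"
            return 1 ;;
    esac
    if [ -n "$ca_file" ]; then
        if [ ! -r "$ca_file" ]; then
            echo "FAIL: ssl_client_ca_file '$ca_file' is not readable"
            rc=1
        elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file"; then
            echo "FAIL: '$ca_file' contains no PEM certificate"
            rc=1
        fi
    fi
    if [ -n "$ca_dir" ] && [ ! -d "$ca_dir" ]; then
        echo "FAIL: ssl_client_ca_dir '$ca_dir' is not a directory"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: ssl_client_ca_* settings point at CA material"
    return "$rc"
}
```

In the thread the configured path was valid and the error persisted across the same configuration, so a passing check here points away from the configuration and toward the package change between auto+6 and auto+7.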
Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
On 20.03.2017 14:30, Ralf Hildebrandt wrote:
> ssl_client_ca_file =
Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Ralf Hildebrandt:
> * Ralf Hildebrandt:
> > Hi!
> >
> > I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to
> > 2:2.2.28-1~auto+8) and now I'm getting an error:
>
> I was able to determine the last working version: 2:2.2.28-1~auto+6
> and the first "broken" version: 2:2.2.28-1~auto+7

2:2.2.28-1~auto+7 CHANGES file
(http://xi.dovecot.fi/debian/pool/jessie-auto/dovecot-2.2/dovecot_2.2.28-1~auto+7_amd64.changes)
says:

New revision (a39b5b2852f2) in dovecot Git repository
...
- lib-ssl-iostream: Ensure verify_remote_cert is true
- lib-ssl-iostream: Fix ambiguity with SSL settings
...

I think one of these two could be the culprit

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Ralf Hildebrandt:
> Hi!
>
> I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to
> 2:2.2.28-1~auto+8) and now I'm getting an error:

I was able to determine the last working version: 2:2.2.28-1~auto+6
and the first "broken" version: 2:2.2.28-1~auto+7

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de