Connection to storage server failed.



  • Hi, I installed Kolab 16 on CentOS 7.
    It worked fine at first, but since I installed my Server Certificate, I can't login to roundcubemail anymore.
    It says: "Connection to storage server failed"

    I can still log on to the Kolab Web Admin Panel over https, though.
    When I remove the 80>443-rewrite-part in the apache config and try to log on with http instead, I get the same error.

    Where should I start looking for the problem?

    If I enter kolab lm, I get:
    2016-05-03 14:41:53,540 pykolab.imap WARNING Could not connect to Cyrus IMAP server 'imaps://localhost:993'

    Thanks for reading,
    Roland.

    EDIT:
    kolab-saslauthd is running, testsaslauthd -u cyrus-admin -p 'xx' works also, but the service dirsrv@kolab is not running and can't be started:

    May 03 15:08:19 master.xx.net systemd[1]: Failed to load environment files: No such file or directory
    May 03 15:08:19 master.xx.net systemd[1]: dirsrv@kolab.service failed to run 'start' task: No such file or directory
    May 03 15:08:19 master.xx.net systemd[1]: Failed to start 389 Directory Server kolab..

    EDIT2:
    The LDAP service seems ok, too. I did a
    systemctl status dirsrv@master
    which is fine. I guess I don't need that other dirsrv@kolab, do I?



  • #cat /var/log/dirsrv/slapd-kolab/errors
    Replace slapd-kolab with slapd-[yourinstance] in this command.

    #cat /var/log/roundcubemail/errors

    #cat /var/log/maillog

    #netstat -nlpt



  • slapd and roundcube don't show any errors.

    This is the maillog:

    May 3 16:24:12 master imaps[15339]: unable to get certificate from '/etc/letsencrypt/live/master.x.net/cert.pem'
    May 3 16:24:12 master imaps[15339]: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?
    May 3 16:24:12 master imaps[15339]: error initializing TLS

    Actually, this is the first time I'm trying to get a certificate into IMAPS, so that might be the problem. ;-) In Apache I needed to add the Chain-File as well, but I don't know how to do that in the imapd.conf.

    [root@master etc]# netstat -nlpt
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 2620/amavisd (maste
    tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 2457/mongod
    tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 1423/master
    tcp 0 0 127.0.0.1:9993 0.0.0.0:* LISTEN 1230/cyrus-master
    tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 2551/python
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 991/mysqld
    tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 1423/master
    tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 1423/master
    tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 530/beam.smp
    tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN 608/epmd
    tcp 0 0 0.0.0.0:60471 0.0.0.0:* LISTEN 530/beam.smp
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1423/master
    tcp 0 0 0.0.0.0:30333 0.0.0.0:* LISTEN 533/sshd
    tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN 1230/cyrus-master
    tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 530/beam.smp
    tcp6 0 0 ::1:10024 :::* LISTEN 2620/amavisd (maste
    tcp6 0 0 :::587 :::* LISTEN 1423/master
    tcp6 0 0 :::8080 :::* LISTEN 547/node
    tcp6 0 0 :::80 :::* LISTEN 529/httpd
    tcp6 0 0 :::25 :::* LISTEN 1423/master
    tcp6 0 0 :::443 :::* LISTEN 529/httpd
    tcp6 0 0 :::30333 :::* LISTEN 533/sshd
    tcp6 0 0 :::4190 :::* LISTEN 1230/cyrus-master
    tcp6 0 0 :::389 :::* LISTEN 2393/ns-slapd



  • cyrus and 389ds are up and listening on their ports, all OK here.
    Let's play with certs.

    Show the configs and the places where you wrote the path to the SSL certs.
    Did you install it for Apache only? Or for Postfix? For Cyrus or..?
    And could you also make a simple pair of key/cert files without the bundle?



  • It works now.
    I copied the certs to another directory, where everyone has access and changed the imapd.conf.
    However, that's not the way to do it.

    How do I make the cyrus daemon get access to my certs-directory?

    I installed the certs correctly in Apache and it seems to work in Cyrus now as well (except for the access part) and I also changed the postfix conf, but I didn't check if that works correctly yet.



  • @rolandg said:

    How do I make the cyrus daemon get access to my certs-directory?

    Cyrus has 2 config files:
    /etc/cyrus.conf
    /etc/imapd.conf

    Just write path to your certs in imapd.conf



  • Well, that's what I did, of course.
    Just didn't work out of the box with the letsencrypt certificates.

    I added some ACLs, so that the user cyrus can access them and it works now.

    Thanks for helping!



  • @rolandg: Can you please tell me what it was exactly for you?

    Looks like I have the same error.

    Postfix - Check
    Apache - Check
    Cyrus - still delivers the localhost.localdomain cert and brings the error in the maillog:
    May 23 21:35:27 post imaps[6007]: unable to get private key from '/etc/letsencrypt/live/post.example.org/privkey.pem'
    May 23 21:35:27 post imaps[6007]: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?
    May 23 21:35:27 post imaps[6007]: error initializing TLS



  • What I did was the following:

    setfacl -m u:cyrus:r cert.pem
    setfacl -m u:cyrus:r privkey.pem

    Then you can check if cyrus can access the key with:

    su -s /bin/bash cyrus -c "cat /etc/letsencrypt/live/mail.example.com/privkey.pem"

    Today I had the error again.
    I updated the server and I rebooted it, and now it works - don't know what's wrong with it ... ;-)
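
Added example, not part of the thread: a POSIX shell function that walks a certificate or key path one component at a time and reports the first directory or file the current user cannot search or read, following a symlinked final component such as the entries under /etc/letsencrypt/live/. The names first_blocked and check_access.sh are assumptions; run it as the service user in the same way as the su check above.

```shell
#!/bin/sh
# Added example (not from the thread). Run as the service account, e.g.:
#   su -s /bin/sh cyrus -c 'sh check_access.sh <cert path> <key path>'
# first_blocked FILE prints "ok: <file>" and returns 0, or prints the first
# blocking component and returns 1.
first_blocked() {
    target=$1
    hops=0
    while [ "$hops" -lt 16 ]; do
        case $target in /*) ;; *) target=$PWD/$target ;; esac
        dir=
        rest=${target#/}
        # Every parent directory needs search (x) permission for this user.
        while [ "${rest#*/}" != "$rest" ]; do
            dir=$dir/${rest%%/*}
            rest=${rest#*/}
            if [ ! -e "$dir" ]; then
                echo "missing or unreachable: $dir"; return 1
            elif [ ! -x "$dir" ]; then
                echo "no search permission: $dir"; return 1
            fi
        done
        file=$dir/$rest
        if [ -L "$file" ]; then
            # Final component is a symlink: restart the walk on its target,
            # because the target's own parent directories must be searchable too.
            link=$(readlink "$file")
            case $link in /*) target=$link ;; *) target=$dir/$link ;; esac
            hops=$((hops + 1))
            continue
        fi
        if [ ! -e "$file" ]; then
            echo "missing: $file"; return 1
        elif [ ! -r "$file" ]; then
            echo "no read permission: $file"; return 1
        fi
        echo "ok: $file"; return 0
    done
    echo "too many symlinks: $1"; return 1
}

# Check every file named on the command line (the paths set in imapd.conf).
for f in "$@"; do first_blocked "$f"; done
```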

