
TLS server engine: cannot load CA data

This problem appears elsewhere in this forum but it looks like no one has an answer for it. Does anyone have any idea what causes this:

10.4.8 clients and server. Self signed SSL certificate. Firewall open on port 995. Try to connect using www.domain.com:995/webmail and servername.domain.com:995/webmail. Server response: * BYE Fatal error: tls startservertls() failed - and of course no connection. Log below.

Any idea how to resolve this? Thanks for your time - Erich

Nov 23 00:17:56 mail imaps[4836]: TLS server engine: cannot load CA data
Nov 23 00:17:56 mail imaps[4836]: imaps TLS negotiation failed: pool-71-162-240-210.phlapa.fios.verizon.net [71.162.240.210]
Nov 23 00:17:56 mail imaps[4836]: Fatal error: tls startservertls() failed
Nov 23 00:17:56 mail imaps[4837]: TLS server engine: cannot load CA data
Nov 23 00:17:56 mail imaps[4837]: imaps TLS negotiation failed: pool-71-162-240-210.phlapa.fios.verizon.net [71.162.240.210]
Nov 23 00:17:56 mail imaps[4837]: Fatal error: tls startservertls() failed

G5 DP 2.3, Mac OS X (10.4.8)

Posted on Nov 23, 2006 6:52 PM


Nov 24, 2006 3:39 AM in response to Erich Wetzel

Why are you trying to connect to webmail over port 995?
995 is to be used by a POP client for a secure connection. IMAP would be 993, but again for a connection by an IMAP client. In other words, webmail will use 993 to connect to the IMAP server (if set up properly).

However the user should still connect via port 80 (or 443 for website SSL) to webmail.

What you are doing is trying to connect with a web browser to a POP server. Will not work (unless you have changed all your ports, which would not be a good idea).

Alex

Nov 24, 2006 5:37 AM in response to pterobyte

Good point. In my haste, I typed the wrong port number. Everything above still applies but with a connection on port 993.

Trying to do this directly to see if the connection works before redirecting webmail to 993 from 443 website SSL currently being used.

Just want to get set up in a "standard" way so that changes or adjustments will be similar to what others with "standard" setups see.

Another point, the TLS error lines also show up in the POP log.

Nov 24, 2006 5:56 AM in response to Erich Wetzel

Good point. In my haste, I typed the wrong port number. Everything above still applies but with a connection on port 993.

Even so, we are talking different protocols here.
Use a client or telnet to test.

Trying to do this directly to see if the connection works before redirecting webmail to 993 from 443 website SSL currently being used.

Webmail should not be redirected!
Browser-Port443-SquirrelMail-Port993-IMAP server.

Besides, if SquirrelMail and Cyrus are on the same server, using SSL from SquirrelMail to IMAP is pointless as there is no network traffic. It only makes sense for IMAP clients that connect over a network.

Jan 1, 2007 11:51 PM in response to Erich Wetzel

I'm experiencing the same problem and really need a solution. The situation: looking to get secure imap up, we're open on port 993

$ netstat -an | egrep "\*.993"
tcp4 0 0 *.993 . LISTEN
tcp6 0 0 *.993 . LISTEN

and we've got cyrus waiting for connections:

$ lsof -i | egrep imaps
master 5961 cyrusimap 14u IPv6 0x360ad1c 0t0 TCP *:imaps (LISTEN)
master 5961 cyrusimap 17u IPv4 0x3b6a018 0t0 TCP *:imaps (LISTEN)

we've got a self-signed certificate created in Server Admin, and also via SA, we direct the mail service to use that certificate (i.e., the tls certfile and tls keyfile entries in /etc/imapd.conf are pointing the corresponding entries in /etc/certificates). But then: attempts to connect via a client (Mail.app) generate the following in /var/log/mailaccess.log:

Jan 1 23:38:18 tamarama master[5968]: about to exec /usr/bin/cyrus/bin/imapd
Jan 1 23:38:18 tamarama imaps[5968]: executed
Jan 1 23:38:18 tamarama imaps[5968]: accepted connection
Jan 1 23:38:18 tamarama imaps[5968]: TLS server engine: cannot load CA data
Jan 1 23:38:18 tamarama imaps[5968]: imaps TLS negotiation failed: XXX.stanford.edu [171.66.XXX.XXX]
Jan 1 23:38:18 tamarama imaps[5968]: Fatal error: tls startservertls() failed
Jan 1 23:38:18 tamarama imaps[5968]: AOD: user opts: cleaning up user options structure
Jan 1 23:38:18 tamarama master[5961]: process 5968 exited, status 75
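Two checks that follow from this thread, as an added example (this is not code from Apple, Cyrus or any poster here). The first reads the tls_* entries from an imapd.conf like the one described above and asks OpenSSL, through Python's ssl module, to load the certificate, key and CA material the way a TLS server would; this is the step whose failure Cyrus logs as "TLS server engine: cannot load CA data". The second does what the earlier reply suggests ("use a client or telnet to test") for an implicit-TLS port such as 993 or 995: a plain TLS handshake that reports the served certificate's fingerprint or the handshake error, which is what a browser aimed at those ports cannot show you. tls_cert_file and tls_key_file are named in the post; tls_ca_file and tls_ca_path are assumed to be the Cyrus options that feed the CA-loading step, and the Default.crt file name and all sample contents are constructed.

```python
"""Diagnose the TLS file settings behind a Cyrus "cannot load CA data" error.

Added example for this thread (not Apple's, Cyrus's or a poster's code).
Run it as the user the IMAP daemon runs as (lsof above shows "cyrusimap"),
because a root-readable key that cyrus cannot open looks fine to root.
"""
import hashlib
import os
import socket
import ssl
import sys
import tempfile

# tls_cert_file / tls_key_file are in the post; the two CA options are assumed
# to be the Cyrus settings consumed by the CA-loading step that fails here.
TLS_KEYS = ("tls_cert_file", "tls_key_file", "tls_ca_file", "tls_ca_path")


def parse_imapd_conf(text):
    """Return {option: value} for 'option: value' lines; comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_tls_files(conf):
    """Return a list of findings; an empty list means the TLS files load."""
    findings = []
    for key in TLS_KEYS:
        path = conf.get(key)
        if not path:
            continue
        if not os.path.exists(path):
            findings.append(f"{key}: {path} does not exist")
        elif not os.access(path, os.R_OK):
            findings.append(f"{key}: {path} is not readable by this user")
    if findings:            # no point asking OpenSSL about files we cannot open
        return findings
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    cert, key = conf.get("tls_cert_file"), conf.get("tls_key_file")
    if cert:
        try:                # fails on unparsable PEM or a key that does not match
            ctx.load_cert_chain(cert, key or None)
        except (ssl.SSLError, OSError) as e:
            findings.append(f"certificate/key pair rejected: {e}")
    ca_file, ca_path = conf.get("tls_ca_file"), conf.get("tls_ca_path")
    if ca_file or ca_path:
        try:                # same OpenSSL call a server uses to load its CA data
            ctx.load_verify_locations(cafile=ca_file, capath=ca_path)
        except (ssl.SSLError, OSError) as e:
            findings.append(f"CA data rejected: {e}")
    return findings


def probe_tls_service(host, port, timeout=5):
    """Handshake on an implicit-TLS port (993 IMAPS, 995 POP3S).

    Returns the served certificate's SHA-256 fingerprint, or the error text.
    Verification is disabled so a self-signed certificate still completes; a
    server that gives up before TLS (the "* BYE" in the thread) is sent in
    clear text, which shows up here as a handshake failure.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return "sha256:" + hashlib.sha256(der).hexdigest()
    except OSError as e:    # ssl.SSLError is a subclass of OSError
        return f"handshake failed: {e}"


def demo():
    """Two constructed failure cases; returns (missing_key, garbage_pem) findings."""
    with tempfile.TemporaryDirectory() as d:
        cert = os.path.join(d, "Default.crt")          # constructed, not a real cert
        with open(cert, "w") as f:
            f.write("this is not a PEM certificate\n")
        conf1 = parse_imapd_conf(f"tls_cert_file: {cert}\ntls_key_file: {d}/missing.key\n")
        missing = check_tls_files(conf1)
        conf2 = parse_imapd_conf(
            f"tls_cert_file: {cert}\ntls_key_file: {cert}\ntls_ca_file: {cert}\n")
        garbage = check_tls_files(conf2)
    return missing, garbage


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. python3 check_tls.py /etc/imapd.conf
        with open(sys.argv[1]) as f:
            for line in check_tls_files(parse_imapd_conf(f.read())) or ["TLS files load OK"]:
                print(line)
    else:
        for case in demo():
            print(case)
```

A clean run against the real /etc/imapd.conf, followed by probe_tls_service(host, 993) returning a fingerprint, means the daemon has usable certificate, key and CA files and is actually completing handshakes on the IMAPS port; a finding on the CA entry points at the same condition the log lines above report.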
