
Guam SSL error: certificate unknown
Open, High, Public

Description

Hi All,

Could you suggest on the below error? I'm not able to understand it.

> /var/log/guam/console.log <

2020-02-11 18:26:06.759 [error] <0.4317.0> SSL: certify: ssl_alert.erl:88:Fatal error: certificate unknown

> /var/log/guam/error.log <

2020-02-11 18:26:06.759 [error] <0.4317.0> SSL: certify: ssl_alert.erl:88:Fatal error: certificate unknown

> /var/log/guam/console.log <

2020-02-11 18:26:06.759 [error] <0.4282.0> gen_server <0.4282.0> terminated with reason: no match of right hand value {error,{tls_alert,"certificate unknown"}} in kolab_guam_session:accept_client/1 line 154

> /var/log/guam/error.log <

2020-02-11 18:26:06.759 [error] <0.4282.0> gen_server <0.4282.0> terminated with reason: no match of right hand value {error,{tls_alert,"certificate unknown"}} in kolab_guam_session:accept_client/1 line 154

> /var/log/guam/console.log <

2020-02-11 18:26:06.760 [error] <0.4282.0> CRASH REPORT Process <0.4282.0> with 0 neighbours exited with reason: no match of right hand value {error,{tls_alert,"certificate unknown"}} in kolab_guam_session:accept_client/1 line 154 in gen_server:terminate/7 line 812

> /var/log/guam/error.log <

2020-02-11 18:26:06.760 [error] <0.4282.0> CRASH REPORT Process <0.4282.0> with 0 neighbours exited with reason: no match of right hand value {error,{tls_alert,"certificate unknown"}} in kolab_guam_session:accept_client/1 line 154 in gen_server:terminate/7 line 812

> /var/log/guam/console.log <

2020-02-11 18:26:06.760 [error] <0.422.0> Supervisor {<0.422.0>,kolab_guam_listener} had child session started with {kolab_guam_session,start_link,undefined} at <0.4282.0> exit with reason no match of right hand value {error,{tls_alert,"certificate unknown"}} in kolab_guam_session:accept_client/1 line 154 in context child_terminated

> /var/log/guam/error.log <

2020-02-11 18:26:06.760 [error] <0.422.0> Supervisor {<0.422.0>,kolab_guam_listener} had child session started with {kolab_guam_session,start_link,undefined} at <0.4282.0> exit with reason no match of right hand value {error,{tls_alert,"certificate unknown"}} in kolab_guam_session:accept_client/1 line 154 in context child_terminated

> /var/log/guam/console.log <

2020-02-11 18:26:08.028 [error] <0.4327.0> SSL: certify: ssl_alert.erl:88:Fatal error: certificate unknown

> /var/log/guam/error.log <

2020-02-11 18:26:08.028 [error] <0.4327.0> SSL: certify: ssl_alert.erl:88:Fatal error: certificate unknown

Thanks,
Narendra L

Details

Ticket Type
Task

Event Timeline

laga423 created this task. Feb 20 2020, 7:45 AM
laga423 lowered the priority of this task from Needs Triage to High. Feb 27 2020, 5:42 PM

You need to supply Guam with a valid X.509 certificate (issued by Let's Encrypt, for example) and adapt the tls_config section of /etc/guam/sys.config accordingly.

Example excerpt from that file:

tls_config, [
    { certfile, "/etc/letsencrypt/live/example.org/fullchain.pem" },
    { cacertfile, "/etc/letsencrypt/live/example.org/fullchain.pem" },
    { keyfile, "/etc/letsencrypt/live/example.org/privkey.pem" }
]

Here's an example of a more complex tls_config I use on my servers (using certbot + letsencrypt):

tls_config, [
    { certfile, "/etc/letsencrypt/live/imap.example.net/cert.pem" },
    { cacertfile, "/etc/letsencrypt/live/imap.example.net/chain.pem" },
    { keyfile, "/etc/letsencrypt/live/imap.example.net/privkey.pem" },
    { dhfile, "/etc/ssl/private/dh2048.pem" },
    { versions, ['tlsv1.2', 'tlsv1.1', tlsv1] },
    { honor_cipher_order, true },
    {
        ciphers, [
            "ECDHE-ECDSA-AES256-SHA384",
            "ECDHE-RSA-AES256-SHA384",
            "ECDH-ECDSA-AES256-SHA384",
            "ECDH-RSA-AES256-SHA384",
            "DHE-RSA-AES256-SHA256",
            "AES256-SHA256",
            "ECDHE-ECDSA-AES128-SHA256",
            "ECDHE-RSA-AES128-SHA256",
            "ECDH-ECDSA-AES128-SHA256",
            "ECDH-RSA-AES128-SHA256",
            "DHE-RSA-AES128-SHA256",
            "AES128-SHA256",
            "ECDHE-ECDSA-AES256-SHA",
            "ECDHE-RSA-AES256-SHA",
            "DHE-RSA-AES256-SHA",
            "ECDH-ECDSA-AES256-SHA",
            "ECDH-RSA-AES256-SHA",
            "AES256-SHA",
            "ECDHE-ECDSA-AES128-SHA",
            "ECDHE-RSA-AES128-SHA",
            "DHE-RSA-AES128-SHA",
            "ECDH-ECDSA-AES128-SHA",
            "ECDH-RSA-AES128-SHA",
            "AES128-SHA"
        ]
    }
]
pasik added a subscriber: pasik. Apr 3 2020, 5:56 PM
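
A pre-flight check for the three files named in tls_config, added here as an example (it is not from this ticket or from the Guam project). The function name check_guam_tls and its return codes are assumptions; it relies only on the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not Guam code): verify that certfile, cacertfile and keyfile
# from tls_config are readable, current, and consistent with each other.
# Usage: check_guam_tls CERTFILE CACERTFILE KEYFILE
check_guam_tls() {
    cert=$1; chain=$2; key=$3

    # 1. Every file must be readable by the account running the check
    #    (run it as the user Guam runs as to catch permission problems).
    for f in "$cert" "$chain" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done

    # 2. The leaf certificate must still be valid 24 hours from now.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 ||
        { echo "FAIL: $cert is expired or expires within 24h"; return 2; }

    # 3. The private key must belong to the certificate: compare a digest
    #    of the public key extracted from each file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert"; return 3; }

    # 4. cacertfile must contain the certificate that issued the leaf.
    #    -partial_chain accepts an intermediate (e.g. chain.pem) as the anchor.
    openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert is not issued by a certificate in $chain"; return 4; }

    echo "OK: $cert, $chain and $key are consistent"
    return 0
}

# Example call with the paths from the second excerpt above:
# check_guam_tls /etc/letsencrypt/live/imap.example.net/cert.pem \
#                /etc/letsencrypt/live/imap.example.net/chain.pem \
#                /etc/letsencrypt/live/imap.example.net/privkey.pem
```

When certfile and cacertfile both point at the same fullchain.pem, as in the first excerpt, step 4 passes trivially because the leaf itself is in the trust file; the cert.pem/chain.pem split exercises the issuer check properly.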