SSL is not working: write:errno=104 no peer certificate available No client certificate CA names sent

Created: 2016-11-16 13:22:10 UTC

Modified: 2017-08-16 22:25:34 UTC


Applicable to:

  • Plesk 12.5 for Linux
  • Plesk 11.x for Linux

Symptoms

Unable to connect over SSL; the connection attempt fails with the following error message:

# openssl s_client -connect <address>:993 -crlf
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

OR

# openssl s_client -connect <address>:995 -crlf
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Cause

An incorrect certificate is used for the IMAP/POP3 server.

Resolution

  1. Check which certificate is in use by Courier-IMAP:

    # grep 'TLS_CERTFILE' /etc/courier-imap/imapd-ssl
    TLS_CERTFILE=/usr/share/courier-imap/imapd.pem

    # grep 'TLS_TRUSTCERTS' /etc/courier-imap/pop3d-ssl
    TLS_TRUSTCERTS=/usr/share/courier-pop3d/pop3d.pem
  2. Check the content of this certificate file:

    # cat /usr/share/courier-imap/imapd.pem
    -----BEGIN DH PARAMETERS-----
    MEYCQQCNzLSn7W8kIu6jgtc9W9i5Bz5uft2xlVegIOqZscP+MYcXm7jU0wstUKUP
    b9UZJmSGAIiIM/qK9aHCBA9w5cYjAgEC
    -----END DH PARAMETERS-----

    A correct certificate file should begin and end with the following markers (example):

    -----BEGIN CERTIFICATE-----
    MIIB8TCCAZsCBEUpHKkwDQYJKoZIhvcNAQEEBQAwgYExCzAJBgNVBAYTAlJPMQww
    ............
    ............
    eNpAIeF34UctLcHkZJGIK6b9Gktm
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    MIICXgIBAAKBgQDv6i/mxtS2B2PjShArtOAmdRoEcCWa/LH1GcrbW14zdbmIqrxb
    ..........
    ..........
    faXRHcG37TkvglUZ3wgy6eKuyrDi5gkwV8WAuaoNct5j5w==
    -----END RSA PRIVATE KEY-----
  3. Change the configuration to use the default certificate located in /usr/share/imapd.pem (and comment out the old one):

    # grep 'TLS_CERTFILE' /etc/courier-imap/imapd-ssl
    ...
    #TLS_CERTFILE=/usr/share/courier-imap/imapd.pem
    TLS_CERTFILE=/usr/share/imapd.pem

    # grep 'TLS_TRUSTCERTS' /etc/courier-imap/pop3d-ssl
    #TLS_TRUSTCERTS=/usr/share/courier-pop3/pop3d.pem
    TLS_TRUSTCERTS=/usr/share/pop3d.pem
  4. Restart Courier-IMAP and Courier-POP3 services:

    # service courier-imapd restart
    Stopping Courier IMAP server: [ OK ]
    Starting Courier IMAP server: [ OK ]

    # /etc/init.d/courier-imaps restart
    Stopping Courier IMAP server with SSL/TLS support: [ OK ]
    Starting Courier IMAP server with SSL/TLS support: [ OK ]

    # service courier-pop3s restart
    Stopping Courier POP3 server with SSL/TLS support: [ OK ]
    Starting Courier POP3 server with SSL/TLS support: [ OK ]

    # service courier-pop3d restart
    Stopping Courier POP3 server: [ OK ]
    Starting Courier POP3 server: [ OK ]
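
The check in step 2 can be scripted instead of read by eye. The following is an added example, not part of the original article or of Plesk/Courier tooling: it lists the PEM blocks in a file, verifies that a certificate and a private key are both present, and uses the openssl CLI to confirm that the key belongs to the certificate. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Plesk or Courier tooling.

# Print the label of every PEM block in a file, one per line.
pem_labels() {
    sed -n 's/^[[:space:]]*-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Succeed only if the file holds a certificate AND a private key,
# which is what the "correct certificate" sample in step 2 shows.
pem_has_cert_and_key() {
    labels=$(pem_labels "$1") || return 1
    missing=0
    printf '%s\n' "$labels" | grep -qx 'CERTIFICATE' ||
        { echo "$1: no CERTIFICATE block"; missing=1; }
    printf '%s\n' "$labels" | grep -q 'PRIVATE KEY$' ||
        { echo "$1: no PRIVATE KEY block"; missing=1; }
    [ "$missing" -eq 0 ]
}

# Succeed only if the private key in the file belongs to the certificate in
# it: both must yield the same public key. Requires the openssl CLI.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample: a file holding only DH parameters, like the one found
# in step 2 (the body is a placeholder, only the block label matters here).
sample=$(mktemp)
cat > "$sample" <<'EOF'
-----BEGIN DH PARAMETERS-----
PLACEHOLDERBODY
-----END DH PARAMETERS-----
EOF
echo "PEM blocks found:"
pem_labels "$sample"
pem_has_cert_and_key "$sample" || echo "=> not usable as a server certificate file"
rm -f "$sample"
```

On the server, call pem_has_cert_and_key and pem_key_matches_cert on the path reported by the grep in step 1 before restarting the services.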
