SSL does not work due to the error "write:errno=104 no peer certificate available No client certificate CA names sent"

Created: 2016-11-16 13:22:10 UTC

Modified: 2017-08-16 22:25:34 UTC


Applicable to:

  • Plesk 12.5 for Linux
  • Plesk 11.x for Linux

Symptoms

It is not possible to connect over SSL because of the following error message:

# openssl s_client -connect <address>:993 -crlf
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Or:

# openssl s_client -connect <address>:995 -crlf
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Cause

An incorrect certificate is being used for the IMAP/POP3 server.

Resolution

  1. Check which certificate Courier-IMAP is using:

    # grep 'TLS_CERTFILE' /etc/courier-imap/imapd-ssl
    TLS_CERTFILE=/usr/share/courier-imap/imapd.pem

    # grep 'TLS_TRUSTCERTS' /etc/courier-imap/pop3d-ssl
    TLS_TRUSTCERTS=/usr/share/courier-pop3d/pop3d.pem
  2. Verify the contents of this certificate:

    # cat /usr/share/courier-imap/imapd.pem
    -----BEGIN DH PARAMETERS-----
    MEYCQQCNzLSn7W8kIu6jgtc9W9i5Bz5uft2xlVegIOqZscP+MYcXm7jU0wstUKUP
    b9UZJmSGAIiIM/qK9aHCBA9w5cYjAgEC
    -----END DH PARAMETERS-----

    A correct certificate should begin and end as follows (by way of example):

    -----BEGIN CERTIFICATE-----
    MIIB8TCCAZsCBEUpHKkwDQYJKoZIhvcNAQEEBQAwgYExCzAJBgNVBAYTAlJPMQww
    ............
    ............
    eNpAIeF34UctLcHkZJGIK6b9Gktm
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    MIICXgIBAAKBgQDv6i/mxtS2B2PjShArtOAmdRoEcCWa/LH1GcrbW14zdbmIqrxb
    ..........
    ..........
    faXRHcG37TkvglUZ3wgy6eKuyrDi5gkwV8WAuaoNct5j5w==
    -----END RSA PRIVATE KEY-----
  3. Modify this configuration to use the default certificate located at /usr/share/imapd.pem (and comment out the previous one):

    grep 'TLS_CERTFILE' /etc/courier-imap/imapd-ssl
    ...
    #TLS_CERTFILE=/usr/share/courier-imap/imapd.pem
    TLS_CERTFILE=/usr/share/imapd.pem

    grep 'TLS_CERTFILE' /etc/courier-imap/pop3d-ssl
    #TLS_TRUSTCERTS=/usr/share/courier-pop3/pop3d.pem
    TLS_TRUSTCERTS=/usr/share/pop3d.pem
  4. Restart the Courier-IMAP and Courier-POP3 services:

      service courier-imapd restart

      Stopping Courier IMAP server: [ OK ]
      Starting Courier IMAP server: [ OK ]

      /etc/init.d/courier-imaps restart

      Stopping Courier IMAP server with SSL/TLS support: [ OK ]
      Starting Courier IMAP server with SSL/TLS support: [ OK ]

      service courier-pop3s restart

      Stopping Courier POP3 server with SSL/TLS support: [ OK ]
      Starting Courier POP3 server with SSL/TLS support: [ OK ]

      service courier-pop3d restart

      Stopping Courier POP3 server: [ OK ]
      Starting Courier POP3 server: [ OK ]
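
The checks in steps 1 and 2 can be scripted. The following is an added example, not part of the original article or of Plesk/Courier: it reads a key from a Courier config file and reports whether the file it points to holds both a certificate and a private key, or only something else such as DH parameters. The function names are hypothetical, and it assumes unquoted `KEY=value` lines.

```shell
#!/bin/sh
# Added example (not from the original article): classify the PEM blocks in
# the file a Courier config key points to. Function names are hypothetical.

# configured_value KEY CONF: value of the last uncommented KEY=... line.
configured_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" 2>/dev/null | tail -n 1
}

# pem_block_types FILE: one label per "-----BEGIN <label>-----" line.
pem_block_types() {
    sed -n 's/^[[:space:]]*-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# check_courier_pem FILE: 0 = certificate and private key both present,
# 1 = readable but one is missing (e.g. DH parameters only), 2 = unreadable.
check_courier_pem() {
    [ -r "$1" ] || { echo "UNREADABLE $1"; return 2; }
    types=$(pem_block_types "$1")
    has_cert=no
    has_key=no
    printf '%s\n' "$types" | grep -qx 'CERTIFICATE' && has_cert=yes
    printf '%s\n' "$types" | grep -Eqx '(RSA |EC )?PRIVATE KEY' && has_key=yes
    if [ "$has_cert" = yes ] && [ "$has_key" = yes ]; then
        echo "OK $1"
        return 0
    fi
    echo "BAD $1 certificate=$has_cert key=$has_key blocks=[$(printf '%s' "$types" | tr '\n' ',')]"
    return 1
}

# check_courier_config KEY CONF: resolve the file from the config, then check it.
check_courier_config() {
    pem=$(configured_value "$1" "$2")
    [ -n "$pem" ] || { echo "UNSET $1 in $2"; return 2; }
    check_courier_pem "$pem"
}

# Stand-alone use: sh check.sh TLS_CERTFILE /etc/courier-imap/imapd-ssl
if [ "$#" -eq 2 ]; then
    check_courier_config "$1" "$2"
fi
```

A `BAD` result with `blocks=[DH PARAMETERS]` corresponds to the faulty file shown in step 2.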
