Debugging SSL problems with Cyrus IMAP

When replacing an expired SSL certificate, or setting up a new one, with Cyrus IMAP server the following error message can be encountered:
TLS server engine: cannot load CA data

This by itself is not very helpful; normally the problem is caused by incorrect permissions or file names. The Cyrus IMAP user or group (normally cyrus:cyrus) will need read access to the SSL certificate, CA and key files.

The configuration file for Cyrus IMAP lives in /etc/imapd.conf and the following lines detail where it should get its SSL certificates and key from:

tls_cert_file: /etc/mail/certs/www.site.com.crt
tls_key_file: /var/imap/www.site.com.key
tls_ca_file: /etc/mail/certs/ca.crt

To find out the exact problem, run the following command to watch the logs when Cyrus starts up:

tail -f /var/log/{syslog,messages,debug}

This will produce output similar to the example below once Cyrus is started (in another terminal).

==> /var/log/messages <==
Jan 15 22:43:30 www imaps[1596]: TLS server engine: cannot load CA data

==> /var/log/syslog <==
Jan 15 22:43:30 www imaps[1596]: unable to get certificate from '/etc/mail/certs/www.site.com.crt'
Jan 15 22:43:30 www imaps[1596]: TLS server engine: cannot load cert/key data
Jan 15 22:43:30 www imaps[1596]: error initializing TLS
Jan 15 22:43:30 www imaps[1596]: Fatal error: tls_init() failed

==> /var/log/debug <==
Jan 15 22:43:30 www master[1596]: about to exec /usr/libexec/cyrus/imapd
Jan 15 22:43:30 www imaps[1596]: SQL backend defaulting to engine 'sqlite'
Jan 15 22:43:30 www imaps[1596]: executed
Jan 15 22:43:30 www imaps[1596]: accepted connection
Jan 15 22:43:30 www master[1576]: process 1596 exited, status 75
Jan 15 22:43:30 www master[1576]: service imaps pid 1596 in BUSY state: terminated abnormally

The log line of particular interest is:

Jan 15 22:43:30 www imaps[1596]: unable to get certificate from '/etc/mail/certs/www.site.com.crt'

Now we can check whether this file exists and whether it is readable by the Cyrus user. Once this has been corrected, restart Cyrus and repeat the process until no TLS error is shown, then try connecting via IMAP with SSL.
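The check above can be scripted so that every tls_*_file path in imapd.conf is tested at once. This is an added example, not code from the original post or from Cyrus; the config path and the service account name ("cyrus") are assumptions passed in as arguments, and readability is judged from the file's mode bits because imapd drops to that account before opening the files.

```shell
#!/bin/sh
# Added example: report which TLS files named in an imapd.conf are missing or
# not readable by the Cyrus service account. ACLs and SELinux are not considered.

# Print the paths from tls_cert_file, tls_key_file and tls_ca_file lines.
cyrus_tls_paths() {
    awk -F': *' '$1 ~ /^tls_(cert|key|ca)_file$/ { sub(/[[:space:]]+$/, "", $2); print $2 }' "$1"
}

# Is <user> ($1) a member of <group> ($2), primary or supplementary?
in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do [ "$g" = "$2" ] && return 0; done
    return 1
}

# Report one file as OK, MISSING or UNREADABLE for <user>; returns 0 only for OK.
check_tls_file() {
    path=$1 user=$2
    [ -e "$path" ] || { echo "MISSING    $path"; return 1; }
    set -- $(ls -ld "$path")            # fields: mode links owner group ...
    mode=$1 owner=$3 group=$4
    # mode string positions: 2 = owner r, 5 = group r, 8 = other r
    if   [ "$owner" = "$user" ] && [ "$(printf %s "$mode" | cut -c2)" = r ]; then
        echo "OK         $path"
    elif in_group "$user" "$group" && [ "$(printf %s "$mode" | cut -c5)" = r ]; then
        echo "OK         $path"
    elif [ "$(printf %s "$mode" | cut -c8)" = r ]; then
        echo "OK         $path"
    else
        echo "UNREADABLE $path ($mode $owner:$group, needed by $user)"; return 1
    fi
}

# Check every TLS file in a config; returns the number of problems found.
check_imapd_tls() {
    conf=$1 user=${2:-cyrus} bad=0
    for p in $(cyrus_tls_paths "$conf"); do
        check_tls_file "$p" "$user" || bad=$((bad + 1))
    done
    return $bad
}

# Usage: check_imapd_tls /etc/imapd.conf cyrus
```

Run it as root (or any account that can stat the files) right after editing imapd.conf, before restarting Cyrus.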

Last updated: 15/01/2015