This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Upgrade from 17 MR1 to MR2 breaks ImapPOP daemon

Dear All,

I am quite busy during this months and I am not following the community (sorry about that to all users). Today I found the time to upgrade XG to latest MR (from 17 MR1 to MR2) and the POPIMAP daemon does not start.

See the screenshot.

Running services -S from advanced shell reports this status:

The warren service does not start. If I try to start it using the service command, the output is:

service warren:start -dsnosync
503 Service Failed

More info from warren.log file:

Regards

This thread was automatically locked due to age.

Parents

0 ChrisKnight over 6 years ago

Hi Luk,

Check the certificate binding for IMAPS/POPS in your config.

The default is to use the SecurityAppliance CA certificate.

Here's the extract from a working /cfs/prxoy/warren/conf/policy.conf file (removing the ssl_password entry):

POPS_IMAPS_SSL { ssl_deny_invalid_cert off ssl_trusted_cacert_dir "/conf/certificate/cacerts/" ssl_cert_file "/conf/certificate/cacerts/SecurityAppliance_SSL_CA.pem" ssl_key_file "/conf/certificate/caprivate/SecurityAppliance_SSL_CA.key" ssl_password "*****" OEM_value "SecurityAppliance" }
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 ChrisKnight over 6 years ago

Hi Luk,

Check the certificate binding for IMAPS/POPS in your config.

The default is to use the SecurityAppliance CA certificate.

Here's the extract from a working /cfs/prxoy/warren/conf/policy.conf file (removing the ssl_password entry):

POPS_IMAPS_SSL { ssl_deny_invalid_cert off ssl_trusted_cacert_dir "/conf/certificate/cacerts/" ssl_cert_file "/conf/certificate/cacerts/SecurityAppliance_SSL_CA.pem" ssl_key_file "/conf/certificate/caprivate/SecurityAppliance_SSL_CA.key" ssl_password "*****" OEM_value "SecurityAppliance" }
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 lferrara over 6 years ago in reply to ChrisKnight

ChrisKnight,

the certificate used by XG depends on the initial configuration. Mine is coming from v15 and default CA was used since then. Anyway I was able to fix it by switching to default_SSL_CA, restart the warren service from advanced shell, switch back the default CA and then restart the service again.

During the upgrade, the XG lost something.

It was working good since MR1.

Regards
Cancel
Vote Up 0 Vote Down

Cancel
0 ChrisKnight over 6 years ago in reply to lferrara

The upgrade screwed over the policy.conf file.

There's no way you should have the private key for a third party public CA certificate. If you do then someone's CA signing and distribution process is horribly, horribly broken.
Cancel
Vote Up 0 Vote Down

Cancel
0 Big_Buck over 6 years ago in reply to ChrisKnight

I'm about to come to the conclusion the only reliable way to upgrade XG is to Backup, then wipe all configs to zero, upgrade, then import backup.
Cancel
Vote Up 0 Vote Down

Cancel