Re: Troubleshooting help

From: Willy Tarreau <w#1wt.eu>
Date: Thu, 22 Jan 2009 22:50:43 +0100


Hi Patrick,

On Thu, Jan 22, 2009 at 11:43:40AM +0100, Patrick Viet wrote:
> > Hi,
> >
> > I'm running two haproxy servers in front of my IMAP servers running
> > Dovecot. I've got some users getting intermittent "certificate cannot
> > be verified" errors when connecting to IMAP via SSL with various mail
> > clients. I've mailed the Dovecot list, but there weren't any errors in
> > the Dovecot logs, just a connection, no auth attempts and a disconnect
> > so I suspect it may have something to do with the connection to the
> > IMAP server. I've got debug logging enabled on haproxy, but it doesn't
> > provide much in the way of information besides the source and local
> > IP. Is there any further debug logging that can be done? Or
> > suggestions on what I can look for that might show me where the
> > problem is?
>
> Hi,
>
> HAProxy does not do any processing in tcp mode. It's just tcp connect
> -> tcp connect. If you activate more logging in haproxy all you will
> get are raw ssl packet dumps, which isn't too useful.
>
> As you write yourself, the client connects and doesn't approve of the
> certificate. So it doesn't try any auth. You should rather check if the
> clients aren't doing some kind of failed external check for the
> certificate. You could also activate more logging in dovecot.
> (debug1/2/3)
>
> Anyway nothing seems to show some problem with HAProxy. So just
> check out your logs (source ip/port) and through the source port number
> you can get the correspondence between real source ip and dovecot log
> ...

In fact, there *might* be something: the connect timeout is set to 4 seconds, which only allows for one TCP retransmit. If one of the hosts is on another site with a little bit of packet loss, there are times when the connection attempt will time out and the client will get an empty reply, which it might translate into a certificate error.

Guy, please try to increase "timeout connect" to 15s for instance, and see if that helps.

Regards,
Willy

Received on 2009/01/22 22:50
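As an added example, not part of the thread or of any of the posters' configurations: a minimal HAProxy TCP-mode listener for IMAPS that applies the longer "timeout connect" suggested above and logs the client source port that Patrick proposes using to correlate with the Dovecot logs. The server names and 192.0.2.x addresses are placeholders.

```haproxy
global
    log 127.0.0.1 local0

defaults
    log     global
    mode    tcp              # pure TCP passthrough: the SSL session is between the mail client and Dovecot
    option  tcplog           # logs client ip:port, chosen server, timers and the termination state flags
    retries 3
    timeout client  30m      # IMAP sessions stay idle for a long time (IDLE), so keep this generous
    timeout server  30m
    # timeout connect 4s     # the setting discussed above: only one SYN retransmit fits before haproxy gives up
    timeout connect 15s      # Willy's suggestion: room for several retransmits on a lossy link

listen imaps
    bind 0.0.0.0:993
    balance roundrobin
    server dovecot1 192.0.2.11:993 check inter 5s fall 3 rise 2   # placeholder address
    server dovecot2 192.0.2.12:993 check inter 5s fall 3 rise 2   # placeholder address
```

With tcplog enabled, a connection that died on the connect timeout shows up with termination state "sC" in the haproxy log line, so a quick count of those lines before and after the change tells whether the timeout was the cause.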
