Multidomain / IP Address Setup (Dovecot 2.2.10 on CentOS 7) is failing: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM

dravion.smith at gmx.net dravion.smith at gmx.net
Sat Aug 15 01:22:47 UTC 2015


Hello Alex

Am 14.08.2015 um 19:57 schrieb Alexander Dalloz:
> What have you done to exclude that SELinux interferes?
>
Just some sysinfo:
CentOS Linux release 7.1.1503 (Core) (I run yum update every day)

sestatus:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

>
> Run "ausearch -m avc" to check for AVCs.

There is no indication that SELinux is blocking anything:

grep "SELinux is preventing" /var/log/messages
grep "denied" /var/log/audit/audit.log
ausearch -m avc shows no denied messages
>
>> ### This works (Thunderbird, Outlook 2013, Opera Mail etc.) ####
>>
>> local mydomain01.tld {
>>
>>    protocol imap {
>>        ssl_cert =
>> </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.crt.pem
>>        ssl_key =
>> </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.key.pem
>>    }
>>
>> }
>>
Sorry, the above has some typos; forget it.

Ok, this works well:

Configfile: /etc/dovecot/conf.d/10-ssl.conf
protocol imap {
ssl_cert = 
</etc/ssl/domains/mydomain01.tld/imap/imap.mydomain01.tld.crt.pem
ssl_key  = 
</etc/ssl/domains/mydomain01.tld/imap/imap.mydomain01.tld.key.pem
}

if i change it to
protocol imap {
ssl_cert = 
</etc/ssl/domains/mydomain02.tld/imap/imap.mydomain02.tld.crt.pem
ssl_key  = 
</etc/ssl/domains/mydomain02.tld/imap/imap.mydomain02.tld.key.pem
}

This works well too (I can connect from a Windows box with Mozilla 
Thunderbird and Microsoft Outlook 2013,
the IMAP folders are shown, e-mail sending and receiving works, and 
the logs show no error).

#### BUT ####
If I try something like this in /etc/dovecot/conf.d/10-ssl.conf

local imap.mydomain01.tld {
protocol imap {
ssl_cert = 
</etc/ssl/domains/mydomain01.tld/imap/imap.mydomain01.tld.crt.pem
ssl_key  = 
</etc/ssl/domains/mydomain01.tld/imap/imap.mydomain01.tld.key.pem
}
}

local imap.mydomain01.tld {
protocol imap {
ssl_cert = 
</etc/ssl/domains/mydomain02.tld/imap/imap.mydomain02.tld.crt.pem
ssl_key  = 
</etc/ssl/domains/mydomain02.tld/imap/imap.mydomain02.tld.key.pem
}
}

It throws errors like this in the logfile /var/maillog:
imap-login: "parse private ssl_key: error:0906D06C:PEM"

Each of the certs is accepted in single-domain mode but fails in 
multidomain mode.
I have checked whether local_name (SNI) works with the full DNS domain name 
or just the IP address,
but this doesn't show any effect. Multidomain mode of Dovecot is

Notes:
The certs are StartSSL domain-validated free certs, issued for 
imap.mydomain01.tld and imap.mydomain02.tld.
In single-domain mode as explained above, either of the two certificates is 
accepted, and Thunderbird and Outlook
accept the certs as StartSSL without any warning or error message.

ps:
imap.mydomain01.tld.key begins with -----BEGIN RSA PRIVATE KEY----- and 
ends with -----END RSA PRIVATE KEY-----
imap.mydomain02.tld.key begins with -----BEGIN RSA PRIVATE KEY----- and 
ends with -----END RSA PRIVATE KEY-----

ps2:
There was a hint on some website that Dovecot needs the certs in a 
single *.pem file because the implementation of SNI
and related code "was poorly implemented".

Thanks, Drav

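A check worth running on each key and cert file before touching the Dovecot config, added here as an example; it is not code from the original post or from Dovecot. OpenSSL's "error:0906D06C:PEM routines:PEM_read_bio:no start line" means the PEM reader never found a usable "-----BEGIN ...-----" line, so the script below lints the framing that reader depends on: BEGIN/END labels, base64 body, DER SEQUENCE length, a BOM or indentation hiding the marker, and a value that is a file path instead of file contents (what you get when the leading "<" is dropped from an ssl_key line). The sample inputs are constructed, and the base64 body "MAMCAQA=" is a placeholder DER SEQUENCE, not a real key.

```python
"""Lint PEM files the way OpenSSL's PEM reader sees them (added example)."""
import base64
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----\s*$")
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE"}


def der_sequence_length(data):
    """Total encoded length if data starts with a DER SEQUENCE, else None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_block(label, body):
    """Check one BEGIN/END block body (list of stripped lines)."""
    problems, headers = [], []
    while body and ":" in body[0]:        # legacy "Proc-Type:"/"DEK-Info:" headers
        headers.append(body.pop(0))
    if headers and body and body[0] == "":
        body.pop(0)
    encrypted = any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
    if encrypted:
        problems.append(f"{label}: passphrase-encrypted key (server needs "
                        "the passphrase or an unencrypted copy)")
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return problems + [f"{label}: body is not valid base64"]
    if not encrypted:                     # ciphertext is not DER, skip it
        total = der_sequence_length(der)
        if total is None:
            problems.append(f"{label}: decoded body is not a DER SEQUENCE")
        elif total != len(der):
            problems.append(f"{label}: DER says {total} bytes, decoded "
                            f"{len(der)} (truncated or trailing data)")
    return problems


def check_pem(text, expect):
    """Return (ok, problems, labels); expect is 'key' or 'cert'."""
    problems, labels = [], []
    if text.startswith("\ufeff"):
        problems.append("UTF-8 BOM before the BEGIN line")
        text = text[1:]
    label, body = None, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if body is None:                  # outside a block: look for BEGIN
            m = BEGIN_RE.match(line)
            if m:
                label, body = m.group(1), []
            elif "-----BEGIN" in line:
                problems.append(f"line {lineno}: BEGIN marker not at start "
                                "of line")
            continue
        m = END_RE.match(line)
        if m is None:
            body.append(line.strip())
            continue
        if m.group(1) != label:
            problems.append(f"line {lineno}: END label {m.group(1)!r} does "
                            f"not match BEGIN {label!r}")
        problems.extend(check_block(label, body))
        labels.append(label)
        label, body = None, None
    if body is not None:
        problems.append(f"BEGIN {label} has no matching END (truncated?)")
        labels.append(label)
    if not labels:
        problems.append("no '-----BEGIN ...-----' line: this is what "
                        "OpenSSL reports as 'no start line'")
    wanted = KEY_LABELS if expect == "key" else CERT_LABELS
    if labels and not set(labels) & wanted:
        problems.append(f"expected a {expect} block, found {labels}")
    return (not problems, problems, labels)


def check_file(path, expect):
    """Read a file as raw bytes (as OpenSSL does) and lint it."""
    with open(path, "rb") as fh:
        return check_pem(fh.read().decode("utf-8", errors="replace"), expect)


# Constructed samples; "MAMCAQA=" is the DER SEQUENCE 30 03 02 01 00.
GOOD_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nMAMCAQA=\n"
            "-----END RSA PRIVATE KEY-----\n")
BOM_KEY = "\ufeff" + GOOD_KEY
INDENTED_KEY = "  " + GOOD_KEY
TRUNCATED_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMAMC\n"
PATH_NOT_CONTENT = "/etc/ssl/domains/mydomain01.tld/imap/key.pem\n"

if __name__ == "__main__":
    for name, text in [("good", GOOD_KEY), ("bom", BOM_KEY),
                       ("indented", INDENTED_KEY),
                       ("truncated", TRUNCATED_KEY),
                       ("path", PATH_NOT_CONTENT)]:
        ok, problems, labels = check_pem(text, "key")
        print(name, "OK" if ok else problems)
```

Run it against the real files with check_file("/etc/ssl/domains/mydomain01.tld/imap/imap.mydomain01.tld.key.pem", "key") (and "cert" for the .crt.pem) as the user Dovecot's login processes run as; a file that lints clean here but still fails in Dovecot points at how the config hands the file to OpenSSL rather than at the file itself.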