Re: Dovecot stops responding when I update SSL certificate
Aki Tuomi
aki.tuomi at dovecot.fi
Sat Mar 5 06:00:21 UTC 2016
Did you change dh parameter size as well? This causes dh generation which can take some time.
---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: HotSlots Webmaster <webmaster at hotslots132.com>
Date: 5.3.2016 4.10 (GMT+02:00)
To: dovecot at dovecot.org
Subject: Dovecot stops responding when I update SSL certificate
Dovecot 2.2.18
CentOS 6.7 (x86_64)
Plesk 12.5.30
I have had Dovecot working fine with SSL for nearly two years now. It's
time to renew the SSL certificate, so I did (same CA). The new
certificate works fine in Apache and Postfix. But when I update Dovecot
to use the same certificate, and restart the server, Dovecot stops
responding to connects. I have triple-checked that the ssl_cert and
ssl_key files are correct - all I did was change the names in the conf
file. There's nothing in the log. I have tried various SSL tests but
either they don't work (unspecific error) or they tell me nothing is
wrong (and show the correct certificate.) I am running out of time to
find a solution to this - what else can I look for?
The one difference for the certificates is that I opted for one with a
SHA256 root rather than SHA1 root. I have separately used a tool to
verify that the certificate and private key match.
Here is the end of the dovecot -n file that mentions SSL:
ssl = required
ssl_cert = </etc/pki/tls/certs/hotslots-cert.pem
ssl_cipher_list = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/hotslots-private.pem
ssl_protocols = TLSv1.1 TLSv1.2 !TLSv1
userdb {
  args = uid=popuser gid=popuser
  driver = static
}
protocol imap {
  mail_plugins = " quota imap_quota"
}
protocol pop3 {
  pop3_uidl_format = UID%u-%v
}
protocol lda {
  mail_plugins = " quota sieve"
}
(The !TLSv1 doesn't seem to be honored - I tried it with and without
that. A problem for later.)
Thanks for any help.
Steve L
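
The certificate and key check mentioned in the message above can be scripted with the openssl CLI. This is an added example, not part of the original thread; the function names are illustrative, and it assumes an unencrypted private key and a PEM file whose first certificate is the server (leaf) certificate.

```shell
#!/bin/sh
# Added example: checks to run on a renewed certificate before restarting
# the mail server. Function names are illustrative, not from the thread.

# Return 0 if the private key belongs to the leaf certificate, 1 if the two
# do not match, 2 if either file cannot be parsed.
cert_matches_key() {
    # Public key embedded in the first certificate of the PEM file.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key.
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the signature algorithm of the leaf certificate,
# e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Print the expiry date of the leaf certificate.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2
}

# When called with two arguments (certificate, key), report and set the
# exit status so the script can gate a restart.
if [ "$#" -eq 2 ]; then
    if cert_matches_key "$1" "$2"; then
        echo "OK: key matches certificate"
        echo "signature algorithm: $(cert_sig_alg "$1")"
        echo "expires: $(cert_not_after "$1")"
    else
        echo "FAIL: certificate and key do not match or cannot be read" >&2
        exit 1
    fi
fi
```

Saved under a name of your choice, the script takes the files named in ssl_cert and ssl_key as its two arguments. A passing result only rules out a mismatched pair; it says nothing about the DH parameter generation raised in the reply.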