Upgrade to 2.3.1 has failed
Aki Tuomi
aki.tuomi at open-xchange.com
Fri Dec 14 07:19:55 EET 2018
> On 14 December 2018 at 02:12 "C. Andrews Lavarre" <alavarre at gmail.com> wrote:
>
>
> Problem:
> We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But we
> upgraded openSUSE to Leap 15.0.
> In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no longer
> works and I haven't figured out how to downgrade to the older working
> version.
>
> The key issue seems to be the change to requiring dh.pem and changing
> ssl_protocols to ssl_min_protocols. I think I've navigated both
> correctly, but it still doesn't work.
> The error is
> auth: Error: stats: open(old-stats-user) failed: Permission denied
>
> as a consequence of which we get
> imap-login: Error: Failed to initialize SSL server context: Can't
> load SSL certificate: There is no valid PEM certificate.
>
> We have followed the instructions at https://wiki.dovecot.org/SSL/DovecotConfiguration
> 1. We have created /etc/dovecot/dh.pem (yes it took five
> hours)
>
> 2. We have edited 10-ssl.conf as directed by the Wiki:
> ssl = yes
> ssl_cert = /etc/certbot/live/privustech.com/fullchain.pem
> ssl_key = /etc/certbot/live/privustech.com/privkey.pem
> ssl_dh = /etc/dovecot/dh.pem #(yes, it took five hours to create...)
Hi! You should use
ssl_cert =</etc/certbot/live/privustech.com/fullchain.pem
ssl_key =</etc/certbot/live/privustech.com/privkey.pem
ssl_dh =</etc/dovecot/dh.pem
> ssl_min_protocol = TLSv1
> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
> ssl_prefer_server_ciphers = no
>
You should set ssl_prefer_server_ciphers = yes.
> 3. We have checked 10-ssl.conf against the 2.3 default at
> https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf
>
> 4. We do NOT include the less than (<) symbol before the paths because then dovecot fails to load complaining it cannot find the files.
>
Yes, this is probably an indication that you are missing the files or are chrooting dovecot in an unsupported way. Not including the < symbol will not help with this.
> 5. we have checked all the pem keys, certificates, and dh
> files with cat, they all exist and are in the expected hash format.
>
> 6. We have followed the instructions to set their permissions
> root:root 0444 and 0400 accordingly.
> 7. We have rebooted the host.
>
This is correct.
> Any help or clues would be most appreciated.
>
> Kind regards, Andy
>
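The two points Aki makes above (the `<` prefix makes Dovecot read the file rather than treat the path as inline PEM, and `ssl_prefer_server_ciphers` should be `yes`) can be checked before restarting. The script below is an added example written for this thread, not code from the Dovecot project; it assumes a plain `key = value` 10-ssl.conf without includes, and its PEM check is only the header-level sanity check from step 5, not a cryptographic validation.

```shell
#!/bin/sh
# check_ssl_conf <10-ssl.conf>
# Reports the misconfigurations discussed in the thread and returns 0 only
# when none are found. Assumption: simple "key = value" lines, no includes.
check_ssl_conf() {
    conf="$1"
    rc=0
    for key in ssl_cert ssl_key ssl_dh; do
        # value after "key =", with a trailing "# comment" and whitespace removed
        value=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" \
                | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1)
        if [ -z "$value" ]; then
            echo "$key: not set"; rc=1; continue
        fi
        case "$value" in
            "<"*) path="${value#<}" ;;
            *)    # a bare path is parsed as literal PEM text -> "no valid PEM certificate"
                  echo "$key: '$value' lacks the leading '<'; Dovecot reads it as inline PEM"
                  rc=1; path="$value" ;;
        esac
        if [ ! -r "$path" ]; then
            echo "$key: $path is missing or unreadable"; rc=1; continue
        fi
        # Step-5 style check: the file must at least start with a PEM header
        if ! head -n 1 "$path" | grep -q '^-----BEGIN '; then
            echo "$key: $path does not look like a PEM file"; rc=1
        fi
    done
    # Aki's second point: the server should pick the cipher
    if ! grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]*=[[:space:]]*yes' "$conf"; then
        echo "ssl_prefer_server_ciphers: should be yes"; rc=1
    fi
    return $rc
}

# Usage: sh check_ssl_conf.sh /etc/dovecot/conf.d/10-ssl.conf
if [ -n "${1:-}" ]; then
    check_ssl_conf "$1"
fi
```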