mail_crypt_global_private_key: Couldn't parse private key: Unknown/invalid PEM key type

Aki Tuomi aki.tuomi at open-xchange.com
Sat Feb 20 12:38:00 EET 2021


Can you tell us what you did differently?

Aki

On 20 February 2021 11.33.15 EET, Antti Antinoja <reader at fennosys.fi> wrote:
>Got it! My private test key was in the wrong format.
>
>Cheers,
>Antti
>
>On Sat, 20 Feb 2021 14:15:07 +0800
>Antti Antinoja <reader at fennosys.fi> wrote:
>
>> Version: Dovecot 2.3.13 (89f716dc2)
>> 
>> Issue: Dovecot states it can't parse the private key
>> 
>> = Background =
>> 
>> == Creating private EC key ==
>> 
>> * Curve: secp521r1
>> * Encryption: aes-256-ctr
>> * Format: pkey
>> * Encapsulation: Base64
>> 
>>   # openssl ecparam -name secp521r1 -genkey | openssl pkey |\
>>     openssl ec -aes-256-ctr | base64 -w0 > test_keys_remove/private_key_encrypted.pem
>> 
>> == Extract public key ==
>> 
>>   # cat test_keys_remove/private_key_encrypted.pem | base64 -d |\
>>     openssl ec -pubout | base64 -w0 > test_keys_remove/public_key.pem
>> 
>> == Checking keys ==
>> 
>> * 592 Feb 20 07:27 private_key_encrypted.pem:
>> 
>> * 360 Feb 20 07:28 public_key.pem:
>>
>LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SExUTWFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
>> 
>> == Notes ==
>> 
>> * The keys are then saved in database and fetched to userdb by Dovecot via passdb lookup (Details in the logs)
>> * mail-crypt settings:
>> 
>>     mail_plugins = $mail_plugins mail_crypt
>>     plugin {
>>         mail_crypt_curve = secp521r1
>>         mail_crypt_save_version = 0
>>     }
>> 
>> * Note: User record on database has mail_crypt_save_version = 2 as can be seen from the log extract below.
>> 
>> = Dovecot log on client IMAP message retrieval =
>> 
>> Feb 20 07:45:01 pf1 dovecot[19612]: auth: Debug:
>sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Performing passdb lookup
>> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug:
>sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Finished passdb lookup
>> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug:
>auth(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Auth request finished
>> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: client passdb out:
>OK  1       user=test1 at g1.fi        
>> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug:
>sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Performing userdb lookup
>> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug:
>sql(test1 at g1.fi,x.x.x.x,<wFzVEb67CMQKZgkb>): Finished userdb lookup
>> Feb 20 07:45:02 pf1 dovecot[19612]: auth: Debug: master userdb out:
>USER        1609957377      test1 at g1.fi    
>mail_crypt_global_private_password=key_pass_we_know_this_is_correct
>mail_crypt_global_private_key=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0yNTYtQ1RSLEY3QzRCMUU3MDQxRDBBNDU1QjFGOUUwODA0NkRBNDAxCgpQdGE4T0F0QTN1anYwdlNNY3RpSGlUZDJqMEdTU2R6VjU3UUdtVXdDTU1RcDdRb3FCSHQvZERNRVBiUEY1bEcxCmowUER1NS9GVnVUdFVsUlpTMTYrTlNXaW9yZ2t2VkhUaDMrNDd0eC91dmlRd1FQLzQzdEVhRnBmNzdTQVpsRHcKeEIyU2pNNFp2MWhkU3BqeFdER0dKRkJEdi8yL2RqOVVwVHh3a0F3dVgrUVFoUmxWelN5cjBCQVhHOXlPcS9HVAp3czhRNUdldnp2SEdoMVl5UGdwTDlqdGJpekdJYTRVUzBmN2hFZkdHSGZKLzNSSWR6MHhlaWh2OEdhMGh1ajQ4CmRTL1FTY0U3QnYrWW16emNnMmRsdlk5Nkc1eFJJT3dCOEFEd1IvbHdidz09Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K
>mail_crypt_global_public_key=LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SEx
> UT
>> 
>WFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
>mail_crypt_save_version=2       quota_rule=*:bytes=0   
>home=/var/vmail/g1.fi/test1     uid=10000       gid=10000      
>auth_mech=PLAIN auth_token=66d2d0f66bcce2758235fb53dbfe821804c6e79c
>> Feb 20 07:45:02 pf1 dovecot[19612]: imap-login: Login:
>user=<test1 at g1.fi>, method=PLAIN, rip=x.x.x.x, lip=y.y,y,y, mpid=19618,
>TLS, session=<wFzVEb67CMQKZgkb>
>> Feb 20 07:45:02 pf1 dovecot[19612]:
>imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb
>setting:
>plugin/mail_crypt_global_private_key=
>> Feb 20 07:45:02 pf1 dovecot[19612]:
>imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb
>setting: plugin/mail_crypt_global_private_password=<hidden>
>> Feb 20 07:45:02 pf1 dovecot[19612]:
>imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb
>setting:
>plugin/mail_crypt_global_public_key=LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHYk1CQUdCeXFHU000OUFnRUdCU3VCQkFBakE0R0dBQVFBK2w2M0ZIckpuT0dPZ1lDTG5PRVpOaHpSdW5YWgpoMHd5dTNPS1VzSEozUDJPVWxNWmxKOFFjZTF0SExUTWFxMWxkOTIwbkdJQmo1TGNYUklVdWRweElTd0I2Tld0Ck1TWncrZFBEUVRjc0hQMFRqWUh5Njl4d25BZHV4ZHZYdnh0Uk5TRzZGNlJPUnR0L2t2ekk3bWRPM0NpQ1FyMTQKTjZWalZyYWVpaXZkR2dPQ250bz0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
>> Feb 20 07:45:02 pf1 dovecot[19612]:
>imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb
>setting: plugin/=2
>> Feb 20 07:45:02 pf1 dovecot[19612]:
>imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Debug: Added userdb
>setting: plugin/quota_rule=*:bytes=0
>> Feb 20 07:45:02 pf1 dovecot[19612]:
>imap(test1 at g1.fi)<19618><wFzVEb67CMQKZgkb>: Error: mail_crypt_plugin:
>mail_crypt_global_private_key: Couldn't parse private key:
>Unknown/invalid PEM key type
>> 
>> == Question ==
>> 
>> Any idea why Dovecot can't parse the private key?
>> 
>> I tested this with several keys. Even with some without encryption -> Always same error.
>> 
>> According to the debug messages the private key is correctly loaded (and indeed matches the one created on command line).
>> 
>> Thank you for your time.
>> 
>> Cheers,
>> Antti
>> 
>> -- 
>> Antti Antinoja <reader at fennosys.fi>
>
>
>-- 
>Antti Antinoja <reader at fennosys.fi>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
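
Added example, not part of the original messages: a shell check that decodes a base64-wrapped key as it appears in the userdb fields above and reports its PEM label, so a traditional "EC PRIVATE KEY" (which is what the logged mail_crypt_global_private_key value decodes to) is caught before it is stored. The function names and sample inputs are constructed here, and treating only PKCS#8 labels as acceptable is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added example (not from the thread): report the PEM label of a
# base64-wrapped key as stored in a userdb field.

# Print the label between "-----BEGIN " and "-----" of the decoded first line.
pem_label() {
    first=$(printf '%s' "$1" | base64 -d 2>/dev/null | tr -d '\r' | head -n 1)
    case $first in
        '-----BEGIN '*'-----')
            label=${first#-----BEGIN }
            printf '%s\n' "${label%-----}" ;;
        *) return 1 ;;
    esac
}

# Map the label to a key kind.
key_kind() {
    label=$(pem_label "$1") || { echo not-pem; return 0; }
    case $label in
        'PRIVATE KEY')           echo pkcs8 ;;
        'ENCRYPTED PRIVATE KEY') echo pkcs8-encrypted ;;
        'PUBLIC KEY')            echo public ;;
        'EC PRIVATE KEY')        echo legacy-ec ;;
        'RSA PRIVATE KEY')       echo legacy-rsa ;;
        *)                       echo unknown ;;
    esac
}

# Assumption (not stated in the thread): only the PKCS#8 labels are usable
# as a private key here; anything else is reported and rejected.
check_private_key() {
    kind=$(key_kind "$1")
    case $kind in
        pkcs8|pkcs8-encrypted) return 0 ;;
        *) echo "private key is '$kind'; re-export it as PKCS#8 (openssl pkey)" >&2
           return 1 ;;
    esac
}

# Constructed samples: real labels, placeholder bodies (not usable keys).
SAMPLE_LEGACY=$(printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' \
    'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-256-CTR,00' '' 'AAAA' \
    '-----END EC PRIVATE KEY-----' | base64 | tr -d '\n')
SAMPLE_PKCS8=$(printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
    '-----END PRIVATE KEY-----' | base64 | tr -d '\n')

echo "legacy sample: $(key_kind "$SAMPLE_LEGACY")"
echo "pkcs8 sample:  $(key_kind "$SAMPLE_PKCS8")"
```
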