"Can't load SSl Certificate" means dovecot is unable to fetch the ssl certificate files. Check the ownership and permissions on files as well as the containing directory. All should be owned by dovecot or any other user that is member of dovecot user group and can read the parent directories as well as the relative directory pem files.
My advice, is to copy the letsencrypt directory to a new directory and give it ownership and apply zero trust rule on permissions reserved for dovecot, so to avoid having to share the /etc/letsencrypt/live/radicale.camelopardus.nl/ directory with more than two, offered by owner:group model via exposing to the world, hence anyone had their hands on pem files with mitm proxy capability, can intercept dovecot communications.
Zak.
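A permission walk of the kind described above, as an added example that is not part of this thread: for a given uid it checks every directory on the path for the search (x) bit and the file itself for the read bit, and follows certbot's live/ symlinks into archive/ so the target path is checked too. The certbot-style tree it builds under a temp directory is constructed, and uid 65534 is an assumed stand-in for the dovecot user.

```python
import os
import stat
import tempfile
from pathlib import Path

def _allows(st, uid, gids, ubit, gbit, obit):
    """Owner/group/other bit test for one stat result; root bypasses DAC."""
    if uid == 0:
        return True
    bit = ubit if st.st_uid == uid else gbit if st.st_gid in gids else obit
    return bool(st.st_mode & bit)

def check_read_access(path, uid, gids, base=None):
    """Can `uid` (with group ids `gids`) open `path` for reading?  Every directory
    on the way needs x (search), the file needs r; symlinks are followed and their
    target path checked too.  Returns (ok, list of offending components)."""
    p = Path(os.path.abspath(path))
    problems = []
    for d in reversed(p.parents):
        if base is not None and d != base and base not in d.parents:
            continue  # outside the subtree the caller cares about
        if not _allows(os.stat(d), uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"{d}: no search (x) permission for uid {uid}")
    st = os.lstat(p)
    if stat.S_ISLNK(st.st_mode):  # certbot's live/ entries point into archive/
        problems.extend(check_read_access(os.path.realpath(p), uid, gids, base)[1])
    elif not _allows(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(f"{p}: no read (r) permission for uid {uid}")
    return (not problems, problems)

def demo_certbot_layout(other_uid=65534):
    """Constructed stand-in for /etc/letsencrypt with certbot's default modes
    (live/ and archive/ 0700, key 0600).  other_uid plays the dovecot user."""
    root = Path(os.path.realpath(tempfile.mkdtemp()))
    os.chmod(root, 0o755)
    for sub, mode in (("live", 0o700), ("archive", 0o700),
                      ("live/host", 0o755), ("archive/host", 0o755)):
        (root / sub).mkdir()
        os.chmod(root / sub, mode)
    key = root / "archive" / "host" / "privkey1.pem"
    key.write_text("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n")
    os.chmod(key, 0o600)
    link = root / "live" / "host" / "privkey.pem"
    link.symlink_to("../../archive/host/privkey1.pem")
    owner_ok, _ = check_read_access(link, os.getuid(), {os.getgid()}, base=root)
    other_ok, problems = check_read_access(link, other_uid, {other_uid}, base=root)
    return owner_ok, other_ok, problems  # expect (True, False, 3 problems)
```

Run against a real path with the dovecot account's uid and gids to see exactly which directory or file blocks it, before loosening any mode.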
On 2025-08-03 11:59, jaap--- via dovecot wrote:
I am configuring a new mailserver. Postfix works and is getting configured according to our wishes.
Dovecot is more stubborn: for some reason I'm not able to understand, it refuses to "initialize SSL server context", complaining that "Can't load SSL Certificate". I believe I have configured the same certificate (and accompanying key) for imap-login that I use for https. But dovecot does not agree. I looked at error:14187180. All I found were errors in the configuration for the Certs or Keys, which I think I am avoiding.
Two questions: Please correct me if I'm wrong. Can you clarify dovecot's error message?
Jaap
Server:
- Rocky Linux 9.6 kernel 5.14.0-570.28.1
- Dovecot 2.3.21.1
- Openssl 3.2.2
- Certbot 3.1.0
Https is functioning as expected: ssl-config:
- Include /etc/letsencrypt/options-ssl-apache.conf
- SSLCertificateFile /etc/letsencrypt/live/radicale.camelopardus.nl/fullchain.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/radicale.camelopardus.nl/privkey.pem
- ssl_cert =
test from client: openssl s_client -connect radicale.camelopardus.nl:https reply: *CONNECTED(00000003)* *depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1* *verify return:1* *depth=1 C = US, O = Let's Encrypt, CN = E6* *verify return:1* *depth=0 CN = radicale.camelopardus.nl* *verify return:1*
Dovecot responds differently (for Thunderbird as well as for openssl):
conf.d/10-ssl.conf:
- ssl_cert =
- ssl_key =
test: openssl s_client -connect radicale.camelopardus.nl:imaps reply: CONNECTED(00000003) write:errno=104 no peer certificate available
For both there is the same error in dovecot's log:
imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:14187180: SSL routines:ssl_do_config:bad value: section=system_default, cmd=Groups,
arg=X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192:
user=<>, rip=2a10:3781:5ab:1:ff51:cbd1:4d54:fb7b, lip=2a10:3781:5ab:10::aaf,
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
"Can't load SSl Certificate" means dovecot is unable to fetch the ssl certificate files. Check the ownership and permissions on files as well as the containing directory. All should be owned by dovecot or any other user that is member of dovecot user group and can read the parent directories as well as the relative directory pem files.
My advice, is to copy the letsencrypt directory to a new directory and give it ownership and apply zero trust rule on permissions reserved for dovecot, so to avoid having to share the /etc/letsencrypt/live/radicale.camelopardus.nl/ directory with more than two, offered by owner:group model via exposing to the world, hence anyone had their hands on pem files with mitm proxy capability, can intercept dovecot communications.
Zak.
On 2025-08-03 11:59, jaap--- via dovecot wrote:
I am configuring a new mailserver. Postfix works and is getting configured according to our wishes.
Dovecot is more stubborn: for some reason I'm not able to understand, it refuses to "initialize SSL server context". complaining that "Can't load SSl Certificate". I believe I have configured the same certificate (and accompanying key) for imap-login that I use for https. But dovecot does not agree. I looked at error:14187180. All I found were errors on the configuration for the Certs cq Keys which I think I am avoiding .
Two questions: Please correct me if I'm wrong. Can you clarify dovecot's error message? Jaap
Server:
- Rocky Linux 9.6 kernel 5.14.0-570.28.1
- Dovecot 2.3.21.1
- Openssl 3.2.2
- Certbot 3.1.0
Https is functioning as expected: ssl-config:
- Include /etc/letsencrypt/options-ssl-apache.conf
- SSLCertificateFile /etc/letsencrypt/live/radicale.camelopardus.nl/fullchain.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/radicale.camelopardus.nl/privkey.pem
- ssl_cert =
test from client: openssl s_client -connect radicale.camelopardus.nl:https reply: *CONNECTED(00000003)* *depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1* *verify return:1* *depth=1 C = US, O = Let's Encrypt, CN = E6* *verify return:1* *depth=0 CN = radicale.camelopardus.nl* *verify return:1*
Dovecot responds differently (for Thunderbird as well as) for openssl:
conf.d/10-ssl.conf:
- ssl_cert =
- ssl_key =
test: openssl s_client -connect radicale.camelopardus.nl:imaps reply: CONNECTED(00000003) write:errno=104 no peer certificate available
For both there is the same error in dovecot's log:
imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:14187180: SSL routines:ssl_do_config:bad value: section=system_default, cmd=Groups,
arg=X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192:
user=<>, rip=2a10:3781:5ab:1:ff51:cbd1:4d54:fb7b, lip=2a10:3781:5ab:10::aaf,
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org