On 20.08.2018 14:32, Kai Schaetzl wrote:
Aki Tuomi wrote on Sun, 19 Aug 2018 20:56:28 +0300 (EEST):
> openssl gendh 4096 > params.pem

Ok. I then misunderstood what's written at https://wiki.dovecot.org/SSL/DovecotConfiguration
I thought I need to create dh.pem in two steps:
- openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
- dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
That's what I did on the first installation. ssl-parameters.dat already existed and I just used the second command to transform it. Now I thought I must have generated ssl-parameters.dat with the first command back then. But apparently I haven't.
Now I was trying to do steps 1 and 2, and that fails because the generated ssl-parameters.dat is apparently not in the format expected.
Basically openssl dhparam 4096 > /etc/dovecot/dh.pem would do the trick? I misread that from the wiki.
Yes. ssl-parameters.dat is a file which contains the generated parameters, and the dd trick is just to save some time: it basically extracts the DER formatted parameters from there and converts them into PEM. The ssl-parameters.dat file is not used by Dovecot in any way after 2.3.0.
Aki
Before reading your reply I checked https://www.openssl.org/docs/man1.0.2/apps/dhparam.html and tried this command: openssl dhparam -outform DER -out /etc/dovecot/dh-new.pem -2 4096 (after reading Alexander's reply). It just finished, and dovecot seems to be working with it, although it's got no DH header line. At least dovecot doesn't complain when starting up. Anyway, I'll now reuse the dh.pem from no. 1 on the other machines.
Thanks for the help!
Kai
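The thread turns on two encodings of the same thing: `openssl dhparam 4096 > dh.pem` writes PEM (with the `-----BEGIN DH PARAMETERS-----` header), while `openssl dhparam -outform DER -out dh-new.pem` writes DER regardless of the `.pem` file name, and the wiki's `dd ... skip=88` trick only makes sense on an old ssl-parameters.dat, not on a file that is already PEM. The script below is an added example, not code from Dovecot or from any poster in the thread. It classifies a file as PEM or DER by its first bytes, normalizes it to PEM and runs `openssl dhparam -check` on the result. It assumes a POSIX sh with od(1) and mktemp(1); openssl(1) is only needed for conversion and checking. The 88-byte offset in `dh_from_ssl_parameters_dat` is taken from the thread's command and is not verified here; the sample files the demo writes are constructed placeholders, not valid DH parameters.

```shell
#!/bin/sh
# Added example (not Dovecot code): identify and normalize a DH-parameter file.
# Assumes POSIX sh, od(1), mktemp(1); openssl(1) for conversion/check only.

# dh_format FILE: prints "pem", "der" or "unknown"; always exits 0.
dh_format() {
    f=$1
    if [ ! -s "$f" ]; then
        echo unknown
        return 0
    fi
    # PEM output of "openssl dhparam" starts with this textual header.
    if head -n 1 "$f" | grep -q '^-----BEGIN DH PARAMETERS-----'; then
        echo pem
        return 0
    fi
    # DER DH parameters are an ASN.1 SEQUENCE, so the first byte is 0x30.
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n\t')
    if [ "$first" = "30" ]; then
        echo der
        return 0
    fi
    echo unknown
}

# dh_to_pem SRC DST: write SRC as PEM to DST, whichever encoding SRC uses,
# then validate p and g. Non-zero exit if SRC is not DH parameters.
dh_to_pem() {
    src=$1
    dst=$2
    case $(dh_format "$src") in
        pem) cp "$src" "$dst" ;;
        der) openssl dhparam -inform DER -in "$src" -out "$dst" || return 1 ;;
        *)   echo "$src: not PEM or DER DH parameters" >&2; return 1 ;;
    esac
    # -check rejects malformed parameters; -noout suppresses re-printing them.
    openssl dhparam -in "$dst" -check -noout >/dev/null 2>&1
}

# dh_from_ssl_parameters_dat DAT DST: the wiki's dd trick from the thread for a
# pre-2.3 ssl-parameters.dat. Refuses to run on a file that is already PEM/DER,
# which is exactly the case where the trick fails. Offset 88 is the thread's value.
dh_from_ssl_parameters_dat() {
    if [ "$(dh_format "$1")" != unknown ]; then
        echo "$1: already DH parameters, use dh_to_pem instead" >&2
        return 1
    fi
    dd if="$1" bs=1 skip=88 2>/dev/null | openssl dhparam -inform DER -out "$2"
}

# Usage: sh dhcheck.sh [FILE [OUT.pem]]
# Without arguments, run on constructed sample files so the demo works offline.
if [ $# -gt 0 ]; then
    echo "$1: $(dh_format "$1")"
    if [ $# -gt 1 ]; then
        dh_to_pem "$1" "$2" && echo "wrote $2"
    fi
else
    d=$(mktemp -d)
    # Constructed placeholders: a PEM header with a dummy body, a bare DER SEQUENCE
    # header, and plain text. None of these are real DH parameters.
    printf -- '-----BEGIN DH PARAMETERS-----\nAAAA\n-----END DH PARAMETERS-----\n' > "$d/sample.pem"
    printf '\060\202\002\010\002\202\001\001' > "$d/sample.der"
    printf 'not a key\n' > "$d/sample.txt"
    for f in sample.pem sample.der sample.txt; do
        echo "$f: $(dh_format "$d/$f")"
    done
    rm -rf "$d"
fi
```

Run it as `sh dhcheck.sh /etc/dovecot/dh-new.pem` to see that a file written with `-outform DER` reports `der` despite its name, and `sh dhcheck.sh /etc/dovecot/dh-new.pem /etc/dovecot/dh.pem` to get a PEM copy that passes `openssl dhparam -check`. The classification step also explains the failure in step 2 of the thread: a file produced by `openssl dhparam 4096 >` is already PEM, so skipping 88 bytes and parsing the remainder as DER cannot work.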