Hello,
my private key is 4096 bit.
I added also ca_file = /etc/pki/tls/certs/cacert.pem, but it did not help either.
Marek
On Thursday, 20 November 2025, 16:27, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Hi!
Your private key must be large enough.
Aki
On 20/11/2025 17:07 EET Marek Greško via dovecot <dovecot@dovecot.org> wrote:
I tried even with root ca and the same result.
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 16:04, Marek Greško <marek.gresko@protonmail.com> wrote:
Including root CA?
Marek
Sent with Proton Mail secure email.
On Thursday, 20 November 2025, 15:51, Marc Marc@f1-outsourcing.eu wrote:
You have to put full chain in the cert
I forgot to mention the certificate is signed by my private root certification authority. Could this be related? Should the authority certificate be configured somewhere in dovecot?
Thanks
Marek
On Thursday, 20 November 2025, 15:42, Marek Greško marek.gresko@protonmail.com wrote:
Hello,
after upgrading from Fedora 42 to Fedora 43, dovecot got upgraded to version 2.4.
I tweaked the configuration and dovecot starts, but when a client is trying to connect to imap, I get:
imap-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't load SSL certificate (ssl_server_cert_file setting): error:0A00018F:SSL routines ::ee key too small:
I tried replacing 2048-bit RSA with 4096-bit RSA, I tried not using the dh.pem file (I read somewhere it is not needed any more), and I deleted the /var/lib/dovecot/ssl-parameters.dat file, but still the same error.
Where should I look next?
My ssl config:
ssl = required
#ssl_server_dh_file = /etc/dovecot/dh.pem
ssl_server {
  #ssl_server_dh_file = /etc/dovecot/dh.pem
  ssl_server_cert_file = /somewhere/dovecot.pem
  ssl_server_key_file = /somewhere/dovecot.pem
  prefer_ciphers = server
}
ssl_min_protocol = TLSv1.2
ssl_cipher_list = PROFILE=SYSTEM
#ssl_verify_client_cert = no
#ssl_prefer_server_ciphers = no
Thanks
Marek
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
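
The "ee key too small" text in the error quoted in the first message is OpenSSL's complaint about the public key inside the end-entity (server) certificate, measured against the active security level. The following is an added example, not part of the thread or of Dovecot: a standard-library Python script that reports the RSA key size of every certificate in a PEM file such as the one named by ssl_server_cert_file. It assumes the first certificate in the file is the server's own; chain_report, sample_pem and the 2048-bit default threshold are names and values chosen for this example, and the sample input is constructed.

```python
import base64, re
RSA_OID = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1, rsaEncryption

def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def cert_rsa_bits(der):
    """RSA modulus size in bits of one DER certificate, or None for a non-RSA key."""
    tbs = [f for f in children(children(read_tlv(der, 0)[1])[0][1]) if f[0] != 0xA0]  # drop [0] version
    alg, key = children(tbs[5][1])                # SPKI follows serial, sigAlg, issuer, validity, subject
    if children(alg[1])[0][1] != RSA_OID:
        return None
    rsa_key = children(key[1][1:])[0][1]          # BIT STRING body minus its unused-bits byte
    return int.from_bytes(children(rsa_key)[0][1], "big").bit_length()

def chain_report(pem_text, min_bits=2048):
    """(index, bits, meets_min_bits) per certificate in file order; min_bits is an assumed threshold."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    sizes = [cert_rsa_bits(base64.b64decode(b)) for b in blocks]
    return [(i, bits, None if bits is None else bits >= min_bits) for i, bits in enumerate(sizes)]

def tlv(tag, body):                               # DER encoder, used only to build the constructed sample
    n, width = len(body), (len(body).bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + size + body

def sample_pem(bits):
    """Constructed, unsigned certificate skeleton (not a valid certificate) holding an RSA key."""
    rsa = tlv(0x30, tlv(0x02, b"\x00" + (1 << bits - 1).to_bytes(bits // 8, "big")) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + spki)
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(chain_report(sample_pem(1024) + sample_pem(4096)))  # constructed: small leaf, large CA
```

To check a real file, pass its contents to chain_report in place of the constructed sample; index 0 is the certificate whose key size the error refers to, regardless of how large the CA keys later in the file are.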