I am configuring a new mailserver. Postfix works and is getting configured according to our wishes.
Dovecot is more stubborn: for some reason I'm not able to understand, it refuses to "initialize SSL server context", complaining that "Can't load SSL Certificate". I believe I have configured the same certificate (and accompanying key) for imap-login that I use for https. But Dovecot does not agree. I looked at error:14187180. All I found were errors in the configuration of the certs or keys, which I think I am avoiding.
Two questions: Please correct me if I'm wrong. Can you clarify Dovecot's error message?

Jaap

Server:
- Rocky Linux 9.6 kernel 5.14.0-570.28.1
- Dovecot 2.3.21.1
- Openssl 3.2.2
- Certbot 3.1.0
Https is functioning as expected: ssl-config:
- Include /etc/letsencrypt/options-ssl-apache.conf
- SSLCertificateFile /etc/letsencrypt/live/radicale.camelopardus.nl/fullchain.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/radicale.camelopardus.nl/privkey.pem
- ssl_cert = </etc/letsencrypt/live/iris.camelopardus.nl/fullchain.pem
test from client: openssl s_client -connect radicale.camelopardus.nl:https
reply:
- CONNECTED(00000003)
- depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
- verify return:1
- depth=1 C = US, O = Let's Encrypt, CN = E6
- verify return:1
- depth=0 CN = radicale.camelopardus.nl
- verify return:1
Dovecot responds differently (for Thunderbird as well as for openssl):
conf.d/10-ssl.conf:
- ssl_cert = </etc/letsencrypt/live/radicale.camelopardus.nl/fullchain.pem
- ssl_key = </etc/letsencrypt/live/radicale.camelopardus.nl/privkey.pem
test: openssl s_client -connect radicale.camelopardus.nl:imaps
reply:
- CONNECTED(00000003)
- write:errno=104
- no peer certificate available
For both there is the same error in dovecot's log:
imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:14187180: SSL routines:ssl_do_config:bad value: section=system_default, cmd=Groups, arg=X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192: user=<>, rip=2a10:3781:5ab:1:ff51:cbd1:4d54:fb7b, lip=2a10:3781:5ab:10::aaf,