Alexander good afternoon. Thank you.

I have spent the day learning about AppArmor:

• I've reviewed your link, found /etc/apparmor.d/ and its local/ directory.
• I ran aa-logprof and it found the change in stat to old-stat that is discussed in the upgrade documentation. So I Allow (A) that. There are no other reports.
• I followed the discussion on using yast to manage the profiles. I'm on ssh to the server so do not have the GUI yast, only the ncurses version and it does not contain editing, only adding, profiles. I tried creating a profile for imap-login with that method and scanned for any issues, there were none reported, but still cannot log in.
• I followed the local/README to explicitly add

    /etc/certbot/live/privustech.com/* r,

  to /etc/apparmor.d/local/usr.lib.dovecot.imap-login but still cannot login with either the mail client or with explicit openssl: it complains

    error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:

I check yast2 sw_single for the dovecot installation. Indeed the module dovecot23-xxx where xxx is anything that looks like "clnt" (client?) does not exist. Is there a missing module in my installation? It lists only

    dovecot
    dovecot23
    dovecot23-backend-mysql
    dovecot23-backend-pgsql
    dovecot23-backend-sqlite
    dovecot23-fts
    dovecot23-fts-squat

I'll pursue this further. Thank you again.

Kind regards,
Andy

On Fri, 2018-12-14 at 23:44 +0100, Alexander Dalloz wrote:
On 14.12.2018 at 19:58, C. Andrews Lavarre wrote:
Thanks for the input. I've checked out your suggestions (details below) but unfortunately no joy. I also restored my backup 10-ssl.conf. It indeed has the "<" sign with a space before the explicit paths to the files:

    ssl_cert = </etc/certbot/live/privustech.com/fullchain.pem
    ssl_key = </etc/certbot/live/privustech.com/privkey.pem

Hi,
the syntax you see in the documentation is mandatory. Your issue is really a permissions problem.
Check your AppArmor setup. The path you use for storing the chained certificate and the private key is certainly not known to AppArmor. See your /var/log/audit/audit.log for indications.
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.apparmor.managing.html
may help.
Btw. permissions setting to 0777, especially for the cert and key, is awful, even for debugging issues.
Alexander
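
The audit.log check suggested in this thread can be scripted. The following is an added example, not code from either poster: it pulls AppArmor DENIED records out of audit log text, groups them by the profile that issued the denial, and prints the rule lines for the matching local/ override file. The log lines are constructed samples, and the profile-to-filename mapping is an assumed convention based on the usr.lib.dovecot.imap-login file named above.

```python
import re
from collections import defaultdict

# Constructed sample records in the audit.log AVC format; not taken from the thread.
SAMPLE_LOG = '''\
type=AVC msg=audit(1544813880.101:411): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/imap-login" name="/etc/certbot/live/privustech.com/fullchain.pem" pid=2101 comm="imap-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1544813880.102:412): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/imap-login" name="/etc/certbot/live/privustech.com/privkey.pem" pid=2101 comm="imap-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1544813881.007:413): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot" name="/etc/dovecot/dovecot.conf" pid=2099 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=USER_LOGIN msg=audit(1544813890.500:414): pid=2200 uid=0 msg='op=login acct="andy" res=success'
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs inside one record


def denials(log_text):
    """Return {profile: {(path, denied_mask), ...}} for every DENIED file record."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        # Skip non-AppArmor records, complain-mode ALLOWED records, and
        # denials that carry no file path (e.g. capability denials).
        if fields.get("apparmor") != "DENIED" or "name" not in fields:
            continue
        found[fields["profile"]].add((fields["name"], fields["denied_mask"]))
    return dict(found)


def local_override_path(profile):
    """Assumed convention: /usr/lib/x/y -> /etc/apparmor.d/local/usr.lib.x.y"""
    return "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")


def suggested_rules(log_text):
    """Map each local override file to the sorted rules covering its denials."""
    return {
        local_override_path(profile): sorted(f"{path} {mask}," for path, mask in hits)
        for profile, hits in denials(log_text).items()
    }


if __name__ == "__main__":
    for override, rules in suggested_rules(SAMPLE_LOG).items():
        print(f"# {override}")
        for rule in rules:
            print(rule)
```

If live/ holds symlinks, as a default certbot layout does, the denial records name the resolved target path, and that is the path the rule has to cover. After editing a local/ file, reload the profile with apparmor_parser -r for the rules to take effect.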