Alexander, good afternoon. Thank you. I have spent the day learning about AppArmor:

• I've reviewed your link, found /etc/apparmor.d/ and its local/ directory.

• I ran aa-logprof and it found the change in stat to old-stat that is discussed in the upgrade documentation. So I Allow (A) that. There are no other reports.

• I followed the discussion on using yast to manage the profiles. I'm on ssh to the server so do not have the GUI yast, only the ncurses version and it does not contain editing, only adding, profiles.
I tried creating a profile for imap-login with that method and scanned for any issues, there were none reported, but still cannot log in.

• I followed the local/README to explicitly add
	/etc/certbot/live/privustech.com/* r,

to /etc/apparmor.d/local/usr.lib.dovecot.imap-login but still cannot log in with either the mail client or with explicit openssl: it complains

	error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:

I checked yast2 sw_single for the dovecot installation. Indeed the module dovecot23-xxx where xxx is anything that looks like "clnt" (client?) does not exist. Is there a missing module in my installation? It lists only
dovecot
dovecot23
dovecot23-backend-mysql
dovecot23-backend-pgsql
dovecot23-backend-sqlite
dovecot23-fts
dovecot23-fts-squat

I'll pursue this further.

Thank you again.

Kind regards, Andy

On Fri, 2018-12-14 at 23:44 +0100, Alexander Dalloz wrote:
> On 14.12.2018 at 19:58, C. Andrews Lavarre wrote:
> > Thanks for the input. I've checked out your suggestions (details below) but unfortunately no joy. I also restored my backup 10-ssl.conf. It indeed has the "<" sign with a space before the explicit paths to the files:
> >     ssl_cert = </etc/certbot/live/privustech.com/fullchain.pem
> >     ssl_key = </etc/certbot/live/privustech.com/privkey.pem
>
> Hi,
>
> the syntax you see in the documentation is mandatory.
>
> Your issue is really a permissions problem. Check your AppArmor setup. The path you use for storing the chained certificate and the private key is certainly not known to AppArmor. See your /var/log/audit/audit.log for indications.
>
> https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.apparmor.managing.html may help.
>
> Btw. permissions setting to 0777, especially for the cert and key, is awful, even for debugging issues.
>
> Alexander
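The audit.log check suggested in the reply, as an added example that is not part of the original thread: it reads AppArmor DENIED records and turns them into candidate rule lines, grouped by the local/ file of the profile that was actually denied. The log lines, the profile names in them, and the function names are constructed for illustration; the local/ file naming follows the usr.lib.dovecot.imap-login pattern seen in the thread.

```python
import re
from collections import defaultdict

# Constructed sample records in the usual AppArmor audit format (not from the thread).
# certbot's live/ entries are symlinks; AppArmor logs the resolved target path.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1544824700.000:300): pid=1999 uid=0 res=success
type=AVC msg=audit(1544824801.101:311): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/imap-login" name="/etc/certbot/archive/privustech.com/fullchain1.pem" pid=2101 comm="imap-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1544824802.202:312): apparmor="DENIED" operation="open" profile="/usr/sbin/dovecot" name="/etc/certbot/archive/privustech.com/privkey1.pem" pid=2090 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1544824803.303:313): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot" name="/etc/dovecot/dovecot.conf" pid=2090 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1544824860.404:320): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/imap-login" name="/etc/certbot/archive/privustech.com/fullchain1.pem" pid=2150 comm="imap-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs, where the value is either "quoted" or a bare token
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(log_text):
    """Return {profile: {path: set of denied permission letters}}."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = {k: q or u for k, q, u in FIELD.findall(line)}
        # Keep only AppArmor denials that name a file and a profile
        if fields.get("apparmor") != "DENIED":
            continue
        if "name" not in fields or "profile" not in fields:
            continue
        mask = fields.get("denied_mask", "")
        denials[fields["profile"]][fields["name"]].update(mask)
    return denials

def suggest_rules(denials):
    """Map each profile's local/ include file to sorted candidate rule lines."""
    suggestions = {}
    for profile, paths in denials.items():
        # /usr/lib/dovecot/imap-login -> local/usr.lib.dovecot.imap-login
        local = "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")
        suggestions[local] = sorted(
            f"{path} {''.join(sorted(mask))}," for path, mask in paths.items())
    return suggestions

if __name__ == "__main__":
    for local_file, rules in suggest_rules(parse_denials(SAMPLE_LOG)).items():
        print(local_file)
        for rule in rules:
            print("   ", rule)
```

The rule paths come from the `name=` field, which is the path the kernel resolved, so they can differ from the path written in 10-ssl.conf when symlinks are involved; the `profile=` field shows which local/ file the rule belongs in.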