Alexander good afternoon. Thank you. I have spent the day learning about AppArmor:

• I've reviewed your link, found /etc/apparmor.d/ and its local/ directory.

• I ran aa-logprof and it found the change in stat to old-stat that is discussed in the upgrade documentation. So I Allow (A) that. There are no other reports.

• I followed the discussion on using yast to manage the profiles. I'm on ssh to the server so do not have the GUI yast, only the ncurses version and it does not contain editing, only adding, profiles.

I tried creating a profile for imap-login with that method and scanned for any issues, there were none reported, but still cannot log in.

• I followed the local/README to explicitly add

	/etc/certbot/live/privustech.com/* r,

to /etc/apparmor.d/local/usr.lib.dovecot.imap-login but still cannot login with either the mail client or with explicit openssl: it complains

error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:

I check yast2 sw_single for the dovecot installation. Indeed the module dovecot23-xxx where xxx is anything that looks like "clnt" (client?) does not exist. Is there a missing module in my installation? It lists only

dovecot

dovecot23

dovecot23-backend-mysql

dovecot23-backend-pgsql

dovecot23-backend-sqlite

dovecot23-fts

dovecot23-fts-squat

I'll pursue this further.

Thank you again.

Kind regards, Andy

On Fri, 2018-12-14 at 23:44 +0100, Alexander Dalloz wrote:

Am 14.12.2018 um 19:58 schrieb C. Andrews Lavarre:

Thanks for the input. I've checked out your suggestions (details below)
but unfortunately no joy.
I also restored my backup 10-ssl.conf. It indeed has the "<" sign with
a space before the explicit paths to the files:
     ssl_cert = </etc/certbot/live/privustech.com/fullchain.pem
     ssl_key = </etc/certbot/live/privustech.com/privkey.pem


Hi,

the syntax you see in the documentation is mandatory. Your issue is 
really a permissions problem.

Check your AppArmor setup. The path you use for storing the chained 
certificate and the private key is certainly not known to AppArmor. See 
your /var/log/audit/audit.log for indications.

https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.apparmor.managing.html

may help.

Btw. permissions setting to 0777, especially for the cert and key, is 
awful, even for debugging issues.

Alexander