[Dovecot] New SSL certificate problem
Our DC has been using a Verisign certificate. Over the past year, we've been using a Digicert Wildcard Plus certificate for almost all of our machines, and I wanted to switched over our DC mailserver.
I used the following command to generate the CSR and key:
openssl req -new -newkey rsa:1024 -nodes -out star_bard_edu.csr -keyout star_bard_edu.key -subj "/C=US/ST=NY/L=ourtown/O=Bard College IT/OU=Bard College /CN=*.bard.edu"
The resultant CSR verified and I submitted it to digicert and got back our cert, plus their intermediate and Trusted root certs. I killed the root instance of dovecot and waited for all the children to die I put together the intermediate cert (first) and our cert (second) into /usr/ssl/certs/dovecot.pem I put the key star_bard_edu.key in /var/ssl/private/dovecot.pem
I restarted dovecot, but the imap login instances didn't appear, so I shifted back to the original combined cert file and key, restarted dovecot and it came up OK
I check the syslog and saw these error messages:
Jan 5 10:19:49 mercury mail:err|error dovecot: imap-login: Can't load private k ey file /var/ssl/private/dovecot.pem: error:0B080074:x509 certificate routines:X 509_check_private_key:key values mismatch Jan 5 10:19:49 mercury mail:err|error last message repeated 8 times Jan 5 10:19:49 mercury mail:err|error dovecot: child 4051108 (login) returned e rror 89 Jan 5 10:19:49 mercury mail:err|error dovecot: child 4231382 (login) returned e rror 89
I checked my key and it has the same time stamp as my CSR, so I didn't somehow get the wrong key. Both the old and new key are 600; if the old one works based on perms, the new one should too.
Would some kind soul tell me what I'm missing? Or is there a problem using wild card certificate with DC? Is there an openssl command to verify the key. Or is it that the key is unencrypted?
-- ==== Once upon a time, the Internet was a friendly, neighbors-helping-neighbors small town, and no one locked their doors. Now it's like an apartment in Bed-Stuy: you need three heavy duty pick-proof locks, one of those braces that goes from the lock to the floor, and bars on the windows.... ==== Stewart Dean, Unix System Admin, Bard College, New York 12504 sdean@bard.edu voice: 845-758-7475, fax: 845-758-7035
Although I was told by Digicert that the order of chained certs in /var/ssl/certs/dovecot.pem should make no difference, after I put our public cert first, followed by Digicert's intermediate cert, dovecot started up fine. Of course, there were so many things I looked into, it might have been something else I touched......
Stewart Dean wrote:
Our DC has been using a Verisign certificate. Over the past year, we've been using a Digicert Wildcard Plus certificate for almost all of our machines, and I wanted to switched over our DC mailserver.
I used the following command to generate the CSR and key:
openssl req -new -newkey rsa:1024 -nodes -out star_bard_edu.csr -keyout star_bard_edu.key -subj "/C=US/ST=NY/L=ourtown/O=Bard College IT/OU=Bard College /CN=*.bard.edu"
The resultant CSR verified and I submitted it to digicert and got back our cert, plus their intermediate and Trusted root certs. I killed the root instance of dovecot and waited for all the children to die I put together the intermediate cert (first) and our cert (second) into /usr/ssl/certs/dovecot.pem I put the key star_bard_edu.key in /var/ssl/private/dovecot.pem
I restarted dovecot, but the imap login instances didn't appear, so I shifted back to the original combined cert file and key, restarted dovecot and it came up OK
I check the syslog and saw these error messages:
Jan 5 10:19:49 mercury mail:err|error dovecot: imap-login: Can't load private k ey file /var/ssl/private/dovecot.pem: error:0B080074:x509 certificate routines:X 509_check_private_key:key values mismatch Jan 5 10:19:49 mercury mail:err|error last message repeated 8 times Jan 5 10:19:49 mercury mail:err|error dovecot: child 4051108 (login) returned e rror 89 Jan 5 10:19:49 mercury mail:err|error dovecot: child 4231382 (login) returned e rror 89
I checked my key and it has the same time stamp as my CSR, so I didn't somehow get the wrong key. Both the old and new key are 600; if the old one works based on perms, the new one should too.
Would some kind soul tell me what I'm missing? Or is there a problem using wild card certificate with DC? Is there an openssl command to verify the key. Or is it that the key is unencrypted?
-- ==== Once upon a time, the Internet was a friendly, neighbors-helping-neighbors small town, and no one locked their doors. Now it's like an apartment in Bed-Stuy: you need three heavy duty pick-proof locks, one of those braces that goes from the lock to the floor, and bars on the windows.... ==== Stewart Dean, Unix System Admin, Bard College, New York 12504 sdean@bard.edu voice: 845-758-7475, fax: 845-758-7035
On Jan 5, 2009, at 2:50 PM, Stewart Dean wrote:
Although I was told by Digicert that the order of chained certs in / var/ssl/certs/dovecot.pem should make no difference, after I put our
public cert first, followed by Digicert's intermediate cert, dovecot
started up fine. Of course, there were so many things I looked
into, it might have been something else I touched......
Stewart,
I posted this answer last week in another thread(12/29/2008 Subject
SSL cert problems.). Yes order seems to be important. I found this
answer in the Openssl book on page 120.
-Jonathan
Stewart Dean wrote:
Our DC has been using a Verisign certificate. Over the past year,
we've been using a Digicert Wildcard Plus certificate for almost
all of our machines, and I wanted to switched over our DC mailserver.I used the following command to generate the CSR and key:
openssl req -new -newkey rsa:1024 -nodes -out star_bard_edu.csr - keyout star_bard_edu.key -subj "/C=US/ST=NY/L=ourtown/O=Bard
College IT/OU=Bard College /CN=*.bard.edu"The resultant CSR verified and I submitted it to digicert and got
back our cert, plus their intermediate and Trusted root certs. I killed the root instance of dovecot and waited for all the
children to die I put together the intermediate cert (first) and our cert (second)
into /usr/ssl/certs/dovecot.pem I put the key star_bard_edu.key in /var/ssl/private/dovecot.pemI restarted dovecot, but the imap login instances didn't appear, so
I shifted back to the original combined cert file and key,
restarted dovecot and it came up OKI check the syslog and saw these error messages:
Jan 5 10:19:49 mercury mail:err|error dovecot: imap-login: Can't
load private k ey file /var/ssl/private/dovecot.pem: error:0B080074:x509
certificate routines:X 509_check_private_key:key values mismatch Jan 5 10:19:49 mercury mail:err|error last message repeated 8 times Jan 5 10:19:49 mercury mail:err|error dovecot: child 4051108
(login) returned e rror 89 Jan 5 10:19:49 mercury mail:err|error dovecot: child 4231382
(login) returned e rror 89I checked my key and it has the same time stamp as my CSR, so I
didn't somehow get the wrong key. Both the old and new key are
600; if the old one works based on perms, the new one should too.Would some kind soul tell me what I'm missing? Or is there a
problem using wild card certificate with DC? Is there an openssl
command to verify the key. Or is it that the key is unencrypted?-- ==== Once upon a time, the Internet was a friendly, neighbors- helping-neighbors small town, and no one locked their doors. Now
it's like an apartment in Bed-Stuy: you need three heavy duty pick- proof locks, one of those braces that goes from the lock to the
floor, and bars on the windows.... ==== Stewart Dean, Unix System
Admin, Bard College, New York 12504 sdean@bard.edu voice:
845-758-7475, fax: 845-758-7035
participants (2)
-
Jonathan Siegle
-
Stewart Dean