SSL TLS SNI error certificate is empty
Hello,
I’ve tried implementing TLS SNI for my Postfix/Dovecot setup. I have it working in Postfix, but this example for Dovecot: https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#with... doesn’t seem to work for me.
I’m using LetsEncrypt certificates. They work without a problem with the regular ssl_cert and ssl_key settings like this:
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem
… but as soon as I put them in local_name blocks like this:
local_name datavenia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem
}
local_name verovia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem
ssl_key = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/privkey.pem
}
and restart dovecot I get the following error:
dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=213.127.63.224, lip=142.93.135.7, session=<wKjTIaLJtSXVfz/g>
I have verified that the certificate paths are correct and that the files have content. I’ve already checked permissions (chmodded 777 to debug), and checked whether the files are actually symlinks (updated the config to point to the real files), but nothing so far seems to change anything. I have also recreated my dh.pem (4096).
I’m hoping anyone has any idea where I might be going wrong.
Kind regards,
Silvan
Output of dovecot -n:
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.11.0-25-generic x86_64 Ubuntu 21.04 ext4
# Hostname: azrael00
auth_mechanisms = plain login
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
postmaster_address = postmaster@datavenia.nl
protocols = imap lmtp
service auth-worker {
user = vmail
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
mode = 0666
user = vmail
}
user = dovecot
}
service imap-login {
inet_listener imap {
port = 0
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
ssl = required
ssl_dh = # hidden, use -P to show it
userdb {
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
driver = static
}
local_name datavenia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
ssl_key = # hidden, use -P to show it
}
local_name verovia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem
ssl_key = # hidden, use -P to show it
}
On August 16, 2021 3:03:22 AM GMT+02:00, silvan@datavenia.nl wrote:
Hello,
I’ve tried implementing TLS SNI for my Postfix/Dovecot setup. I have it working in Postfix, but this example for Dovecot: https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#with... doesn’t seem to work for me.
I’m using LetsEncrypt certificates. They work without a problem with the regular ssl_cert and ssl_key settings like this:
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem
… but as soon as I put them in local_name blocks like this:
local_name datavenia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem
}
local_name verovia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem
ssl_key = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/privkey.pem
}
and restart dovecot I get the following error:
dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=213.127.63.224, lip=142.93.135.7, session=<wKjTIaLJtSXVfz/g>
You still need a default ssl_cert (and ssl_key) outside the local_name ... blocks.
This is noted in the section about different certs for different IPs just before the section about SNI
-> Note -> You will still need a top-level default ssl_key and ssl_cert as well, or you will receive errors.
That default cert is used as the fallback for clients that don't send SNI.
I have verified that the certificate paths are correct and that the files have content. I’ve already checked permissions (chmodded 777 to debug), and checked whether the files are actually symlinks (updated the config to point to the real files), but nothing so far seems to change anything. I have also recreated my dh.pem (4096).
I’m hoping anyone has any idea where I might be going wrong.
Kind regards,
Silvan
Output of dovecot -n:
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.11.0-25-generic x86_64 Ubuntu 21.04 ext4
# Hostname: azrael00
auth_mechanisms = plain login
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
postmaster_address = postmaster@datavenia.nl
protocols = imap lmtp
service auth-worker {
user = vmail
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
mode = 0666
user = vmail
}
user = dovecot
}
service imap-login {
inet_listener imap {
port = 0
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
ssl = required
ssl_dh = # hidden, use -P to show it
userdb {
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
driver = static
}
local_name datavenia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
ssl_key = # hidden, use -P to show it
}
local_name verovia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem
ssl_key = # hidden, use -P to show it
}
-- Christian Kivalo
Hey Christian,
This resolves the issue, thank you. You are also correct in that it is stated here: https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#diff... I didn't realize it was also applicable to TLS SNI, but I should have tested.
Regards, Silvan
-----Original Message----- From: dovecot <dovecot-bounces@dovecot.org> On Behalf Of Christian Kivalo Sent: Monday, 16 August 2021 19:32 To: dovecot@dovecot.org Subject: Re: SSL TLS SNI error certificate is empty
On August 16, 2021 3:03:22 AM GMT+02:00, silvan@datavenia.nl wrote:
Hello,
I’ve tried implementing TLS SNI for my Postfix/Dovecot setup. I have it working in Postfix, but this example for Dovecot: https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#with... doesn’t seem to work for me.
I’m using LetsEncrypt certificates. They work without a problem with the regular ssl_cert and ssl_key settings like this:
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem
… but as soon as I put them in local_name blocks like this:
local_name datavenia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
ssl_key = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/privkey.pem
}
local_name verovia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem
ssl_key = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/privkey.pem
}
and restart dovecot I get the following error:
dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=213.127.63.224, lip=142.93.135.7, session=<wKjTIaLJtSXVfz/g>
You still need a default ssl_cert (and ssl_key) outside the local_name ... blocks.
This is noted in the section about different certs for different IPs just before the section about SNI
-> Note -> You will still need a top-level default ssl_key and ssl_cert as well, or you will receive errors.
That default cert is used as the fallback for clients that don't send SNI.
I have verified that the certificate paths are correct and that the files have content. I’ve already checked permissions (chmodded 777 to debug), and checked whether the files are actually symlinks (updated the config to point to the real files), but nothing so far seems to change anything. I have also recreated my dh.pem (4096).
I’m hoping anyone has any idea where I might be going wrong.
Kind regards,
Silvan
Output of dovecot -n:
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.11.0-25-generic x86_64 Ubuntu 21.04 ext4
# Hostname: azrael00
auth_mechanisms = plain login
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
postmaster_address = postmaster@datavenia.nl
protocols = imap lmtp
service auth-worker {
user = vmail
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
mode = 0666
user = vmail
}
user = dovecot
}
service imap-login {
inet_listener imap {
port = 0
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
ssl = required
ssl_dh = # hidden, use -P to show it
userdb {
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
driver = static
}
local_name datavenia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/datavenia.nl/fullchain.pem
ssl_key = # hidden, use -P to show it
}
local_name verovia.nl {
ssl_cert = </docker/rancher-active-proxy/letsencrypt/live/verovia.nl/fullchain.pem
ssl_key = # hidden, use -P to show it
}
-- Christian Kivalo