ssl_key_password loaded from file: 'Couldn't parse private ssl_key'
As this is my first message to this ML: Hello!
I am using a password-protected SSL key for my dovecot MDA. When I tried to use the ssl_key_password configuration directive as follows:
ssl_key_password = </path/to/passfile
it did not work, as I logged the following:
dovecot: imap-login: Error: SSL: Stacked error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906A065:PEM routines:PEM_do_header:bad decrypt
However, not using the file inclusion but directly configuring as follows: ssl_key_password = mypass did work...
I am loading my certificate & key with the file inclusion trick... How come I cannot use that for the password file? It would avoid inputting the password directly into the dovecot configuration files, forcing me to change permissions and duplicating it... When renewing the private key I will be forced to edit the password at every location.
Is it a bug or a feature? :D
*B. R.*
Hi,
On 2015-09-20 15:35, B. R. wrote:
As this is my first message to this ML: Hello!
I am using a password-protected SSL key for my dovecot MDA. When I tried to use the ssl_key_password configuration directive as follows:
ssl_key_password = </path/to/passfile
it did not work, as I logged the following:
dovecot: imap-login: Error: SSL: Stacked error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906A065:PEM routines:PEM_do_header:bad decrypt
However, not using the file inclusion but directly configuring as follows: ssl_key_password = mypass did work...
I don't know for sure, but maybe it's not implemented to load the password from a file...
Reading http://wiki2.dovecot.org/SSL/DovecotConfiguration suggests to use an extra config file with tightened permissions that only contains the "ssl_key_password = $password" configuration directive and include this file with "!include_try $file".
That way you could swap that file out automatically when renewing the private key.
I am loading my certificate & key with the file inclusion trick... How come I cannot use that for the password file? It would avoid inputting the password directly into the dovecot configuration files, forcing me to change permissions and duplicating it... When renewing the private key I will be forced to edit the password at every location.
Is it a bug or a feature? :D
*B. R.*
Regards christian
Hello,
Thanks for your answer.
I read this Wiki tip, but it does not fit, as I serve emails for several domains, each using its own (potentially enciphered) private key. I thus need to use the directive as part of a local_name block.
I tried to create 2 blocks in 2 different files automatically loaded from conf.d:

### private.conf ### <-- prevented read permission for other than root:root
local_name mydomain {
  ssl_key_password = mypass
}

### 10-ssl.conf ###
local_name mydomain {
  ssl_cert = <mycert
  ssl_key = <mykey
}

But that failed with 'Couldn't open include file /etc/dovecot/conf.d/private.conf: Permission denied'. Restricting rights directly on 10-ssl.conf failed with a similar error: 'Couldn't open include file /etc/dovecot/conf.d/10-ssl.conf: Permission denied'
So far, I have not found a reliable way of using enciphered private keys with dovecot...
*B. R.*
On Sun, Sep 20, 2015 at 4:00 PM, Christian Kivalo <ml+dovecot@valo.at> wrote:
Hi,
On 2015-09-20 15:35, B. R. wrote:
As this is my first message to this ML: Hello!
I am using a password-protected SSL key for my dovecot MDA. When I tried to use the ssl_key_password configuration directive as follows:
ssl_key_password = </path/to/passfile
it did not work, as I logged the following:
dovecot: imap-login: Error: SSL: Stacked error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906A065:PEM routines:PEM_do_header:bad decrypt
However, not using the file inclusion but directly configuring as follows: ssl_key_password = mypass did work...
I don't know for sure, but maybe it's not implemented to load the password from a file...
Reading http://wiki2.dovecot.org/SSL/DovecotConfiguration suggests to use an extra config file with tightened permissions that only contains the "ssl_key_password = $password" configuration directive and include this file with "!include_try $file".
That way you could swap that file out automatically when renewing the private key.
I am loading my certificate & key with the file inclusion trick... How come I cannot use that for the password file? It would avoid inputting the password directly into the dovecot configuration files, forcing me to change permissions and duplicating it... When renewing the private key I will be forced to edit the password at every location.
Is it a bug or a feature? :D
*B. R.*
Regards christian
On 09/21/2015 12:11 PM, B. R. wrote:
Hello,
Thanks for your answer.
I read this Wiki tip, but it does not fit, as I serve emails for several domains, each using its own (potentially enciphered) private key. I thus need to use the directive as part of a local_name block.
I tried to create 2 blocks in 2 different files automatically loaded from conf.d:

### private.conf ### <-- prevented read permission for other than root:root
local_name mydomain {
  ssl_key_password = mypass
}

### 10-ssl.conf ###
local_name mydomain {
  ssl_cert = <mycert
  ssl_key = <mykey
}

Maybe try:

private.conf
local_name mydomain {
  ssl_key_password = password
  ssl_cert = </path/to/cert
  ssl_key = </path/to/key
}

I don't know if it will work or not, but it looks good.

But that failed with 'Couldn't open include file /etc/dovecot/conf.d/private.conf: Permission denied'. Restricting rights directly on 10-ssl.conf failed with a similar error: 'Couldn't open include file /etc/dovecot/conf.d/10-ssl.conf: Permission denied'
So far, I have not found a reliable way of using enciphered private keys with dovecot...
*B. R.*
On Sun, Sep 20, 2015 at 4:00 PM, Christian Kivalo <ml+dovecot@valo.at> wrote:
Hi,
On 2015-09-20 15:35, B. R. wrote:
As this is my first message to this ML: Hello!
I am using a password-protected SSL key for my dovecot MDA. When I tried to use the ssl_key_password configuration directive as follows:
ssl_key_password = </path/to/passfile
it did not work, as I logged the following:
dovecot: imap-login: Error: SSL: Stacked error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906A065:PEM routines:PEM_do_header:bad decrypt
However, not using the file inclusion but directly configuring as follows: ssl_key_password = mypass did work...
I don't know for sure, but maybe it's not implemented to load the password from a file...
Reading http://wiki2.dovecot.org/SSL/DovecotConfiguration suggests to use an extra config file with tightened permissions that only contains the "ssl_key_password = $password" configuration directive and include this file with "!include_try $file".
That way you could swap that file out automatically when renewing the private key.
I am loading my certificate & key with the file inclusion trick... How come I cannot use that for the password file? It would avoid inputting the password directly into the dovecot configuration files, forcing me to change permissions and duplicating it... When renewing the private key I will be forced to edit the password at every location.
Is it a bug or a feature? :D
*B. R.*
Regards christian
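The three config constructs the thread turns on are "key = <file" (the value is read from a file), "!include" (a file that cannot be opened is fatal, which is the 'Couldn't open include file ...: Permission denied' B. R. hit when the root-only file sat in conf.d) and "!include_try" (a missing or unreadable file is skipped), with the per-domain secret kept in its own local_name block as Christian and Edgar suggest. The toy parser below models that behaviour so the layout can be checked without a running daemon. It is an added illustration, not Dovecot's own parser: it handles only these constructs, and the strip_newline switch is an assumption, included because a passphrase read from a file with its trailing newline kept is a different byte string from the one typed inline, which is the first thing to compare when the inline form decrypts the key and the file form does not.

```python
"""Toy model of the config constructs discussed in this thread:
  key = <file      value read from a file
  !include file    hard failure when the file cannot be opened
  !include_try f   absent or unreadable file is skipped silently
Added illustration; not Dovecot's parser, and it ignores most real syntax."""
import tempfile
from pathlib import Path


class ConfigError(Exception):
    """Stands in for Dovecot's fatal 'Couldn't open include file ...' error."""


def read_value_file(path, strip_newline=True):
    """'<path' inclusion: the setting's value becomes the file content.
    strip_newline is a toy switch (assumption): whether the trailing newline
    most editors append is dropped. With it kept, the passphrase handed to
    the TLS library is "mypass\\n", not "mypass"."""
    text = Path(path).read_text()
    if strip_newline and text.endswith("\n"):
        text = text[:-1]
    return text


def parse_config(path, settings=None, scope="", strip_newline=True):
    """Parse a minimal Dovecot-style file into a flat dict.
    Settings inside 'local_name X { ... }' are keyed 'local_name/X/<name>',
    so each domain keeps its own ssl_key_password, as the thread needs."""
    path = Path(path)
    settings = {} if settings is None else settings
    stack = [scope]
    with path.open() as fh:           # OSError here is what !include_try swallows
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith("!include"):
                directive, pattern = line.split(None, 1)
                targets = sorted(path.parent.glob(pattern)) or [path.parent / pattern]
                for inc in targets:
                    try:
                        parse_config(inc, settings, stack[-1], strip_newline)
                    except OSError as exc:
                        if directive == "!include":
                            raise ConfigError(
                                f"Couldn't open include file {inc}: {exc.strerror}") from exc
                        # !include_try: missing or permission-denied file, skipped
            elif line.endswith("{"):
                kind, name = line[:-1].split()
                stack.append(f"{stack[-1]}{kind}/{name}/")
            elif line == "}":
                stack.pop()
            else:
                key, _, value = line.partition("=")
                value = value.strip()
                if value.startswith("<"):
                    value = read_value_file(value[1:], strip_newline)
                settings[stack[-1] + key.strip()] = value
    return settings


def write_demo_tree(root, with_private):
    """Constructed layout modelled on the thread: dovecot.conf pulls conf.d/*
    in with !include and the per-domain secret file with !include_try."""
    root = Path(root)
    (root / "conf.d").mkdir()
    (root / "passfile").write_text("mypass\n")          # constructed, not a real secret
    (root / "mydomain.pem").write_text("CONSTRUCTED CERT PLACEHOLDER\n")
    (root / "dovecot.conf").write_text(
        "!include conf.d/*.conf\n"
        "!include_try private.conf\n")
    (root / "conf.d" / "10-ssl.conf").write_text("ssl = required\n")
    if with_private:                  # in real use: mode 0600, owned by root
        (root / "private.conf").write_text(
            "local_name mydomain {\n"
            f"  ssl_key_password = <{root / 'passfile'}\n"
            f"  ssl_cert = <{root / 'mydomain.pem'}\n"
            "}\n")
    return root


def load_demo(with_private=True, strip_newline=True):
    """Parse the constructed tree; with_private=False shows !include_try skipping."""
    with tempfile.TemporaryDirectory() as tmp:
        root = write_demo_tree(tmp, with_private)
        return parse_config(root / "dovecot.conf", strip_newline=strip_newline)


def strict_include_of_missing_file_fails():
    """True when a plain !include of an absent file raises, as the daemon does."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "dovecot.conf"
        conf.write_text("!include conf.d/private.conf\n")
        try:
            parse_config(conf)
        except ConfigError:
            return True
        return False


if __name__ == "__main__":
    print(load_demo())
    print(load_demo(with_private=False))
    print(strict_include_of_missing_file_fails())
```

The model only shows why an unreadable file under a plain "!include conf.d/*.conf" is fatal while the same file behind "!include_try" is not; it says nothing about why the daemon's own "<passfile" form produced 'bad decrypt', beyond suggesting the byte-for-byte comparison of the value read with the value that works inline.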
participants (3)
- B. R.
- Christian Kivalo
- Edgar Pettijohn