Dovecot fails to "initialize SSL server context"
I am configuring a new mailserver. Postfix works and is getting configured according to our wishes.
Dovecot is more stubborn: for some reason I'm not able to understand, it refuses to "initialize SSL server context", complaining "Can't load SSL Certificate". I believe I have configured the same certificate (and accompanying key) for imap-login that I use for https. But dovecot does not agree. I looked at error:14187180. All I found were errors in the configuration for the Certs or Keys, which I think I am avoiding.
Two questions: Please correct me if I'm wrong. Can you clarify dovecot's error message?
Jaap
Server:
- Rocky Linux 9.6 kernel 5.14.0-570.28.1
- Dovecot 2.3.21.1
- Openssl 3.2.2
- Certbot 3.1.0
HTTPS is functioning as expected; ssl config:
- Include /etc/letsencrypt/options-ssl-apache.conf
- SSLCertificateFile /etc/letsencrypt/live/radicale.camelopardus.nl/fullchain.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/radicale.camelopardus.nl/privkey.pem
- ssl_cert = </etc/letsencrypt/live/iris.camelopardus.nl/fullchain.pem
test from client: openssl s_client -connect radicale.camelopardus.nl:https
reply:
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E6
verify return:1
depth=0 CN = radicale.camelopardus.nl
verify return:1
Dovecot responds differently (for Thunderbird as well as for openssl):
conf.d/10-ssl.conf:
- ssl_cert = </etc/letsencrypt/live/radicale.camelopardus.nl/fullchain.pem
- ssl_key = </etc/letsencrypt/live/radicale.camelopardus.nl/privkey.pem
test: openssl s_client -connect radicale.camelopardus.nl:imaps
reply:
CONNECTED(00000003)
write:errno=104
no peer certificate available
For both there is the same error in dovecot's log:
imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:14187180: SSL routines:ssl_do_config:bad value: section=system_default, cmd=Groups, arg=X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192: user=<>, rip=2a10:3781:5ab:1:ff51:cbd1:4d54:fb7b, lip=2a10:3781:5ab:10::aaf,
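An added example (not from the thread, and not Dovecot's code) that pulls the quoted imap-login line apart into three parts: Dovecot's own wrapper text, the OpenSSL error string it quotes, and the trailing connection fields. The sample line is a constructed copy of the one above. The detail fields the parser extracts are the ones the error string itself carries (section=system_default, cmd=Groups, arg=...), which is what tells a reader that the rejected value sits in OpenSSL's configuration file rather than in the PEM files named by ssl_cert. The error code is unpacked with OpenSSL 1.1's ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason); that layout applies here because the string names a function (ssl_do_config), whereas OpenSSL 3.x error strings leave that field empty ("SSL routines::...").

```python
import re

# Constructed copy of the imap-login line quoted in the post above (same
# fields; a syslog timestamp prefix, if present, should be stripped first).
SAMPLE_LOG_LINE = (
    "imap-login: Error: Failed to initialize SSL server context: "
    "Can't load SSL certificate (ssl_cert setting): error:14187180: "
    "SSL routines:ssl_do_config:bad value: section=system_default, cmd=Groups, "
    "arg=X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:"
    "ffdhe4096:ffdhe6144:ffdhe8192: user=<>, "
    "rip=2a10:3781:5ab:1:ff51:cbd1:4d54:fb7b, lip=2a10:3781:5ab:10::aaf,"
)

PREFIX_RE = re.compile(r"^(?P<process>[\w-]+): (?P<level>\w+): (?P<message>.*)$")
# Connection context that Dovecot's login processes append to their log lines.
CONN_RE = re.compile(
    r",?\s*user=(?P<user>.*?), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+),?\s*$"
)
# OpenSSL 1.1-style error string:
#   error:<8 hex digits>:<library>:<function>:<reason>[: <detail>]
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):\s*(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)"
    r"(?::\s*(?P<detail>.*))?$"
)


def decode_err_code(hexcode: str) -> dict:
    """Unpack an OpenSSL 1.1 error code: 8-bit library, 12-bit function, 12-bit reason."""
    code = int(hexcode, 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def parse_ssl_error(line: str) -> dict:
    """Split a Dovecot 'Failed to initialize SSL server context' line into
    Dovecot's wrapper text, the OpenSSL error it quotes, and the connection fields."""
    prefix = PREFIX_RE.match(line.strip())
    if prefix is None:
        raise ValueError("not a '<process>: <level>: <message>' Dovecot log line")
    message = prefix.group("message")

    conn = CONN_RE.search(message)
    connection = conn.groupdict() if conn else {}
    if conn is not None:
        message = message[: conn.start()]
    message = message.rstrip(": ")

    err = ERR_RE.search(message)
    if err is None:
        raise ValueError("no OpenSSL error string in line")
    # key=value pairs after the reason; values may contain ':' (the Groups list) but not ','
    detail = dict(re.findall(r"(\w+)=([^,]+)", err.group("detail") or ""))
    return {
        "process": prefix.group("process"),
        "level": prefix.group("level"),
        "dovecot_message": message[: err.start()].rstrip(": "),
        "code": err.group("code"),
        "lib": err.group("lib").strip(),
        "func": err.group("func").strip(),
        "reason": err.group("reason").strip(),
        "detail": detail,
        "packed": decode_err_code(err.group("code")),
        "connection": connection,
    }


def classify(parsed: dict) -> str:
    """Name the stage the quoted OpenSSL error comes from, using only the string's own fields."""
    if parsed["func"] == "ssl_do_config":
        # OpenSSL rejected a directive in its own configuration file; in the
        # sample it is cmd=Groups in the system_default section.
        return "openssl-config"
    if parsed["lib"] in ("PEM routines", "BIO routines", "system library"):
        # Errors from actually opening or decoding the PEM files.
        return "certificate-file"
    return "other"


if __name__ == "__main__":
    parsed = parse_ssl_error(SAMPLE_LOG_LINE)
    for key, value in parsed.items():
        print(f"{key:16} {value}")
    print("classification  ", classify(parsed))
```

For the sample line the packed code 0x14187180 decodes to library 20 (SSL), function 391 and reason 384, and classify() returns "openssl-config" because the function field is ssl_do_config. Run over a real log, the same split lets a detection rule distinguish a PEM file that cannot be opened (permissions, wrong path) from a system-wide OpenSSL configuration the loaded library does not accept.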
On 03/08/2025 13:59 EEST jaap--- via dovecot <dovecot@dovecot.org> wrote:
I am configuring a new mailserver. Postfix works and is getting configured according to our wishes.
Dovecot is more stubborn: for some reason I'm not able to understand, it refuses to "initialize SSL server context", complaining "Can't load SSL Certificate". I believe I have configured the same certificate (and accompanying key) for imap-login that I use for https. But dovecot does not agree. I looked at error:14187180. All I found were errors in the configuration for the Certs or Keys, which I think I am avoiding.
Two questions: Please correct me if I'm wrong. Can you clarify dovecot's error message?
Jaap
Server:
- Rocky Linux 9.6 kernel 5.14.0-570.28.1
- Dovecot 2.3.21.1
- Openssl 3.2.2
- Certbot 3.1.0
Dovecot 2.3 does not have OpenSSL 3.x support from us, you are using 3rd party patch. Please open bug with Rocky Linux about this.
OpenSSL 3.x is supported only with Dovecot 2.4.
Aki
Aki Tuomi via dovecot wrote on 2025-08-03 17:49:
Dovecot 2.3 does not have OpenSSL 3.x support from us, you are using 3rd party patch. Please open bug with Rocky Linux about this.
in gentoo openssl is
[I] dev-libs/openssl
     Available versions:  [M]1.0.2u-r1^td [M]1.1.1w(0/1.1)^t 3.0.16(0/3)^t ~3.0.17(0/3)^t **3.0.9999(0/3)*l^t 3.1.8(0/3)^t **3.1.9999(0/3)*l^t 3.2.4(0/3)^t ~3.2.5(0/3)^t **3.2.9999(0/3)*l^t 3.3.3(0/3)^t ~3.3.4(0/3)^t **3.3.9999(0/3)*l^t 3.4.1(0/3)^t ~3.4.2(0/3)^t **3.4.9999(0/3)*l^t ~3.5.0(0/3)^t ~3.5.1(0/3)^t **3.5.9999(0/3)*l^t {+asm bindist fips gmp kerberos ktls +quic rfc3779 sctp sslv2 (+)sslv3 static-libs test tls-compression (+)tls-heartbeat vanilla verify-sig weak-ssl-ciphers ABI_MIPS="n32 n64 o32" ABI_S390="32 64" ABI_X86="32 64 x32" CPU_FLAGS_X86="sse2"}
     Installed versions:  3.4.1(0/3)^t(09:40:14 06/18/25)(asm quic -fips -ktls -rfc3779 -sctp -static-libs -test -tls-compression -vanilla -verify-sig -weak-ssl-ciphers ABI_MIPS="-n32 -n64 -o32" ABI_S390="-32 -64" ABI_X86="64 -32 -x32" CPU_FLAGS_X86="sse2")
     Homepage:            https://openssl-library.org/
     Description:         Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)
[I] net-mail/dovecot
     Available versions:  2.3.21.1-r1(0/2.3.21.1) ~2.4.1-r1(0/2.4.1) ~2.4.1-r2(0/2.4.1) ~2.4.1-r3(0/2.4.1) {argon2 caps cdb doc kerberos ldap lua lucene lz4 managesieve mysql pam postgres rpc selinux sieve solr sqlite static-libs stemmer suid systemd tcpd textcat unwind xapian zstd LUA_SINGLE_TARGET="lua5-1 lua5-3 lua5-4"}
     Installed versions:  2.3.21.1-r1(0/2.3.21.1)(10:21:49 06/20/25)(managesieve pam postgres stemmer -argon2 -caps -doc -kerberos -ldap -lua -lucene -lz4 -mysql -rpc -selinux -sieve -solr -sqlite -static-libs -suid -systemd -tcpd -textcat -unwind -zstd LUA_SINGLE_TARGET="lua5-1 -lua5-3")
     Homepage:            https://www.dovecot.org/
     Description:         An IMAP and POP3 server written with security primarily in mind
it's no problem with it here
OpenSSL 3.x is supported only with Dovecot 2.4.
unless dovecot breaks it :)
On 03/08/2025 23:19 EEST Benny Pedersen via dovecot <dovecot@dovecot.org> wrote:
Aki Tuomi via dovecot wrote on 2025-08-03 17:49:
Dovecot 2.3 does not have OpenSSL 3.x support from us, you are using 3rd party patch. Please open bug with Rocky Linux about this.
in gentoo openssl is
it's no problem with it here
OpenSSL 3.x is supported only with Dovecot 2.4.
unless dovecot breaks it :)
I didn't say it doesn't work, I just said it's not supported. If it works, great. If not, then you can talk with your os distributor about fixes.
Aki
"Can't load SSL Certificate" means dovecot is unable to fetch the ssl certificate files. Check the ownership and permissions on the files as well as the containing directory. All should be owned by dovecot or any other user that is a member of the dovecot user group and can read the parent directories as well as the pem files in the relevant directory.
My advice is to copy the letsencrypt directory to a new directory, give it ownership and apply a zero-trust rule on permissions reserved for dovecot, so as to avoid having to share the /etc/letsencrypt/live/radicale.camelopardus.nl/ directory with more than the two parties offered by the owner:group model by exposing it to the world; otherwise anyone who got their hands on the pem files and has mitm proxy capability can intercept dovecot communications.
Zak.
On 2025-08-03 11:59, jaap--- via dovecot wrote:
I am configuring a new mailserver. Postfix works and is getting configured according to our wishes.
Dovecot is more stubborn: for some reason I'm not able to understand, it refuses to "initialize SSL server context", complaining "Can't load SSL Certificate". I believe I have configured the same certificate (and accompanying key) for imap-login that I use for https. But dovecot does not agree. I looked at error:14187180. All I found were errors in the configuration for the Certs or Keys, which I think I am avoiding.
Two questions: Please correct me if I'm wrong. Can you clarify dovecot's error message?
Jaap
Server:
- Rocky Linux 9.6 kernel 5.14.0-570.28.1
- Dovecot 2.3.21.1
- Openssl 3.2.2
- Certbot 3.1.0
HTTPS is functioning as expected; ssl config:
- Include /etc/letsencrypt/options-ssl-apache.conf
- SSLCertificateFile /etc/letsencrypt/live/radicale.camelopardus.nl/fullchain.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/radicale.camelopardus.nl/privkey.pem
- ssl_cert = </etc/letsencrypt/live/iris.camelopardus.nl/fullchain.pem
test from client: openssl s_client -connect radicale.camelopardus.nl:https
reply:
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E6
verify return:1
depth=0 CN = radicale.camelopardus.nl
verify return:1
Dovecot responds differently (for Thunderbird as well as for openssl):
conf.d/10-ssl.conf:
- ssl_cert = </etc/letsencrypt/live/radicale.camelopardus.nl/fullchain.pem
- ssl_key = </etc/letsencrypt/live/radicale.camelopardus.nl/privkey.pem
test: openssl s_client -connect radicale.camelopardus.nl:imaps
reply:
CONNECTED(00000003)
write:errno=104
no peer certificate available
For both there is the same error in dovecot's log:
imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:14187180: SSL routines:ssl_do_config:bad value: section=system_default, cmd=Groups, arg=X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192: user=<>, rip=2a10:3781:5ab:1:ff51:cbd1:4d54:fb7b, lip=2a10:3781:5ab:10::aaf,
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
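An added example, not Zak's or Dovecot's own code, that implements the check he describes: resolve the pem path (letsencrypt's live/ entries are symlinks into archive/, so the permissions that matter are on the real files), require the search bit on every ancestor directory and the read bit on the file for the account Dovecot's login processes run as, and flag a key that is readable by everyone. The account name "dovecot" and the letsencrypt path in the commented call are assumptions taken from this thread; run_demo() builds a constructed temporary tree instead of touching /etc. Classic mode bits only: a POSIX ACL granting the dovecot user access would not be seen by this check.

```python
import grp
import os
import pwd
import stat
import tempfile


def _bits_for(st: os.stat_result, uid: int, gids: set) -> int:
    """The rwx triple (0-7) that applies to uid/gids for this inode
    (classic owner/group/other mode bits; POSIX ACLs are not consulted)."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def check_access(path: str, uid: int, gids: set) -> dict:
    """Can uid (member of gids) open `path` for reading?  Every ancestor
    directory needs the search (x) bit and the file itself the read bit.
    Symlinks are resolved first, so live/ -> ../../archive/ links are followed.
    Also reports whether the file is world-readable."""
    real = os.path.realpath(path)
    problems = []
    # Collect ancestors from the immediate directory up to "/".
    ancestors, d = [], os.path.dirname(real)
    while True:
        ancestors.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    if uid != 0:  # root bypasses mode bits
        for d in reversed(ancestors):
            if not _bits_for(os.stat(d), uid, gids) & 1:
                problems.append(f"{d}: no search (x) permission")
        if not _bits_for(os.stat(real), uid, gids) & 4:
            problems.append(f"{real}: no read permission")
    world_readable = bool(os.stat(real).st_mode & stat.S_IROTH)
    return {"path": real, "readable": not problems,
            "world_readable": world_readable, "problems": problems}


def check_access_for_user(path: str, username: str) -> dict:
    """Resolve a system account (e.g. the dovecot user) to its uid plus all its groups."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return check_access(path, pw.pw_uid, gids)


def run_demo() -> dict:
    """Constructed fixture: a private key under a 0700 directory, probed as
    its owner and as an unrelated uid, then again after chmod 644 on the key
    (the exposure Zak warns about)."""
    root = tempfile.mkdtemp(prefix="certperm-")           # mkdtemp creates it 0700
    certdir = os.path.join(root, "archive", "example.test")
    os.makedirs(certdir)
    key = os.path.join(certdir, "privkey1.pem")
    with open(key, "w") as fh:                            # placeholder text, not a real key
        fh.write("-----BEGIN PRIVATE KEY-----\nconstructed-placeholder\n-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o600)
    me, my_gids = os.getuid(), {os.getgid()} | set(os.getgroups())
    stranger = 65534 if me != 65534 else 65533            # a uid that owns nothing here
    results = {
        "owner_can_read": check_access(key, me, my_gids)["readable"],
        "stranger_can_read": check_access(key, stranger, set())["readable"],
    }
    os.chmod(key, 0o644)
    results["key_world_readable_after_chmod"] = check_access(key, me, my_gids)["world_readable"]
    return results


if __name__ == "__main__":
    print(run_demo())
    # On the server itself (path from the thread, "dovecot" account assumed):
    # print(check_access_for_user("/etc/letsencrypt/live/radicale.camelopardus.nl/privkey.pem", "dovecot"))
```

The "problems" list names the first directory in the chain that blocks the account, which is usually more useful than the bare yes/no: on a stock letsencrypt layout the blocking entry is typically archive/ or live/ rather than the pem file itself.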
participants (4)
- Aki Tuomi
- Benny Pedersen
- jaap@jbril.net
- Zakaria