Multidomain / IP Address Setup (Dovecot 2.2.10 on CentOS7) is failing: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM
Hi, I want to say hello and here is my big problem ;D
I am trying to achieve a Postfix/Dovecot 2.2.10 CentOS7 multidomain setup with multiple (valid) StartSSL certs, but I am only able to run a single-domain-cert server.
PS: I need a multiple-domain setup for every customer, and it is not an option for me to redirect any email to a single-domain server. I really need this setup working.
IMHO: I think SELinux could interfere with multiple certs in different folders (it is activated in CentOS7 by default and is needed by other apps).
Ok, here is my logfile data:
systemctl start postfix.service [OK]
systemctl start dovecot.service [OK]
/var/log/messages
systemd: Stopping Dovecot IMAP/POP3 email server...
systemd: Starting Dovecot IMAP/POP3 email server...
systemd: Started Dovecot IMAP/POP3 email server.
/var/log/maillog
dovecot: master: Dovecot v2.2.10 starting up for imap, pop3, lmtp (core dumps disabled)
### This works (Thunderbird, Outlook 2013, Opera Mail etc.) ####
local mydomain01.tld {
protocol imap { ssl_cert =
}
### this 10-ssl.conf ### --- FAILS (the error occurs after an email client accesses IMAP folders)
local mydomain01.tld {
protocol imap { ssl_cert =
}
local mydomain02.tld {
protocol imap { ssl_cert =
}
/var/log/maillog ### Error log ###
Aug 14 12:50:38 matrix dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line:
Aug 14 12:50:38 matrix dovecot: master: Error: service(imap-login): command startup failed, throttling for 60 secs
I really don't know why a single domain is no problem, but if I enable multiple domains Dovecot starts without any error, even if I set the debug verbosity level extremely high; yet if I access Dovecot with Thunderbird my server logfile explodes with something like this: Couldn't parse private ssl_key: error:0906D06C:PEM. But the certs are 100% valid and checked over and over again.
Any help is greatly appreciated!
Greetings, Dravion
On 14.08.2015 at 13:22, dravion.smith@gmx.net wrote:
Hi, I want to say hello and here is my big problem ;D
I am trying to achieve a Postfix/Dovecot 2.2.10 CentOS7 multidomain setup with multiple (valid) StartSSL certs, but I am only able to run a single-domain-cert server.
PS: I need a multiple-domain setup for every customer, and it is not an option for me to redirect any email to a single-domain server. I really need this setup working.
IMHO: I think SELinux could interfere with multiple certs in different folders (it is activated in CentOS7 by default and is needed by other apps).
What have you done to exclude that SELinux interferes?
Run "ausearch -m avc" to check for AVCs.
Ok, here is my logfile data:
systemctl start postfix.service [OK]
systemctl start dovecot.service [OK]
/var/log/messages
systemd: Stopping Dovecot IMAP/POP3 email server...
systemd: Starting Dovecot IMAP/POP3 email server...
systemd: Started Dovecot IMAP/POP3 email server.
/var/log/maillog
dovecot: master: Dovecot v2.2.10 starting up for imap, pop3, lmtp (core dumps disabled)
### This works (Thunderbird, Outlook 2013, Opera Mail etc.) ####
local mydomain01.tld {
protocol imap { ssl_cert =
}
You are leaving the terrain of your distribution. That's not the intended path. /etc/pki/tls/{certs,private}/ is.
### this 10-ssl.conf ### --- FAILS (the error occurs after an email client accesses IMAP folders)
local mydomain01.tld {
protocol imap { ssl_cert =
}
local mydomain02.tld {
protocol imap { ssl_cert =
}
See above.
Why the same certificate pair files twice?
Make sure the permissions (and not only of the files themselves) and the SELinux context are set properly. You gave zero information about that.
/var/log/maillog ### Error log ###
Aug 14 12:50:38 matrix dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line:
Aug 14 12:50:38 matrix dovecot: master: Error: service(imap-login): command startup failed, throttling for 60 secs
The key file contains "-----BEGIN PRIVATE KEY-----" as first line and "-----END PRIVATE KEY-----" as last line?
I really don't know why a single domain is no problem, but if I enable multiple domains Dovecot starts without any error, even if I set the debug verbosity level extremely high; yet if I access Dovecot with Thunderbird my server logfile explodes with something like this: Couldn't parse private ssl_key: error:0906D06C:PEM. But the certs are 100% valid and checked over and over again.
Any help is greatly appreciated!
Greetings, Dravion
Alexander
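As an added example (not from the thread and not Dovecot's own code), a small Python check for what Alexander asks about: whether a key file actually carries the PEM markers that OpenSSL's PEM reader looks for before it reports "no start line". The sample inputs are constructed and the path is a placeholder.

```python
"""PEM sanity check for the 'PEM_read_bio:no start line' error.

Added example (not from the thread). OpenSSL raises 'no start line' when
it never finds a '-----BEGIN ...-----' marker, so this checks exactly that:
header/footer pair, line endings and the base64 body in between.
"""
import base64
import binascii
import re

MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

# Constructed samples; the base64 bodies are filler, not real keys.
GOOD_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAK==\n"
            b"-----END RSA PRIVATE KEY-----\n")
CERT_NOT_KEY = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
PATH_LITERAL = b"/etc/pki/tls/private/imap.mydomain01.tld.key\n"  # placeholder path


def inspect_pem(data: bytes) -> list:
    """Return human-readable problems; an empty list means the PEM looks sane."""
    problems = []
    if not data.strip():
        return ["file is empty (wrong path, or unreadable by the dovecot user?)"]
    if b"\r\n" in data:
        problems.append("CRLF line endings; convert with dos2unix or sed")
    if b"\x00" in data or data.lstrip()[:1] == b"\x30":  # 0x30 = DER SEQUENCE tag
        return problems + ["binary content (DER/PKCS#12), not PEM; convert with openssl"]
    lines = [ln.strip() for ln in data.decode("ascii", "replace").splitlines() if ln.strip()]
    head = MARKER.match(lines[0])
    if not head or head.group(1) != "BEGIN":
        return problems + [f"no BEGIN marker on first line: {lines[0][:40]!r}"]
    tail = MARKER.match(lines[-1])
    if not tail or tail.group(1) != "END" or tail.group(2) != head.group(2):
        problems.append("END marker missing or does not match the BEGIN label")
    if "PRIVATE KEY" not in head.group(2):
        problems.append(f"block is a {head.group(2)}, not a private key")
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        problems.append("body is not valid base64 (truncated or corrupted file)")
    return problems


if __name__ == "__main__":
    for name, blob in [("good", GOOD_KEY), ("crlf", GOOD_KEY.replace(b"\n", b"\r\n")),
                       ("cert", CERT_NOT_KEY), ("path", PATH_LITERAL)]:
        print(name, "->", inspect_pem(blob) or "OK")
```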
Hello Alex
On 14.08.2015 at 19:57, Alexander Dalloz wrote:
What have you done to exclude that SELinux interferes?
Just some sysinfo: CentOS Linux release 7.1.1503 (Core) (I run yum update every day)
sestatus:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
Run "ausearch -m avc" to check for AVCs.
There is no indication SELinux is blocking something.
grep "SELinux is preventing" /var/log/messages
grep "denied" /var/log/audit/audit.log
ausearch -m avc
show no denied messages
### This works (Thunderbird, Outlook 2013, Opera Mail etc.) ####
local mydomain01.tld {
protocol imap { ssl_cert =
}
Sorry, the above has some typos, forget it.
Ok, this works well:
Config file: /etc/dovecot/conf.d/10-ssl.conf
protocol imap { ssl_cert =
If I change it to
protocol imap { ssl_cert =
This works well too (I can connect from a Windows box with Mozilla Thunderbird or Microsoft Outlook 2013, IMAP folders are showing, email sending and receiving is working and the logs show no error).
#### BUT #### If I try something like this in /etc/dovecot/conf.d/10-ssl.conf
local imap.mydomain01.tld { protocol imap { ssl_cert =
local imap.mydomain01.tld { protocol imap { ssl_cert =
It throws errors like this: imap-login "parse private ssl_key: error:0906D06C:PEM" in the logfile /var/log/maillog
The certs are each accepted in single-domain mode but fail in multidomain mode. I have checked whether local_name (SNI) works with the full DNS domain name or just the IP address, but this doesn't show any effect. Multidomain mode of Dovecot is
Notes: The certs are StartSSL domain-validated free certs, pointing to imap.mydomain01.tld and imap.mydomain02.tld. In single-domain mode, as explained above, either of the two certificates is accepted, and Thunderbird and Outlook accept the certs as StartSSL without any warning or error message.
PS: imap.mydomain01.tld.key begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
imap.mydomain02.tld.key begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
PS2: There was a hint on some website that Dovecot needs the certs in a single *.pem file because the implementation of SNI and related code "was poorly implemented".
Thanks, Drav
### CORRECTION On 15.08.2015 at 03:22, dravion.smith@gmx.net wrote:
#### BUT #### If I try something like this in /etc/dovecot/conf.d/10-ssl.conf
local imap.mydomain01.tld { protocol imap { ssl_cert =
local imap.mydomain02.tld { protocol imap { ssl_cert =
It throws errors like this: imap-login "parse private ssl_key: error:0906D06C:PEM" in the logfile /var/log/maillog
On 08/14/15 20:30, dravion.smith@gmx.net wrote:
### CORRECTION On 15.08.2015 at 03:22, dravion.smith@gmx.net wrote:
#### BUT #### If I try something like this in /etc/dovecot/conf.d/10-ssl.conf
local_name imap.mydomain01.tld
local imap.mydomain01.tld { protocol imap { ssl_cert =
local_name imap.mydomain02.tld
local imap.mydomain02.tld { protocol imap { ssl_cert =
It throws errors like this: imap-login "parse private ssl_key: error:0906D06C:PEM" in the logfile /var/log/maillog
If they are separate IPs, why not try that?
local x.x.x.x { etc..
Hi Ed,
On 15.08.2015 at 03:50, Edgar Pettijohn wrote:
If they are separate IPs, why not try that?
local x.x.x.x { etc..
This was my main source for configuring it. Yes, there are different IPv6 /64 addresses, and dig mx resolves the correct domains to different AAAA address counterparts (imap.mydomain01.tld resolves to a different IP than imap.mydomain02.tld, and the corresponding StartSSL certs are correctly issued to imap.mydomain01.tld and imap.mydomain02.tld). IP-as-host resolution and even SNI host resolution (for newer email client programs) always lead to the same error if I enable multidomain hosting/multi-IP hosting. Only single-domain hosting works with its own certificate; that's why I am confident the certs are OK. The imap-login process and/or OpenSSL access by imap-login is simply failing if I enable multidomain hosting with
Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
As far as my research goes, the Debian folks have a bug report filed under https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771334
Drav
I think you should post doveconf -n output.
On 08/14/15 20:30, dravion.smith@gmx.net wrote:
### CORRECTION On 15.08.2015 at 03:22, dravion.smith@gmx.net wrote:
#### BUT #### If I try something like this in /etc/dovecot/conf.d/10-ssl.conf
local imap.mydomain01.tld { protocol imap { ssl_cert =
local imap.mydomain02.tld { protocol imap { ssl_cert =
It throws errors like this: imap-login "parse private ssl_key: error:0906D06C:PEM" in the logfile /var/log/maillog
I think you should post doveconf -n output.
With your dovecot -n output provided, this mail would not need to be sent.
On 08/14/15 20:30, dravion.smith@gmx.net wrote:
### CORRECTION On 15.08.2015 at 03:22, dravion.smith@gmx.net wrote:
#### BUT #### If I try something like this in /etc/dovecot/conf.d/10-ssl.conf
local imap.mydomain01.tld { protocol imap { ssl_cert =
local imap.mydomain02.tld { protocol imap { ssl_cert =
It throws errors like this: imap-login "parse private ssl_key: error:0906D06C:PEM" in the logfile /var/log/maillog
From the Dovecot SSL wiki page http://wiki2.dovecot.org/SSL/DovecotConfiguration:
Multiple SSL certificates
Different certificates per IP and protocol
If you have multiple IPs available, this method is guaranteed to work with all clients.
[snip]
Note that you will still need a top-level "default" ssl_key and ssl_cert as well, or you will receive errors.
In addition to your two domain-specific SSL certs, have you also defined a "default" ssl_key and ssl_cert as required by the documentation?
regards
- c
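Added example, not from the thread and not Dovecot's own code, with placeholder paths: a static check of a 10-ssl.conf for the top-level default ssl_cert/ssl_key that this reply and the wiki call out, plus a pitfall the thread's truncated config excerpts cannot show, a value missing the leading "<" that tells Dovecot to read the file (the literal path string is then parsed as PEM and fails with exactly this "no start line" error). The IPv6 address and hostnames in the sample are constructed.

```python
"""Audit a Dovecot 10-ssl.conf for the two pitfalls in this thread.
Added example (not Dovecot's code); paths are placeholders. A leading '<' makes
Dovecot read the value from that file; without it the path string itself is
handed to OpenSSL as PEM and fails with 'no start line'. Dovecot 2.2 also needs
a top-level default ssl_cert/ssl_key next to the per-IP / per-SNI blocks."""
import re

# Constructed excerpt with a per-IP block (local) and an SNI block (local_name);
# the ssl_key inside 'protocol imap' deliberately lacks the '<' prefix.
SAMPLE_CONF = """\
ssl_cert = </etc/pki/tls/certs/default.pem
ssl_key = </etc/pki/tls/private/default.key
local 2001:db8::10 {
  protocol imap {
    ssl_cert = </etc/pki/tls/certs/imap.mydomain01.tld.crt
    ssl_key = /etc/pki/tls/private/imap.mydomain01.tld.key
  }
}
local_name imap.mydomain02.tld {
  ssl_cert = </etc/pki/tls/certs/imap.mydomain02.tld.crt
  ssl_key = </etc/pki/tls/private/imap.mydomain02.tld.key
}
"""
SECTION = re.compile(r"^(\w+)(?:\s+(\S+))?\s*\{$")
SETTING = re.compile(r"^(ssl_cert|ssl_key)\s*=\s*(\S.*)$")


def audit_ssl_conf(conf: str) -> dict:
    # Walk the brace-structured config; 'stack' is the current section path.
    stack, top, literal = [], {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
            continue
        if m := SECTION.match(line):
            stack.append(" ".join(g for g in m.groups() if g))
            continue
        if m := SETTING.match(line):
            key, value = m.groups()
            if not value.startswith("<"):  # literal string, not a file reference
                literal.append(("/".join(stack) or "<top-level>", key, value))
            if not stack:
                top[key] = value
    return {"default_ok": {"ssl_cert", "ssl_key"} <= set(top),
            "literal_values": literal}


if __name__ == "__main__":
    for scope, key, value in audit_ssl_conf(SAMPLE_CONF)["literal_values"]:
        print(f"{scope}: {key} = {value!r} lacks the '<' file prefix")
```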
On 15.08.2015 at 08:16, Christian Kivalo wrote:
[snip]
Note that you will still need a top-level "default" ssl_key and ssl_cert as well, or you will receive errors.
In addition to your two domain-specific SSL certs, have you also defined a "default" ssl_key and ssl_cert as required by the documentation?
regards
- c
Did you really read the wiki, and that I already said it was my main source??
- Domains work flawlessly
- If I change the domain names and certificates it works flawlessly, but
- If I try (like described in the wiki you posted) I get this
"imap-login "parse private ssl_key: error:0906D06C:PEM"
It's the fucking imap-login process screwing things up without any reason if you try to configure it like described in the damn wiki!
On 15 August 2015 08:58:04 CEST, "dravion.smith@gmx.net" dravion.smith@gmx.net wrote:
On 15.08.2015 at 08:16, Christian Kivalo wrote:
[snip]
Note that you will still need a top-level "default" ssl_key and ssl_cert as well, or you will receive errors.
In addition to your two domain-specific SSL certs, have you also defined a "default" ssl_key and ssl_cert as required by the documentation?
regards
- c
Did you really read the wiki, and that I already said it was my main source??
- Domains work flawlessly
- If I change the domain names and certificates it works flawlessly, but
- If I try (like described in the wiki you posted) I get this
"imap-login "parse private ssl_key: error:0906D06C:PEM"
It's the fucking imap-login process screwing things up without any reason if you try to configure it like described in the damn wiki!
provide your multi ssl doveconf -n output.
- c
/etc/ssl $ sudo doveconf -n
# 2.2.15: /etc/dovecot/dovecot.conf
# OS: OpenBSD 5.7 amd64 ffs
auth_mechanisms = plain login
default_client_limit = 500
disable_plaintext_auth = no
first_valid_uid = 1000
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
mail_location = maildir:/var/vmail/%d/%n/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave duplicate
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = scheme=BLF-CRYPT username_format=%n /etc/mail/users
  driver = passwd-file
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
postmaster_address = postmaster@%d
protocols = imap pop3 lmtp sieve sieve
service auth {
  unix_listener auth-userdb {
    group = _smtpd
    mode = 0666
    user = _smtpd
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener lmtp {
    mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_cert =
The above works as expected.
On 08/15/15 02:06, dravion.smith@gmx.net wrote:
On 15.08.2015 at 09:04, Christian Kivalo wrote:
provide your multi ssl doveconf -n output. - c
No. I leave this shit alone, am running Dovecot in multi-instance mode, and now it works.
Hi Ed,
Interesting setup. I like the way you stripped it all down to just one single file :-)
But can you explain why you use globally:
ssl_cert =
and certs for any additional Domain each?
## local_name mail.pettijohn-web.com { ssl_cert =
I configured it the way you do, but within the default /etc/dovecot/conf.d structure, and I had no luck. I tested local_name (SNI), local, local <IPv6> (dedicated IPv6 address) but had no luck
Configinfo:
- MTA (Postfix 2.10.1) and MDA (Dovecot 2.2.10) configured on IPv6 addresses
- The MTA and MDA are connected to MariaDB (the default MySQL replacement on CentOS7 now) for virtual domains, users, passwords, aliases etc.
- Postfix uses Dovecot's SASL implementation, and Postfix and Dovecot talk via LMTP and UNIX sockets.
Details:
### yum info postfix ###
Name : postfix
Arch : x86_64
Epoche : 2
Version : 2.10.1
Release : 6.el7
Size : 12 M
From : installed
From Source : debian.n-ix.net_centos_7_os_x86_64_
Summary : Postfix Mail Transport Agent
URL : http://www.postfix.org
License : IBM and GPLv2+
Description : Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), TLS
### yum info dovecot ###
Name : dovecot
Arch : i686
Epoche : 1
Version : 2.2.10
Ausgabe : 4.el7_0.1
Größe : 3.2 M
Quelle : debian.n-ix.net_centos_7_os_x86_64_
Summary : Secure imap and pop3 server
URL : http://www.dovecot.org/
Lizenz : MIT and LGPLv2
Description : Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
: primarily in mind. It also contains a small POP3 server. It supports mail
: in either of maildir or mbox formats.
Cheers, Drav
participants (4)
- Alexander Dalloz
- Christian Kivalo
- dravion.smith@gmx.net
- Edgar Pettijohn