Dovecot 2.4.1-4: Server SSL cert loaded in ssl_server_settings_check but lost in openssl_iostream_use_certificate_error
Dear dovecot mailing list, Maybe you'll have an idea. I upgraded from Debian bookworm to trixie this morning. Along with this upgrade, dovecot went to 2.4.1 . I adapted the configuration files. The server starts but the clients cannot retrieve emails. The error message in the logs is: dovecot: pop3-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't load SSL certificate (ssl_server_cert_file setting): The certificate is empty
In iostream-openssl-context.c:ssl_iostream_context_set(), I adapted this error message to see whether a path could be found for this server cert file:
t_strdup_printf(
"Can't load SSL certificate (%s setting with path '%s'): %s",
ctx->client_ctx ? "ssl_client_cert_file" :
"ssl_server_cert_file",
set->cert.cert.path, openssl_iostream_use_certificate_error(set->cert.cert.content) The outcome was that the path is empty as well:dovecot: pop3-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't load SSL certificate (ssl_server_cert_file setting with path ''): The certificate is empty
Then, I adapted ssl-settings.c:ssl_server_settings_check() to show the content of the server certificate file at that stage (with stdio):FILE *file_ptr;file_ptr=fopen("/tmp/output.txt","a");if(file_ptr!=NULL){fprintf(file_ptr,"server check %s\n",set->ssl_server_cert_file);fclose(file_ptr);}
The outcome was that the file is not empty at this stage: server check /etc/letsencrypt/live/<MY_SERVER>/fullchain.pem
-----BEGIN CERTIFICATE-----
<MY_CERT>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<MY_CERT> -----END CERTIFICATE----- Is there any potential reason for this disappearance between the calls? Thanks! Louis.
Dear dovecot mailing list, Maybe you'll have an idea. I upgraded from Debian bookworm to trixie this morning. Along with this upgrade, dovecot went to 2.4.1 . I adapted the configuration files. The server starts but the clients cannot retrieve emails. The error message in the logs is:
dovecot: pop3-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't load SSL certificate (ssl_server_cert_file setting): The certificate is empty
In iostream-openssl-context.c:ssl_iostream_context_set(), I adapted this error message to see whether a path could be found for this server cert file:
t_strdup_printf(
"Can't load SSL certificate (%s setting with path'%s'): %s",
ctx->client_ctx ? "ssl_client_cert_file" :
"ssl_server_cert_file",
set->cert.cert.path,openssl_iostream_use_certificate_error(set->cert.cert.content) The outcome was that the path is empty as well: dovecot: pop3-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't load SSL certificate (ssl_server_cert_file setting with path ''): The certificate is empty Then, I adapted ssl-settings.c:ssl_server_settings_check() to show the content of the server certificate file at that stage (with stdio): FILE *file_ptr;file_ptr=fopen("/tmp/output.txt","a");if(file_ptr!=NULL){fprintf(file_ptr,"server check %s\n",set->ssl_server_cert_file);fclose(file_ptr);} The outcome was that the file is not empty at this stage:
server check /etc/letsencrypt/live/<MY_SERVER>/fullchain.pem
-----BEGIN CERTIFICATE-----
<MY_CERT>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<MY_CERT>
-----END CERTIFICATE----- Is there any potential reason for this disappearance between the calls? Thanks! Louis.
On 23/08/25, Louis Villedieu via dovecot (dovecot@dovecot.org) wrote:
Dear dovecot mailing list,
Maybe you'll have an idea.
I upgraded from Debian bookworm to trixie this morning. Along with this upgrade, dovecot went to 2.4.1 . I adapted the configuration files. The server starts but the clients cannot retrieve emails. The error message in the logs is:
dovecot: pop3-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't load SSL certificate (ssl_server_cert_file setting): The certificate is empty
It would be helpful if you could share the ssl-related parts of your configuration files, anonymised as necessary.
Perhaps it is as simple as a path error?
Typically, the top-level ssl settings (as I understand it) should be
ssl = yes
ssl_server_cert_file = path_to_fullchain.pem
ssl_server_key_file = path_to_private_key.pemI think you can also configure this as follows:
# example ssl config
ssl = yes
ssl_server {
cert_file = /etc/dovecot/certs/server.crt
key_file = /etc/dovecot/certs/server.key
}You can also have per host keys using the following configuration stanza:
# https://doc.dovecot.org/2.4.1/core/config/ssl.html#with-client-tls-sni-server-name-indication-support
local_name example.net {
ssl_server_cert_file = /etc/dovecot/certs/example.crt
ssl_server_key_file = /etc/dovecot/certs/example.key
}On 23. Aug 2025, at 23.43, Louis Villedieu via dovecot <dovecot@dovecot.org> wrote:
Dear dovecot mailing list, Maybe you'll have an idea. I upgraded from Debian bookworm to trixie this morning. Along with this upgrade, dovecot went to 2.4.1 . I adapted the configuration files. The server starts but the clients cannot retrieve emails. The error message in the logs is:
dovecot: pop3-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't load SSL certificate (ssl_server_cert_file setting): The certificate is empty
It's at least not a common problem, since many people are successfully running it. So a bit difficult to say. doveconf -n output might be helpful. You can also debug it further with:
In iostream-openssl-context.c:ssl_iostream_context_set(), I adapted this error message to see whether a path could be found for this server cert file:
t_strdup_printf(
"Can't load SSL certificate (%s setting with path'%s'): %s",
ctx->client_ctx ? "ssl_client_cert_file" : "ssl_server_cert_file", set->cert.cert.path,openssl_iostream_use_certificate_error(set->cert.cert.content)
You can attach gdb here to this place. Add code:
raise(SIGSTOP);
And early into file #include <signal.h>
Now when this error is reached, the process is stopped and you can: gdb -p <pid of stopped imap-login process>
There you can inspect the settings where it goes wrong. Especially it seems in io_stream_autocreate_ssl_server() "ssl_server_set" contains the correct path but "set" doesn't?
participants (3)
-
Louis Villedieu
-
Rory Campbell-Lange
-
Timo Sirainen