Re: Dovecot stops responding when I update SSL certificate
HotSlots Webmaster webmaster@hotslots132.com writes:
I have had Dovecot working fine with SSL for nearly two years now. It's time to renew the SSL certificate, so I did (same CA). The new certificate works fine in Apache and Postfix. But when I update Dovecot to use the same certificate, and restart the server, Dovecot stops responding to connects. ... Here is the end of the dovecot -n file that mentions SSL: ... ssl_dh_parameters_length = 2048
When you start dovecot, does the CPU load of dovecot/ssl-params hit 100%? It's possible it's generating ephemeral DH keys. In a previous post to this list, I noted that the run time to generate these keys can vary wildly, and gets worse with longer keys. Sometimes you get lucky and you'll generate them quickly; sometimes it takes a long while (minutes).
http://dovecot.org/pipermail/dovecot/2015-November/102447.html
Try running
openssl dhparam -noout 2048
to see how it varies for you. If what I suspect is true, you can try using shorter keys. A followup post suggests a way you can precompute the key.
Joseph Tam jtam.home@gmail.com
On March 6, 2016 at 4:45 AM Joseph Tam jtam.home@gmail.com wrote:
When you start dovecot, does the CPU load of dovecot/ssl-params hit 100%? It's possible it's generating ephemeral DH keys. ... A followup post suggests a way you can precompute the key.
We are going to provide an ssl_dh parameter in v2.3 which replaces the current ssl-params daemon with a simple PEM-encoded file that you provide.
Aki Tuomi Dovecot Oy
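The two suggestions above, precomputing the DH parameters with openssl instead of waiting on dovecot/ssl-params at startup, and (in Dovecot 2.3) handing Dovecot a PEM file through ssl_dh, as one small POSIX shell script. This is an added example, not code from the thread or from Dovecot itself. The paths /etc/dovecot/dh.pem and /etc/dovecot/conf.d/10-ssl.conf are assumptions, and `ssl_dh = <file` is the Dovecot 2.3 form of the setting Aki describes; adjust both to your layout.

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot. Precompute the
# Diffie-Hellman parameters once with openssl, sanity-check the PEM,
# measure how long generation takes (it varies a lot from run to run),
# and write the Dovecot 2.3 "ssl_dh" setting that points at the file.
# Assumed (hypothetical) paths: /etc/dovecot/dh.pem and
# /etc/dovecot/conf.d/10-ssl.conf.

# gen_dh FILE BITS
# Generate safe-prime DH parameters into FILE and print elapsed seconds.
# "-dsaparam" would be much faster but yields DSA-style parameters rather
# than the safe-prime group openssl produces by default, so it is not used.
gen_dh() {
    file=$1
    bits=$2
    start=$(date +%s)
    openssl dhparam -out "$file" "$bits" 2>/dev/null || return 1
    end=$(date +%s)
    echo $((end - start))
}

# check_dh FILE
# Return 0 only if FILE is a PEM "DH PARAMETERS" block that openssl accepts.
check_dh() {
    file=$1
    grep -q 'DH PARAMETERS' "$file" || return 1
    openssl dhparam -in "$file" -check -noout >/dev/null 2>&1
}

# dh_time_samples N BITS
# Generate N times and print "min max" seconds, to show the variance
# Joseph describes before committing to a key length.
dh_time_samples() {
    n=$1
    bits=$2
    tmp=$(mktemp)
    min=
    max=
    i=0
    while [ "$i" -lt "$n" ]; do
        t=$(gen_dh "$tmp" "$bits") || { rm -f "$tmp"; return 1; }
        if [ -z "$min" ] || [ "$t" -lt "$min" ]; then min=$t; fi
        if [ -z "$max" ] || [ "$t" -gt "$max" ]; then max=$t; fi
        i=$((i + 1))
    done
    rm -f "$tmp"
    echo "$min $max"
}

# set_ssl_dh CONF PEM
# Put "ssl_dh = <PEM" into CONF (Dovecot 2.3 syntax; the leading "<" tells
# Dovecot to read the value from that file). Any existing ssl_dh line is
# replaced, so the function is safe to run repeatedly.
set_ssl_dh() {
    conf=$1
    pem=$2
    [ -f "$conf" ] || : > "$conf"
    grep -v '^ssl_dh[[:space:]]*=' "$conf" > "$conf.tmp" || true
    printf 'ssl_dh = <%s\n' "$pem" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Typical use with the 2048-bit length from the original config:
#   gen_dh /etc/dovecot/dh.pem 2048 \
#     && check_dh /etc/dovecot/dh.pem \
#     && set_ssl_dh /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/dh.pem
```

Run gen_dh at 2048 bits on a quiet box and expect anything from seconds to minutes, which is exactly the stall seen at Dovecot restart; once the file exists and check_dh passes, the daemon has nothing left to generate. The script only needs the openssl binary and a POSIX shell.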
aki.tuomi:
We are going to provide an ssl_dh parameter in v2.3 which replaces the current ssl-params daemon with a simple PEM-encoded file that you provide.
Good thing. That simplifies the process of DH regeneration to a method admins are more familiar with.
participants (3)
- A. Schulze
- aki.tuomi@dovecot.fi
- Joseph Tam