/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
Hi,
this is not a genuine Dovecot bug, more a nuisance. It applies to OpenSuse 13.2 but maybe also to other Linuxes.
The standard installation of Dovecot (especially 10-ssl.conf) places the certificate dovecot.pem in /etc/ssl/certs. Sometimes during updates OpenSuse renews all certificates in /etc/ssl/certs and erases dovecot.pem. This blocks further access to the mailbox.
I found a similar report here: https://bbs.archlinux.de/viewtopic.php?id=27288
Workaround: Move dovecot.pem to another directory and change 10-ssl.conf accordingly.
Regards
Wolfgang Gross
-- Dr. W. Gross Sektion Chirurgische Forschung Klinik für Allgemein-, Viszeral- und Transplantationschirurgie Universitätsklinikum Heidelberg Im Neuenheimer Feld 365, D-69120 Heidelberg, Germany Tel. ++49 (0)6221/566392, Fax: ++49 (0)6221/566402 WGross@uni-hd.de
This directory in later times is where more and more distros are putting system wide server CA type certs, most distros are moving to this path, so the package maintainer should fix their script, maybe to /etc/ssl/private or such.
On 16 Feb 2015 at 21:59, Nick Edwards wrote:
> This directory in later times is where more and more distros are putting system wide server CA type certs, most distros are moving to this path, so the package maintainer should fix their script, maybe to /etc/ssl/private or such.
Maybe not in /etc/ssl/private for security reasons? 10-ssl.conf uses the same file name for certificate and private key; better change this, too.
On Mon, 16 Feb 2015 10:09:16 +0100 "Wolfgang Gross" WGross@uni-hd.de wrote:
> Hi,
> this is not a genuine Dovecot bug, more a nuisance. It applies to OpenSuse 13.2 but maybe also to other Linuxes.
> The standard installation of Dovecot (especially 10-ssl.conf) places the certificate dovecot.pem in /etc/ssl/certs. Sometimes during updates OpenSuse renews all certificates in /etc/ssl/certs and erases dovecot.pem. This blocks further access to the mailbox.
> I found a similar report here: https://bbs.archlinux.de/viewtopic.php?id=27288
> Workaround: Move dovecot.pem to another directory and change 10-ssl.conf accordingly.
This is *not* our update mechanism. This is update-ca-certificates, which will wipe /etc/ssl/certs/ when it is called. This can happen to you on any distro using it. My recommendation is to use /etc/ssl/private/ for all service related files. Certs and keys.
HTH
darix
-- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
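An added example (not from the thread or from the Dovecot project): a POSIX shell check that reads the `ssl_cert` and `ssl_key` paths from a Dovecot config such as 10-ssl.conf and flags files inside the directory that update-ca-certificates rewrites, a certificate and key that share one file name in different directories, and a key readable beyond its owner. It assumes the `setting = </path` form for these settings; the function names, the `MANAGED_DIR` variable, the finding labels and the config path in the last comment are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit ssl_cert / ssl_key in a Dovecot config.
# MANAGED_DIR: directory that update-ca-certificates rewrites, per the thread.
MANAGED_DIR="${MANAGED_DIR:-/etc/ssl/certs}"

# Print the path from an uncommented "setting = </path" line; last one wins.
dovecot_path() {  # usage: dovecot_path <setting> <conf-file>
    sed -n "s|^[[:space:]]*$1[[:space:]]*=[[:space:]]*<[[:space:]]*\([^[:space:]#]*\).*|\1|p" "$2" |
        tail -n 1
}

# Print one finding per line; return 1 if there is any finding, else 0.
audit_dovecot_ssl() {  # usage: audit_dovecot_ssl <conf-file>
    findings=0
    cert=$(dovecot_path ssl_cert "$1")
    key=$(dovecot_path ssl_key "$1")
    for f in "$cert" "$key"; do
        case "$f" in
            "$MANAGED_DIR"/*)
                echo "AT-RISK: $f is inside $MANAGED_DIR and can be wiped"
                findings=1 ;;
        esac
    done
    # Same basename in different directories: moving both files into one
    # directory (for example /etc/ssl/private) would overwrite one of them.
    if [ -n "$cert" ] && [ "$cert" != "$key" ] &&
       [ "${cert##*/}" = "${key##*/}" ]; then
        echo "SAME-NAME: $cert and $key share the name ${cert##*/}"
        findings=1
    fi
    # The private key should carry no group/other permission bits
    # (ls -L follows a symlink to the real file).
    if [ -n "$key" ] && [ -e "$key" ]; then
        perms=$(ls -ldL "$key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "PERMS: $key is accessible beyond its owner"
            findings=1
        fi
    fi
    return "$findings"
}

# Stand-alone use (assumed path): sh audit.sh /etc/dovecot/conf.d/10-ssl.conf
if [ "$#" -gt 0 ]; then audit_dovecot_ssl "$1"; fi
```

Run it after package updates or from a monitoring job; a non-zero exit status means at least one finding was printed.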
participants (3)
- Marcus Rückert
- Nick Edwards
- Wolfgang Gross