ssl_key_password loaded from file: 'Couldn't parse private ssl_key'

B. R. reallfqq-dovecot at yahoo.fr
Mon Sep 21 17:11:50 UTC 2015


Hello,

Thanks for your answer.

I read this Wiki tip, but it does not fit, as I serve emails for several
domains, each using its own (potentially enciphered) private key.
I thus need to use the directive as part of a local_name block.

I tried to create 2 blocks in 2 different files automatically loaded from
conf.d:
### private.conf ### <-- prevented read permission for other than root:root
local_name mydomain {
    ssl_key_password = mypass
}

### 10-ssl.conf ###
local_name mydomain {
    ssl_cert = <mycert
    ssl_key = <mykey
}

But that failed with 'Couldn't open include file
/etc/dovecot/conf.d/private.conf: Permission denied'
Restricting rights directly on 10-ssl.conf failed with a similar error:
'Couldn't open include file /etc/dovecot/conf.d/10-ssl.conf: Permission
denied'

So far, I have not found a reliable way of using enciphered private keys
with dovecot...
---
*B. R.*

On Sun, Sep 20, 2015 at 4:00 PM, Christian Kivalo <ml+dovecot at valo.at>
wrote:

> Hi,
>
> On 2015-09-20 15:35, B. R. wrote:
>
>> As this is my first message to this ML: Hello!
>>
>> I am using a password-protected SSL key for my dovecot MDA.
>> When I tried to use the ssl_key_password configuration directive as
>> follows:
>> ssl_key_password = </path/to/passfile
>> it did not work as I logged the following:
>> dovecot: imap-login: Error: SSL: Stacked error: error:06065064:digital
>> envelope routines:EVP_DecryptFinal_ex:bad decrypt
>> dovecot: imap-login: Fatal: Couldn't parse private ssl_key:
>> error:0906A065:PEM routines:PEM_do_header:bad decrypt
>>
>> However, not using the file inclusion but directly configuring as follows:
>> ssl_key_password = mypass
>> did work...
>>
>
> I don't know for sure but maybe it's not implemented to load the password
> from a file...
>
> Reading http://wiki2.dovecot.org/SSL/DovecotConfiguration suggests to use
> an extra config file with tightened permissions that only contains the
> "ssl_key_password = $password" configuration directive and include this
> file with "!include_try $file".
>
> That way you could swap that file out automatically when renewing the
> private key.
>
>> I am loading my certificate & key with the file inclusion trick... How come
>> I cannot use that for the password file?
>> It would avoid inputting the password directly into the dovecot configuration
>> files, forcing me to change permissions and duplicating it... When
>> renewing
>> the private key I will be forced to edit the password at every location.
>>
>> Is it a bug? or a feature? :D
>> ---
>> *B. R.*
>>
>
> Regards
> christian
>

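Two checks that a practitioner would run offline before pointing Dovecot at a passphrase file, as an added example that is not part of the thread or of Dovecot itself: that the file is readable by its owner only, and that the passphrase it holds actually decrypts the PEM key (the same condition Dovecot reports as "Couldn't parse private ssl_key ... bad decrypt"). The script assumes the openssl command-line tool is installed; the key, the passphrase "mypass" and the file names are constructed fixtures, and the first-line-only reading of the passphrase file is OpenSSL's own `file:` behaviour, not a statement about how Dovecot's `<file` inclusion reads it.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: offline checks for a
# passphrase file intended for ssl_key_password. Assumes the openssl CLI.

# Return 0 if FILE exists and has no group/other permission bits set,
# 1 otherwise. Parses 'ls -l' columns 5-10 so it works on GNU and BSD.
passfile_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    case $(ls -ld "$f" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Return 0 if the passphrase in PASSFILE decrypts the PEM key in KEYFILE,
# 1 if it does not ("bad decrypt"), 2 if openssl is not installed.
# OpenSSL's "file:" source reads only the first line of PASSFILE.
key_decrypts_with() {
    key=$1
    passfile=$2
    command -v openssl >/dev/null 2>&1 || return 2
    if openssl pkey -in "$key" -passin "file:$passfile" -noout 2>/dev/null; then
        return 0
    else
        return 1
    fi
}

# Build a constructed fixture in a temporary directory: a throwaway
# AES-encrypted RSA key, a correct passphrase file with mode 0600 and a
# wrong passphrase file deliberately left world-readable. Prints the path.
make_fixture() {
    d=$(mktemp -d)
    printf 'mypass\n' > "$d/pass.ok"      # passphrase from the thread, constructed
    printf 'wrong\n'  > "$d/pass.bad"
    chmod 600 "$d/pass.ok"
    chmod 644 "$d/pass.bad"               # too open: fails passfile_is_private
    if command -v openssl >/dev/null 2>&1; then
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -aes256 -pass "file:$d/pass.ok" -out "$d/key.pem" 2>/dev/null
    fi
    echo "$d"
}

# Human-readable report for one key/passphrase pair; exit status is the
# number of failed checks.
report() {
    key=$1
    passfile=$2
    failures=0
    if passfile_is_private "$passfile"; then
        echo "OK   $passfile is owner-readable only"
    else
        echo "FAIL $passfile is readable by group or others"
        failures=$((failures + 1))
    fi
    key_decrypts_with "$key" "$passfile"
    case $? in
        0) echo "OK   passphrase decrypts $key" ;;
        1) echo "FAIL passphrase does not decrypt $key (bad decrypt)"
           failures=$((failures + 1)) ;;
        2) echo "SKIP openssl not installed, decrypt check not run" ;;
    esac
    return "$failures"
}
```

Run `report /path/to/key.pem /path/to/passfile` against the real files; with the constructed fixture, `d=$(make_fixture); report "$d/key.pem" "$d/pass.ok"` passes both checks and `report "$d/key.pem" "$d/pass.bad"` fails both.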