ssl_key_password loaded from file: 'Couldn't parse private ssl_key'

Edgar Pettijohn edgar at pettijohn-web.com
Mon Sep 21 22:20:04 UTC 2015



On 09/21/2015 12:11 PM, B. R. wrote:
> Hello,
>
> Thanks for your answer.
>
> I read this Wiki tip, but it does not fit, as I serve emails for several
> domains, each using its own (potentially enciphered) private key.
> I thus need to use the directive as part of a local_name block.
>
> I tried to create 2 blocks in 2 different files automatically loaded from
> conf.d:
> ### private.conf ### <-- prevented read permission for other than root:root
> local_name mydomain {
>      ssl_key_password = mypass
> }
>
> ### 10-ssl.conf ###
> local_name mydomain {
>      ssl_cert = <mycert
>      ssl_key = <mykey
> }
Maybe try:

private.conf

local_name mydomain {
     ssl_key_password = password
     ssl_cert = </path/to/cert
     ssl_key = </path/to/key
}

I don't know if it will work or not, but it looks good.


> But that failed with 'Couldn't open include file
> /etc/dovecot/conf.d/private.conf: Permission denied'
> Restricting rights directly on 10-ssl.conf failed with a similar error:
> 'Couldn't open include file /etc/dovecot/conf.d/10-ssl.conf: Permission
> denied'
>
> So far, I have not found a reliable way of using enciphered private keys
> with dovecot...
> ---
> *B. R.*
>
> On Sun, Sep 20, 2015 at 4:00 PM, Christian Kivalo <ml+dovecot at valo.at>
> wrote:
>
>> Hi,
>>
>> On 2015-09-20 15:35, B. R. wrote:
>>
>>> As this is my first message to this ML: Hello!
>>>
>>> I am using a password-protected SSL key for my dovecot MDA.
>>> When I tried to use the ssl_key_password configuration directive as
>>> follows:
>>> ssl_key_password = </path/to/passfile
>>> it did not work as I logged the following:
>>> dovecot: imap-login: Error: SSL: Stacked error: error:06065064:digital
>>> envelope routines:EVP_DecryptFinal_ex:bad decrypt
>>> dovecot: imap-login: Fatal: Couldn't parse private ssl_key:
>>> error:0906A065:PEM routines:PEM_do_header:bad decrypt
>>>
>>> However, not using the file inclusion but directly configuring as follows:
>>> ssl_key_password = mypass
>>> did work...
>>>
>> I don't know for sure but maybe it's not implemented to load the password
>> from a file...
>>
>> Reading http://wiki2.dovecot.org/SSL/DovecotConfiguration suggests using
>> an extra config file with tightened permissions that only contains the
>> "ssl_key_password = $password" configuration directive and including this
>> file with "!include_try $file".
>>
>> That way you could swap that file out automatically when renewing the
>> private key.
>>
>>> I am loading my certificate & key with the file inclusion trick... How come
>>> I cannot use that for the password file?
>>> It would avoid inputting the password directly into the dovecot configuration
>>> files, forcing me to change permissions and duplicating it... When renewing
>>> the private key I will be forced to edit the password at every location.
>>>
>>> Is it a bug? or a feature? :D
>>> ---
>>> *B. R.*
>>>
>> Regards
>> christian
>>
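The failure described in the thread (a key that decrypts with an inline password but not with `</path/to/passfile`) is easier to isolate when the key/passphrase pair and the secret file's permissions are first checked outside Dovecot. The script below is an added example, not code from the thread or from Dovecot; it assumes the `openssl` CLI is installed and works only on constructed, throwaway files in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: a pre-flight check, independent of Dovecot,
# that an encrypted PEM key really decrypts with the passphrase stored in a
# file, and that the secret file is not world-readable. Assumes the openssl CLI.

# Returns 0 if the key in $1 decrypts with the first line of passphrase file $2
# (openssl's "file:" passin source reads only the first line, newline excluded).
key_decrypts_with_file() {
    openssl pkey -in "$1" -passin "file:$2" -noout >/dev/null 2>&1
}

# Returns 0 if file $1 has the "other: read" bit set, i.e. is world-readable.
is_world_readable() {
    [ -n "$(find "$1" -perm -o+r 2>/dev/null)" ]
}

# Self-test on constructed, throwaway material in a temporary directory.
# Returns 0 only if every expectation holds.
run_demo() {
    d=$(mktemp -d) || return 1
    printf 'correct-horse\n' > "$d/pass.txt"   # constructed passphrase, trailing newline kept
    printf 'wrong-horse\n' > "$d/wrong.txt"    # constructed wrong passphrase
    chmod 600 "$d/pass.txt"
    chmod 644 "$d/wrong.txt"
    # Constructed AES-256-CBC-encrypted RSA key protected by pass.txt.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "file:$d/pass.txt" -out "$d/key.pem" >/dev/null 2>&1 \
        || { rm -rf "$d"; return 1; }
    status=0
    key_decrypts_with_file "$d/key.pem" "$d/pass.txt"  || status=1   # must succeed
    key_decrypts_with_file "$d/key.pem" "$d/wrong.txt" && status=1   # must fail
    is_world_readable "$d/pass.txt"  && status=1   # mode 0600: must not be readable
    is_world_readable "$d/wrong.txt" || status=1   # mode 0644: must be readable
    rm -rf "$d"
    return "$status"
}

run_demo && echo "key/passphrase pair verified and secret file is not world-readable"
```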