Dovecot stops responding when I update SSL certificate

Joseph Tam jtam.home at gmail.com
Sun Mar 6 02:45:58 UTC 2016


HotSlots Webmaster <webmaster at hotslots132.com> writes:

> I have had Dovecot working fine with SSL for nearly two years now. It's
> time to renew the SSL certificate, so I did (same CA). The new
> certificate works fine in Apache and Postfix. But when I update Dovecot
> to use the same certificate, and restart the server, Dovecot stops
> responding to connects.
> ...
> Here is the end of the dovecot -n file that mentions SSL:
> ...
> ssl_dh_parameters_length = 2048

When you start dovecot, does CPU load of dovecot/ssl-params roof to 100%?
It's possible it's generating ephemeral DH keys.  In a previous post
to this list, I note that the run time to generate these keys can vary
wildly, and gets worse with longer keys.  Sometimes you get lucky, and
you'll generate them quickly, sometimes it takes a long while (minutes).

 	http://dovecot.org/pipermail/dovecot/2015-November/102447.html

Try running

 	openssl dhparam -noout 2048

to see how it varies for you.  If what I suspect is true, you can try
using shorter keys.  A followup post suggests a way you can precompute
the key.

Joseph Tam <jtam.home at gmail.com>
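
The timing check suggested above, repeated several times so the spread between runs is visible. This is an added example, not part of the original post; the function name `dh_timing` and the `DHPARAM_CMD` override are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: time repeated DH parameter generation and report the spread.
# DHPARAM_CMD is a hypothetical override used for dry runs; it is not an
# openssl or Dovecot setting. By default the command from the post is run.

dh_timing() {
    bits=${1:-2048}     # parameter length, as in ssl_dh_parameters_length
    runs=${2:-5}        # number of generations to time
    min=''; max=0; total=0; i=0
    while [ "$i" -lt "$runs" ]; do
        start=$(date +%s)
        # Word splitting of the command string is intentional here.
        if ! ${DHPARAM_CMD:-openssl dhparam -noout} "$bits" >/dev/null 2>&1; then
            echo "generation failed on run $((i + 1))" >&2
            return 1
        fi
        elapsed=$(( $(date +%s) - start ))
        total=$((total + elapsed))
        if [ -z "$min" ] || [ "$elapsed" -lt "$min" ]; then min=$elapsed; fi
        if [ "$elapsed" -gt "$max" ]; then max=$elapsed; fi
        i=$((i + 1))
    done
    # Whole seconds only; a large gap between min and max is the variance
    # described in the post.
    printf 'bits=%s runs=%s min=%ss max=%ss avg=%ss\n' \
        "$bits" "$runs" "$min" "$max" "$((total / runs))"
}

# Run only when arguments are given, e.g.:  sh dh_timing.sh 2048 5
if [ "$#" -gt 0 ]; then
    dh_timing "$@"
fi
```

Running it once with 1024 and once with 2048 shows both effects mentioned above: the run-to-run spread and the growth with key length.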

