Dovecot stops responding when I update SSL certificate

aki.tuomi at dovecot.fi aki.tuomi at dovecot.fi
Sun Mar 6 09:14:06 UTC 2016


> On March 6, 2016 at 4:45 AM Joseph Tam <jtam.home at gmail.com> wrote:
> 
> 
> HotSlots Webmaster <webmaster at hotslots132.com> writes:
> 
> > I have had Dovecot working fine with SSL for nearly two years now. It's
> > time to renew the SSL certificate, so I did (same CA). The new
> > certificate works fine in Apache and Postfix. But when I update Dovecot
> > to use the same certificate, and restart the server, Dovecot stops
> > responding to connects.
> > ...
> > Here is the end of the dovecot -n file that mentions SSL:
> > ...
> > ssl_dh_parameters_length = 2048
> 
> When you start dovecot, does CPU load of dovecot/ssl-params roof to 100%?
> It's possible it's generating ephemeral DH keys.  In a previous post
> to this list, I note that the run time to generate these keys can vary
> wildly, and gets worse with longer keys.  Sometimes you get lucky, and
> you'll generate them quickly, sometimes it takes a long while (minutes).
> 
>  	http://dovecot.org/pipermail/dovecot/2015-November/102447.html
> 
> Try running
> 
>  	openssl dhparam -noout 2048
> 
> to see how it varies for you.  If what I suspect is true, you can try
> using shorter keys.  A followup post suggests a way you can precompute
> the key.
> 
> Joseph Tam <jtam.home at gmail.com>

We are going to provide an ssl_dh parameter in v2.3, which replaces the current ssl
parameters daemon with a simple PEM-encoded file that you provide.

---
Aki Tuomi
Dovecot Oy

