Problem with Let's Encrypt Certificate

Shawn Heisey elyograg at elyograg.org
Fri Feb 17 22:26:38 UTC 2017


On 2/17/2017 2:38 PM, chaouche yacine wrote:
> Seems wrong to me too, Robert. If you put your private key inside your certificate, won't it be sent to the client along with it?

The private key should not be sent to the connecting client, even if it
is contained in the same place as the certificate(s).  If that data *is*
sent to the client, that's a bug, probably in the SSL library (usually
openssl).

I am not using letsencrypt for my personal install, but my certificate
provider does use one intermediate, just like letsencrypt does.  I have
the server certificate, the intermediate certificate, and the private
key all in the same file, and my dovecot config contains these lines,
both referring to that file:

ssl_cert_file = /etc/ssl/certs/local/imap.REDACTED.com.pem
ssl_key_file = /etc/ssl/certs/local/imap.REDACTED.com.pem

This file is owned by root and has 600 permissions.  Because root
permissions are required in order to bind to port numbers below 1024,
dovecot typically will initially start as root, then drop permissions as
required.

hostname:/etc/ssl/certs/local# ls -al imap.REDACTED.com.pem
-rw------- 1 root root 6266 Jan  6 20:47 imap.REDACTED.com.pem

Thanks,
Shawn
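For anyone who wants to verify a combined bundle like the one described above (server certificate, intermediate and private key in one root-owned, mode-600 file), here is an added audit script; it is not from the thread or from Dovecot, and the bundle path and PEM contents it inspects are constructed for illustration (the PEM bodies are placeholders, not real keys or certificates).

```python
import os
import re
import stat
import tempfile

# One PEM block; group 1 captures the label ("CERTIFICATE", "RSA PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def inspect_pem_bundle(path):
    """Count certificate and private-key blocks in a bundle and check its file permissions.

    Returns a dict: number of certificates, number of private keys, whether the file is
    owned by root (uid 0), and whether no group/other permission bits are set (mode 600-ish).
    """
    with open(path) as f:
        labels = [m.group(1) for m in PEM_BLOCK.finditer(f.read())]
    st = os.stat(path)
    return {
        "certificates": sum(1 for lbl in labels if lbl == "CERTIFICATE"),
        "private_keys": sum(1 for lbl in labels if lbl.endswith("PRIVATE KEY")),
        "owned_by_root": st.st_uid == 0,
        "mode_is_private": (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0,
    }


def bundle_problems(report):
    """Turn an inspect_pem_bundle() report into findings; an empty list means it looks fine."""
    problems = []
    if report["private_keys"] != 1:
        problems.append("expected exactly one private key, found %d" % report["private_keys"])
    if report["certificates"] < 1:
        problems.append("no certificate block found")
    if not report["owned_by_root"]:
        problems.append("file is not owned by root")
    if not report["mode_is_private"]:
        problems.append("file is readable or writable by group/other; chmod 600 it")
    return problems


def demo():
    """Write a constructed sample bundle (placeholder PEM bodies) with mode 600 and inspect it."""
    sample = (
        "-----BEGIN CERTIFICATE-----\nMIIBconstructedServerCert\n-----END CERTIFICATE-----\n"
        "-----BEGIN CERTIFICATE-----\nMIIBconstructedIntermediate\n-----END CERTIFICATE-----\n"
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedKey\n-----END RSA PRIVATE KEY-----\n"
    )
    fd, path = tempfile.mkstemp(suffix=".pem")  # constructed temporary bundle
    with os.fdopen(fd, "w") as f:
        f.write(sample)
    os.chmod(path, 0o600)
    try:
        return inspect_pem_bundle(path)
    finally:
        os.unlink(path)
```

Run `bundle_problems(inspect_pem_bundle("/etc/ssl/certs/local/your-bundle.pem"))` against a real bundle; the ownership finding will only be clean when the file really belongs to root.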