creation of ssl-parameters fails

Kai Schaetzl maillists at conactive.com
Mon Aug 20 14:32:58 EEST 2018


Aki Tuomi wrote on Sun, 19 Aug 2018 20:56:28 +0300 (EEST):

> openssl gendh 4096 > params.pem

Ok. I then misunderstood what's written at
https://wiki.dovecot.org/SSL/DovecotConfiguration

I thought I need to create dh.pem in two steps:

1. openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
2. dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem

That's what I did on the first installation. ssl-parameters.dat already 
existed and I just used the second command to transform it. Now I thought 
I must have generated ssl-parameters.dat with the first command back 
then. But apparently I hadn't.

Now I was trying to do steps 1 and 2, and that fails because the 
generated ssl-parameters.dat is apparently not in the expected format.

Basically
openssl dhparam 4096 > /etc/dovecot/dh.pem
would do the trick? I misread that from the wiki.

Before reading your reply I checked
https://www.openssl.org/docs/man1.0.2/apps/dhparam.html
and tried this command:
openssl dhparam -outform DER -out /etc/dovecot/dh-new.pem -2 4096
(after reading Alexander's reply).
It just finished and dovecot seems to be working with it, although it's 
got no DH header line. At least dovecot doesn't complain when starting up.
Anyway, I'll now reuse the dh.pem from no. 1 on the other machines.

Thanks for the help!

Kai
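The confusion above is about which encoding ends up in the file Dovecot loads (PEM with a "BEGIN DH PARAMETERS" header, or raw DER with none) and whether it really holds a 4096-bit group. Below is an added inspector, not code from the thread or from Dovecot, that reads either encoding and reports p, g and the size; it assumes the standard PKCS#3 DHParameter structure (SEQUENCE { INTEGER p, INTEGER g }), and the sample group (p = 23, g = 5) is a constructed toy value, not something to deploy.

```python
import base64
import re

# PEM body between the headers that `openssl dhparam` normally writes.
PEM_RE = re.compile(rb"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes (4096-bit p needs this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(data: bytes) -> dict:
    """Return encoding, p, g and the bit length of p; accepts PEM or raw DER input."""
    m = PEM_RE.search(data)
    encoding = "PEM" if m else "DER"
    der = base64.b64decode(m.group(1)) if m else data
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE: not DH parameters?")
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p followed by INTEGER g")
    p = int.from_bytes(p_bytes, "big")  # a leading 0x00 pad byte is harmless here
    g = int.from_bytes(g_bytes, "big")
    return {"encoding": encoding, "p": p, "g": g, "bits": p.bit_length()}


def check_dh_params(data: bytes, min_bits: int = 2048) -> list:
    """Sanity findings to review before pointing ssl_dh at the file."""
    info = parse_dh_params(data)
    findings = []
    if info["bits"] < min_bits:
        findings.append(f"p is only {info['bits']} bits (want >= {min_bits})")
    if info["p"] % 2 == 0:
        findings.append("p is even, so it cannot be prime")
    if not 2 <= info["g"] < info["p"] - 1:
        findings.append("g is outside the range 2 .. p-2")
    if info["encoding"] == "DER":
        findings.append("file is DER: no 'BEGIN DH PARAMETERS' header line")
    return findings


# Constructed sample: p = 23 (a safe prime), g = 5 -> DER bytes 30 06 02 01 17 02 01 05.
SAMPLE_DER = bytes.fromhex("3006020117020105")
SAMPLE_PEM = (b"-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END DH PARAMETERS-----\n")
```

Run `check_dh_params(open("/etc/dovecot/dh.pem", "rb").read())` on a real file; an empty list means the size, parity, generator range and PEM header all look right.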
