[opensuse] dovecot broken in leap 42.1
Having upgraded to leap 42.1 about a week ago, everything seemed fine. Yesterday, however, I noticed that things were not happening with my mail server (dovecot 2.2). Checking the status using systemctl, I get the following error:

    imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
    imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line
    master: Error: service(imap-login): command startup failed, throttling for 2 secs

As it was working happily at one stage, I can only guess that it was broken by an update at some stage. Does anyone know how to fix it please? Has anyone else experienced this problem? Thanks for your help and suggestions.

Eddie
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Saturday, November 14, 2015 10:20:39 AM eddie wrote:
Checking the status using systemctl, I get the following error:
    imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
    imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line
    master: Error: service(imap-login): command startup failed, throttling for 2 secs
As it was working happily at one stage, I can only guess that it was broken by an update, at some stage.
Does anyone know how to fix it please? Has anyone else experienced this problem?
Have you edited /etc/dovecot/conf.d/10-ssl.conf to set the paths for the keys? The old config is incompatible with the upgraded dovecot. Also, you'll probably need to edit /etc/apparmor.d/usr.lib.dovecot.config to allow access to the keys, if you're using apparmor.
On Saturday 14 Nov 2015 12:33:45 auxsvr wrote:
On Saturday, November 14, 2015 10:20:39 AM eddie wrote:
Checking the status using systemctl, I get the following error:
    imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
    imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line
    master: Error: service(imap-login): command startup failed, throttling for 2 secs
As it was working happily at one stage, I can only guess that it was broken by an update, at some stage.
Does anyone know how to fix it please? Has anyone else experienced this problem?
Have you edited /etc/dovecot/conf.d/10-ssl.conf to set the paths for the keys? The old config is incompatible with the upgraded dovecot. Also, you'll probably need to edit /etc/apparmor.d/usr.lib.dovecot.config to allow access to the keys, if you're using apparmor.
Yes, I edited /etc/dovecot/conf.d/10-ssl.conf. I wasn't using apparmor before, but I discovered that it was enabled, so I unchecked "enable apparmor". Still didn't make any difference. You said that the old config is incompatible. Which config file would that be? Do I need to scrap everything and start from scratch?
eddie wrote:
Having upgraded to leap 42.1 about a week ago, everything seemed fine. Yesterday, however, I noticed that things were not happening with my mail server (dovecot 2.2). Checking the status using systemctl, I get the following error:
    imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
    imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line
    master: Error: service(imap-login): command startup failed, throttling for 2 secs
I think your dovecot is having trouble reading in some certificate. If you google "imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key", you'll get a few hits; all seem to be related to malformed certificates.

-- 
Per Jessen, Zürich (10.7°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On Saturday 14 Nov 2015 11:37:27 Per Jessen wrote:
eddie wrote:
Having upgraded to leap 42.1 about a week ago, everything seemed fine. Yesterday, however, I noticed that things were not happening with my mail server (dovecot 2.2). Checking the status using systemctl, I get the following error:
    imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
    imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line
    master: Error: service(imap-login): command startup failed, throttling for 2 secs
I think your dovecot is having trouble reading in some certificate. If you google "imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key", you'll get a few hits, all seem to be related to malformed certificates.
The interesting thing is that the certificate was working okay before, and now the mail server has problems with it. I've tried building another one using the tools provided by dovecot in /usr/share/doc/packages/dovecot, but still get the same result.
On Sun, Nov 15, 2015 at 12:26:17PM +0000, eddie wrote:
On Saturday 14 Nov 2015 11:37:27 Per Jessen wrote:
eddie wrote:
Having upgraded to leap 42.1 about a week ago, everything seemed fine. Yesterday, however, I noticed that things were not happening with my mail server (dovecot 2.2). Checking the status using systemctl, I get the following error:
    imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
    imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line
    master: Error: service(imap-login): command startup failed, throttling for 2 secs
I think your dovecot is having trouble reading in some certificate. If you google "imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key", you'll get a few hits, all seem to be related to malformed certificates.
The interesting thing is that the certificate was working okay before and now the mail server has problems with it. I've tried building another one using the tools provided by dovecot: in /usr/share/doc/packages/dovecot but still get the same result.
We had a regression in openssl related to renegotiation and EC certificates.

Is this a client certificate?

Can you test openssl from http://download.opensuse.org/repositories/openSUSE:/Maintenance:/4194/openSU... and see if that helps?

Ciao, Marcus
On Sunday 15 Nov 2015 13:29:40 you wrote:
On Sun, Nov 15, 2015 at 12:26:17PM +0000, eddie wrote:
On Saturday 14 Nov 2015 11:37:27 Per Jessen wrote:
eddie wrote:
Having upgraded to leap 42.1 about a week ago, everything seemed fine. Yesterday, however, I noticed that things were not happening with my mail server (dovecot 2.2). Checking the status using systemctl, I get the following error:
    imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
    imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line
    master: Error: service(imap-login): command startup failed, throttling for 2 secs
I think your dovecot is having trouble reading in some certificate. If you google "imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key", you'll get a few hits, all seem to be related to malformed certificates.
The interesting thing is that the certificate was working okay before and now the mail server has problems with it. I've tried building another one using the tools provided by dovecot: in /usr/share/doc/packages/dovecot but still get the same result.
We had a regression in openssl related to renegotiation and EC certificates.
Is this a client certificate?
Can you test openssl from http://download.opensuse.org/repositories/openSUSE:/Maintenance:/4194/openSUSE_Leap_42.1_Update/ and see if that helps?
Ciao, Marcus
Thank you Marcus, your message helped me to solve the problem. I wasn't sure whether it was a server or client certificate, so I did some reading. Having convinced myself that it was a server certificate, I checked dovecot's mkcert.sh and found discrepancies which, when I corrected them, let me get the server up and running. I did test openssl from the maintenance site and that seemed to work okay too. In fact, I did the initial test with that version, then reset everything and tried again with the original version. Both worked okay. Thanks very much to all who replied and tried to assist. It was very much appreciated.

Eddie
On Sunday 15 Nov 2015 13:29:40 you wrote:
On Sun, Nov 15, 2015 at 12:26:17PM +0000, eddie wrote:
On Saturday 14 Nov 2015 11:37:27 Per Jessen wrote:
eddie wrote:
Having upgraded to leap 42.1 about a week ago, everything seemed fine. Yesterday, however, I noticed that things were not happening with my mail server (dovecot 2.2). Checking the status using systemctl, I get the following error:
    imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
    imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line
    master: Error: service(imap-login): command startup failed, throttling for 2 secs
I think your dovecot is having trouble reading in some certificate. If you google "imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key", you'll get a few hits, all seem to be related to malformed certificates.
The interesting thing is that the certificate was working okay before and now the mail server has problems with it. I've tried building another one using the tools provided by dovecot: in /usr/share/doc/packages/dovecot but still get the same result.
We had a regression in openssl related to renegotiation and EC certificates.
Is this a client certificate?
Can you test openssl from http://download.opensuse.org/repositories/openSUSE:/Maintenance:/4194/openS USE_Leap_42.1_Update/
and see if that helps?
Ciao, Marcus
Oh, I guess I should have detailed the problem. In the original mkcert.sh it had the following lines:

    CERTDIR=$SSLDIR/private
    KEYDIR=$SSLDIR/private
    CERTFILE=$CERTDIR/dovecot.crt
    KEYFILE=$KEYDIR/dovecot.pem
    if [ ! -d $CERTDIR ]; then
        echo "$SSLDIR/certs directory doesn't exist"
        exit 1
    fi

In my 10-ssl.conf file I had the following:

    ssl_cert =
On 2015-11-15 14:27:39 +0000, eddie wrote:
    CERTDIR=$SSLDIR/private
    KEYDIR=$SSLDIR/private
both in private was actually intentional. /etc/ssl/certs/ is maintained by a script which will delete your cert files.

darix
-- 
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
On Sunday 15 Nov 2015 21:55:39 Marcus Rueckert wrote:
On 2015-11-15 14:27:39 +0000, eddie wrote:
    CERTDIR=$SSLDIR/private
    KEYDIR=$SSLDIR/private
both in private was actually intentional. /etc/ssl/certs/ is maintained by a script which will delete your cert files.
darix
Thanks, that is useful to know. I will relocate my file.
Marcus Rueckert wrote:
On 2015-11-15 14:27:39 +0000, eddie wrote:
    CERTDIR=$SSLDIR/private
    KEYDIR=$SSLDIR/private
both in private was actually intentional. /etc/ssl/certs/ is maintained by a script which will delete your cert files.

Which script? /usr/sbin/update-ca-certificates?

Why does this script delete user-defined certificates? Where else should I place user-defined certificates?

Greetings, Björn
On 2015-11-24 10:31:47 +0100, Bjoern Voigt wrote:
Marcus Rueckert wrote:
On 2015-11-15 14:27:39 +0000, eddie wrote:
    CERTDIR=$SSLDIR/private
    KEYDIR=$SSLDIR/private
both in private was actually intentional. /etc/ssl/certs/ is maintained by a script which will delete your cert files.
Which script? /usr/sbin/update-ca-certificates?
Why does this script delete user defined certificates?
/etc/ssl/certs/ is meant to have CA certs only.
Where should I place user defined certificates else?
/etc/ssl/private/

darix
-- 
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
On 2015-11-24 10:31:47 +0100, Bjoern Voigt wrote:
Marcus Rueckert wrote:
On 2015-11-15 14:27:39 +0000, eddie wrote:
    CERTDIR=$SSLDIR/private
    KEYDIR=$SSLDIR/private
both in private was actually intentional. /etc/ssl/certs/ is maintained by a script which will delete your cert files.
Which script? /usr/sbin/update-ca-certificates?

Why does this script delete user-defined certificates?
/etc/ssl/certs/ is meant to have CA certs only.

Where else should I place user-defined certificates?
/etc/ssl/private/

OK, I see, /etc/ssl/certs is a symlink to /var/lib/ca-certificates/pem/ on openSUSE. /etc/ssl/private/ looks like a location for private certificates. CA certificates for validation purposes cannot be placed there, because it's only accessible to root:

    $ ls -ld /etc/ssl/private/
    drwx------ 2 root root 4096 17. Jun 15:37 /etc/ssl/private/

I wonder where I should place additional (non-default) CA certificates. Until now I used /etc/ssl/certs for them.

Greetings, Björn
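Two things went wrong in this thread and both can be checked before restarting Dovecot: eddie's 10-ssl.conf pointed at a file that did not carry the PEM block OpenSSL was asked for (that is what "PEM routines:PEM_read_bio:no start line" means: the file opened, but no matching "-----BEGIN ...-----" line was found), and, as darix explains, a server certificate dropped into /etc/ssl/certs/ is removed the next time update-ca-certificates rebuilds that directory, which is consistent with a setup that worked until an update. The script below is an added example written for this page, not code from the thread, from Dovecot or from openSUSE. It reads the ssl_cert/ssl_key paths out of a Dovecot conf file (Dovecot's "ssl_cert = </path" syntax), refuses paths under /etc/ssl/certs/, checks the PEM labels in each file, and, when the openssl CLI is installed, confirms that the private key actually belongs to the certificate. The conf path in the usage comment is an assumption; the checks themselves need only sed, grep and sh.

```shell
#!/bin/sh
# dovecot-ssl-doctor: added example for this thread, not Dovecot or openSUSE code.
# Checks the ssl_cert / ssl_key files a Dovecot 10-ssl.conf points at:
#   1. the configured path is not under /etc/ssl/certs/ (rebuilt by
#      update-ca-certificates on openSUSE, so a server cert there vanishes)
#   2. each file carries the PEM block OpenSSL expects; a wrong or empty file
#      is what produces "PEM routines:PEM_read_bio:no start line"
#   3. with the openssl CLI present, the key really matches the certificate
# The conf path in the usage comment at the bottom is an assumption.

# Print the path behind "ssl_cert = </path" (Dovecot's '<' prefix means
# "read the value from this file"); $2 is ssl_cert or ssl_key.
dovecot_conf_path() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*<\(.*\)$/\1/p" "$1" | tail -n 1
}

# Exit 1 when a path lives in the CA-bundle directory that update-ca-certificates
# regenerates; site certificates belong in /etc/ssl/private/ instead.
not_in_managed_ca_dir() {
    case "$1" in
        /etc/ssl/certs/*)
            echo "$1 is under /etc/ssl/certs/, which update-ca-certificates rebuilds; use /etc/ssl/private/"
            return 1 ;;
    esac
    return 0
}

# Print the PEM labels present in a file, one per line (nothing if none).
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" 2>/dev/null
}

# Exit 0 if the file carries at least one block with exactly this label.
pem_has_label() {
    pem_labels "$1" | grep -qx "$2"
}

# Label-level check of a cert/key pair. Returns:
#   0  cert file has a CERTIFICATE block and key file has a private-key block
#   1  no CERTIFICATE block in the cert file (-> "no start line" on ssl_cert)
#   2  no private-key block in the key file  (-> "no start line" on ssl_key)
#   3  a file is missing or unreadable
dovecot_ssl_label_check() {
    cert=$1 key=$2
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "missing or unreadable: $cert / $key"
        return 3
    fi
    if ! pem_has_label "$cert" CERTIFICATE; then
        echo "ssl_cert $cert: no CERTIFICATE block (labels found: $(pem_labels "$cert" | tr '\n' ' '))"
        return 1
    fi
    if ! pem_labels "$key" | grep -qE '^(EC |RSA |ENCRYPTED )?PRIVATE KEY$'; then
        echo "ssl_key $key: no private-key block (labels found: $(pem_labels "$key" | tr '\n' ' '))"
        return 2
    fi
    return 0
}

# Deeper check when the openssl CLI is installed: parse both files and confirm
# the private key belongs to the certificate by comparing the public keys.
dovecot_ssl_openssl_check() {
    cert=$1 key=$2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping"; return 0; }
    openssl x509 -in "$cert" -noout -subject -enddate || return 1
    openssl pkey -in "$key" -noout || return 1
    a=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum)
    b=$(openssl pkey -in "$key" -pubout -outform DER | sha256sum)
    [ "$a" = "$b" ] || { echo "private key does not match certificate"; return 1; }
    echo "certificate and key match"
}

# Run everything against one conf file. Usage (assumed path):
#   dovecot_ssl_doctor /etc/dovecot/conf.d/10-ssl.conf
dovecot_ssl_doctor() {
    cert=$(dovecot_conf_path "$1" ssl_cert)
    key=$(dovecot_conf_path "$1" ssl_key)
    [ -n "$cert" ] && [ -n "$key" ] || { echo "ssl_cert/ssl_key not set in $1"; return 1; }
    not_in_managed_ca_dir "$cert" || return 1
    dovecot_ssl_label_check "$cert" "$key" || return 1
    dovecot_ssl_openssl_check "$cert" "$key"
}
```

Source the file and call dovecot_ssl_doctor as root, since /etc/ssl/private/ is mode 0700 as Björn's ls output shows; Dovecot itself reads the files before dropping privileges, so root-only permissions on the key are the right setting, not the cause of the error. The label check deliberately distinguishes "wrong file" (return 1 or 2) from "no file" (return 3), because a cert file that was deleted by a CA-bundle rebuild and a cert file that was never a certificate look identical in Dovecot's log.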
participants (6)
- auxsvr
- Bjoern Voigt
- eddie
- Marcus Meissner
- Marcus Rueckert
- Per Jessen