dovecot broken in leap 42.1


dovecot broken in leap 42.1

eddie-83
Having upgraded to leap 42.1 about a week ago, everything seemed fine.
Yesterday, however, I noticed that things were not happening with my mail
server (dovecot 2.2).
Checking the status using systemctl, I get the following error:

imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope
routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM
routines:PEM_read_bio:no start line
master: Error: service(imap-login): command startup failed, throttling for 2
secs

As it was working happily at one stage, I can only guess that it was broken by
an update, at some stage.

Does anyone know how to fix it please?  Has anyone else experienced this
problem?

Thanks for your help and suggestions.
Eddie
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: dovecot broken in leap 42.1

auxsvr
On Saturday, November 14, 2015 10:20:39 AM eddie wrote:

> Checking the status using systemctl, I get the following error:
>
> imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope
> routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
> imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM
> routines:PEM_read_bio:no start line
> master: Error: service(imap-login): command startup failed, throttling
> for 2 secs
>
> As it was working happily at one stage, I can only guess that it was
> broken by an update, at some stage.
>
> Does anyone know how to fix it please?  Has anyone else experienced
> this problem?

Have you edited /etc/dovecot/conf.d/10-ssl.conf to set the paths for the
keys? The old config is incompatible with the upgraded dovecot. Also,
you'll probably need to edit /etc/apparmor.d/usr.lib.dovecot.config to
allow access to the keys, if you're using apparmor.

Re: dovecot broken in leap 42.1

Per Jessen
In reply to this post by eddie-83
eddie wrote:

> Having upgraded to leap 42.1 about a week ago, everything seemed fine.
> Yesterday, however, I noticed that things were not happening with my
> mail server (dovecot 2.2).
> Checking the status using systemctl, I get the following error:
>
> imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope
> routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
> imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM
> routines:PEM_read_bio:no start line
> master: Error: service(imap-login): command startup failed, throttling
> for 2 secs

I think your dovecot is having trouble reading in some certificate.
If you google "imap-login: Error: SSL: Stacked error:
error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting
a ec key", you'll get a few hits, all of which seem to be related to
malformed certificates.



--
Per Jessen, Zürich (10.7°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.


Re: dovecot broken in leap 42.1

eddie-83
On Saturday 14 Nov 2015 11:37:27 Per Jessen wrote:

> eddie wrote:
> > Having upgraded to leap 42.1 about a week ago, everything seemed fine.
> > Yesterday, however, I noticed that things were not happening with my
> > mail server (dovecot 2.2).
> > Checking the status using systemctl, I get the following error:
> >
> > imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope
> > routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
> > imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM
> > routines:PEM_read_bio:no start line
> > master: Error: service(imap-login): command startup failed, throttling
> > for 2 secs
>
> I think your dovecot is having trouble reading in some certificate.
> If you google "imap-login: Error: SSL: Stacked error:
> error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting
> a ec key", you'll get a few hits, all seem to be related to malformed
> certificates.

The interesting thing is that the certificate was working okay before and now
the mail server has problems with it. I've tried building another one using
the tools provided by dovecot: in /usr/share/doc/packages/dovecot but still
get the same result.

Re: dovecot broken in leap 42.1

Marcus Meissner
On Sun, Nov 15, 2015 at 12:26:17PM +0000, eddie wrote:

> On Saturday 14 Nov 2015 11:37:27 Per Jessen wrote:
> > eddie wrote:
> > > Having upgraded to leap 42.1 about a week ago, everything seemed fine.
> > > Yesterday, however, I noticed that things were not happening with my
> > > mail server (dovecot 2.2).
> > > Checking the status using systemctl, I get the following error:
> > >
> > > imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope
> > > routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
> > > imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM
> > > routines:PEM_read_bio:no start line
> > > master: Error: service(imap-login): command startup failed, throttling
> > > for 2 secs
> >
> > I think your dovecot is having trouble reading in some certificate.
> > If you google "imap-login: Error: SSL: Stacked error:
> > error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting
> > a ec key", you'll get a few hits, all seem to be related to malformed
> > certificates.
>
> The interesting thing is that the certificate was working okay before and now
> the mail server has problems with it. I've tried building another one using
> the tools provided by dovecot: in /usr/share/doc/packages/dovecot but still
> get the same result.

We had a regression in openssl related to renegotiation and EC certificates.

Is this a client certificate?

Can you test openssl from http://download.opensuse.org/repositories/openSUSE:/Maintenance:/4194/openSUSE_Leap_42.1_Update/

and see if that helps?

Ciao, Marcus

Re: dovecot broken in leap 42.1

eddie-83
In reply to this post by auxsvr
On Saturday 14 Nov 2015 12:33:45 auxsvr wrote:

> On Saturday, November 14, 2015 10:20:39 AM eddie wrote:
> > Checking the status using systemctl, I get the following error:
> >
> > imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope
> > routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
> > imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM
> > routines:PEM_read_bio:no start line
> > master: Error: service(imap-login): command startup failed, throttling
> > for 2 secs
> >
> > As it was working happily at one stage, I can only guess that it was
> > broken by an update, at some stage.
> >
> > Does anyone know how to fix it please?  Has anyone else experienced
> > this problem?
>
> Have you edited /etc/dovecot/conf.d/10-ssl.conf to set the paths for the
> keys? The old config is incompatible with the upgraded dovecot. Also,
> you'll probably need to edit /etc/apparmor.d/usr.lib.dovecot.config to
> allow access to the keys, if you're using apparmor.

Yes, I edited /etc/dovecot/conf.d/10-ssl.conf. I wasn't using apparmor before,
but I discovered that it was enabled, so I unchecked "enable apparmor". It still
didn't make any difference. You said that the old config is incompatible.
Which config file would that be? Do I need to scrap everything and start from
scratch?

Re: dovecot broken in leap 42.1 -- SOLVED

eddie-83
In reply to this post by Marcus Meissner
On Sunday 15 Nov 2015 13:29:40 you wrote:

> On Sun, Nov 15, 2015 at 12:26:17PM +0000, eddie wrote:
> > On Saturday 14 Nov 2015 11:37:27 Per Jessen wrote:
> > > eddie wrote:
> > > > Having upgraded to leap 42.1 about a week ago, everything seemed fine.
> > > > Yesterday, however, I noticed that things were not happening with my
> > > > mail server (dovecot 2.2).
> > > > Checking the status using systemctl, I get the following error:
> > > >
> > > > imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope
> > > > routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
> > > > imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM
> > > > routines:PEM_read_bio:no start line
> > > > master: Error: service(imap-login): command startup failed, throttling
> > > > for 2 secs
> > >
> > > I think your dovecot is having trouble reading in some certificate.
> > > If you google "imap-login: Error: SSL: Stacked error:
> > > error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting
> > > a ec key", you'll get a few hits, all seem to be related to malformed
> > > certificates.
> >
> > The interesting thing is that the certificate was working okay before and
> > now the mail server has problems with it. I've tried building another one
> > using the tools provided by dovecot: in /usr/share/doc/packages/dovecot
> > but still get the same result.
>
> We had a regression in openssl related to renegotiation and EC certificates.
>
> Is this a client certificate?
>
> Can you test openssl from
> http://download.opensuse.org/repositories/openSUSE:/Maintenance:/4194/openS
> USE_Leap_42.1_Update/
>
> and see if that helps?
>
> Ciao, Marcus

Thank you Marcus,
Your message helped me to solve the problem. I wasn't sure whether it was a
server or client certificate, so I did some reading. Having convinced myself
that it was a server certificate, I checked dovecot's mkcert.sh and found
discrepancies which, once corrected, let me get the server up and
running.

I did test openssl from the maintenance site and that seemed to work okay too.
In fact, I did the initial test with that version, then reset everything
and tried the original version again. Both worked okay.

Thanks very much to all who replied and tried to assist.  It was very much
appreciated.
Eddie

Re: dovecot broken in leap 42.1 -- SOLVED details

eddie-83
In reply to this post by Marcus Meissner
On Sunday 15 Nov 2015 13:29:40 you wrote:

> On Sun, Nov 15, 2015 at 12:26:17PM +0000, eddie wrote:
> > On Saturday 14 Nov 2015 11:37:27 Per Jessen wrote:
> > > eddie wrote:
> > > > Having upgraded to leap 42.1 about a week ago, everything seemed fine.
> > > > Yesterday, however, I noticed that things were not happening with my
> > > > mail server (dovecot 2.2).
> > > > Checking the status using systemctl, I get the following error:
> > > >
> > > > imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope
> > > > routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
> > > > imap-login: Fatal: Can't load ssl_cert: error:0906D06C:PEM
> > > > routines:PEM_read_bio:no start line
> > > > master: Error: service(imap-login): command startup failed, throttling
> > > > for 2 secs
> > >
> > > I think your dovecot is having trouble reading in some certificate.
> > > If you google "imap-login: Error: SSL: Stacked error:
> > > error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting
> > > a ec key", you'll get a few hits, all seem to be related to malformed
> > > certificates.
> >
> > The interesting thing is that the certificate was working okay before and
> > now the mail server has problems with it. I've tried building another one
> > using the tools provided by dovecot: in /usr/share/doc/packages/dovecot
> > but still get the same result.
>
> We had a regression in openssl related to renegotiation and EC certificates.
>
> Is this a client certificate?
>
> Can you test openssl from
> http://download.opensuse.org/repositories/openSUSE:/Maintenance:/4194/openS
> USE_Leap_42.1_Update/
>
> and see if that helps?
>
> Ciao, Marcus


Oh, I guess I should have detailed the problem.

In the original mkcert.sh it had the following lines:

CERTDIR=$SSLDIR/private
KEYDIR=$SSLDIR/private

CERTFILE=$CERTDIR/dovecot.crt
KEYFILE=$KEYDIR/dovecot.pem

if [ ! -d $CERTDIR ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi

In my 10-ssl.conf file I had the following:

ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem


The changes I made were:

in the mkcert.sh file:


CERTDIR=$SSLDIR/certs                       <--------
KEYDIR=$SSLDIR/private

CERTFILE=$CERTDIR/dovecot.crt
KEYFILE=$KEYDIR/dovecot.pem

In my 10-ssl.conf file I put:

ssl_cert = </etc/ssl/certs/dovecot.crt               <--------
ssl_key = </etc/ssl/private/dovecot.pem



Re: dovecot broken in leap 42.1 -- SOLVED details

Marcus Rueckert-3
On 2015-11-15 14:27:39 +0000, eddie wrote:
> CERTDIR=$SSLDIR/private
> KEYDIR=$SSLDIR/private

Both in private was actually intentional. /etc/ssl/certs/ is maintained
by a script which will delete your cert files.

    darix

--
           openSUSE - SUSE Linux is my linux
               openSUSE is good for you
                   www.opensuse.org

Re: dovecot broken in leap 42.1 -- SOLVED details

eddie-83
On Sunday 15 Nov 2015 21:55:39 Marcus Rueckert wrote:
> On 2015-11-15 14:27:39 +0000, eddie wrote:
> > CERTDIR=$SSLDIR/private
> > KEYDIR=$SSLDIR/private
>
> both in private was actually intentional. /etc/ssl/certs/ is maintained
> by a script which will delete your cert files.
>
>     darix

Thanks, that is useful to know. I will relocate my file.

Re: dovecot broken in leap 42.1 -- SOLVED details

Bjoern Voigt
In reply to this post by Marcus Rueckert-3
Marcus Rueckert wrote:
> On 2015-11-15 14:27:39 +0000, eddie wrote:
>> CERTDIR=$SSLDIR/private
>> KEYDIR=$SSLDIR/private
> both in private was actually intentional. /etc/ssl/certs/ is maintained
> by a script which will delete your cert files.
Which script? /usr/sbin/update-ca-certificates ?

Why does this script delete user-defined certificates? Where else should
I place user-defined certificates?

Greetings,
Björn

Re: dovecot broken in leap 42.1 -- SOLVED details

Marcus Rueckert-3
On 2015-11-24 10:31:47 +0100, Bjoern Voigt wrote:
> Marcus Rueckert wrote:
> > On 2015-11-15 14:27:39 +0000, eddie wrote:
> >> CERTDIR=$SSLDIR/private
> >> KEYDIR=$SSLDIR/private
> > both in private was actually intentional. /etc/ssl/certs/ is maintained
> > by a script which will delete your cert files.
> Which script? /usr/sbin/update-ca-certificates ?
>
> Why does this script delete user defined certificates?

/etc/ssl/certs/ is meant to have CA certs only.

> Where should I place user defined certificates else?

/etc/ssl/private/

    darix

--
           openSUSE - SUSE Linux is my linux
               openSUSE is good for you
                   www.opensuse.org

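Added example (not code from the thread, from Dovecot or from openSUSE): a POSIX sh checker for the ssl_cert/ssl_key lines of a 10-ssl.conf, covering eddie's path mismatch above and darix's point that /etc/ssl/certs/ is rewritten by the CA bundle script. It assumes the "<path" form of the settings, builds its own placeholder PEM files for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added example (not code from the thread or from Dovecot): sanity-check the
# ssl_cert / ssl_key entries in a Dovecot 10-ssl.conf before restarting it.
# Only the "<path" form is handled, as used in the thread.

# Print the path behind "<setting> = <path>", or nothing if the setting is unset.
dovecot_ssl_path() {   # $1 = config file, $2 = setting name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*<//p" "$1" | tail -n 1
}

# Verify one file exists and carries the expected PEM header.
# $1 = path, $2 = BEGIN-line pattern (grep BRE), $3 = setting name for messages
check_pem_file() {
    if [ ! -r "$1" ]; then
        echo "ERROR: $3 -> '$1' is missing or unreadable" >&2
        return 1
    fi
    # A file with no BEGIN line is what "PEM_read_bio:no start line" refers to.
    if ! grep -q "^-----BEGIN $2-----" "$1"; then
        echo "ERROR: $3 -> '$1' has no '-----BEGIN $2-----' header" >&2
        return 1
    fi
}

# Check a whole 10-ssl.conf; returns 0 only if cert and key both look sane.
check_dovecot_ssl() {   # $1 = path to 10-ssl.conf
    cert=$(dovecot_ssl_path "$1" ssl_cert)
    key=$(dovecot_ssl_path "$1" ssl_key)
    rc=0
    check_pem_file "$cert" "CERTIFICATE" ssl_cert || rc=1
    check_pem_file "$key" ".*PRIVATE KEY" ssl_key || rc=1
    # darix's point in the thread: /etc/ssl/certs/ is CA-bundle territory on
    # openSUSE and gets rewritten, so a server cert placed there will not survive.
    case "$cert" in
        /etc/ssl/certs/*) echo "WARNING: '$cert' is under /etc/ssl/certs/" >&2 ;;
    esac
    return $rc
}

# Demo on constructed files with placeholder PEM bodies (not real keys).
d=$(mktemp -d) && mkdir -p "$d/private"
printf -- '-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n' > "$d/private/dovecot.crt"
printf -- '-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n' > "$d/private/dovecot.pem"
printf 'ssl_cert = <%s/private/dovecot.crt\nssl_key = <%s/private/dovecot.pem\n' "$d" "$d" > "$d/fixed.conf"
# Mirrors the thread's broken state: ssl_cert names a file mkcert.sh never wrote.
printf 'ssl_cert = <%s/certs/dovecot.pem\nssl_key = <%s/private/dovecot.pem\n' "$d" "$d" > "$d/broken.conf"
check_dovecot_ssl "$d/fixed.conf"  && echo "fixed.conf: OK"
check_dovecot_ssl "$d/broken.conf" || echo "broken.conf: rejected"
rm -rf "$d"
```

Run it as root against /etc/dovecot/conf.d/10-ssl.conf to get the same three checks on a live install; it reports the first failing setting rather than the stacked OpenSSL error.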

Re: dovecot broken in leap 42.1 -- SOLVED details

Bjoern Voigt
Marcus Rueckert wrote:

> On 2015-11-24 10:31:47 +0100, Bjoern Voigt wrote:
>> Marcus Rueckert wrote:
>>> On 2015-11-15 14:27:39 +0000, eddie wrote:
>>>> CERTDIR=$SSLDIR/private
>>>> KEYDIR=$SSLDIR/private
>>> both in private was actually intentional. /etc/ssl/certs/ is maintained
>>> by a script which will delete your cert files.
>> Which script? /usr/sbin/update-ca-certificates ?
>>
>> Why does this script delete user defined certificates?
> /etc/ssl/certs/ is meant to have CA certs only.
>
>> Where should I place user defined certificates else?
> /etc/ssl/private/
OK, I see, /etc/ssl/certs is a symlink to
/var/lib/ca-certificates/pem/ on openSUSE. /etc/ssl/private/ looks
like a location for private certificates. CA certificates for
validation purposes cannot be placed there, because it is only
accessible to root:

$ ls -ld /etc/ssl/private/
drwx------ 2 root root 4096 17. Jun 15:37 /etc/ssl/private/

I wonder where I should place additional (non-default) CA
certificates. Until now I used /etc/ssl/certs for them.

Greetings,
Björn