I just updated my server from Debian Bullseye to Bookworm and everything has been working well, except that Dovecot complains that it can't open the fullchain.pem file (permission denied).
I checked the permissions and they all seem to be OK. What's more, I have another server with the same configuration, still on Debian Bullseye, which is running fine without this problem.
I tried to regenerate the letsencrypt certificate, and although it did regenerate it, the issue still persists.
I found someone with the same problem here: "Dovecot cannot read TLS certificate - Server Fault", but I don't have SELinux installed, only AppArmor. The settings are the same on both of my servers, so I don't think the problem is caused by AppArmor?
These are the errors:
2023-06-11T23:30:02.033356+02:00 xxxxdev postfix/local: F121D41B4F: to=<firstname.lastname@example.org>, orig_to=<xxxx>, relay=local, delay=0.07, delays=0.03/0.01/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 24: ssl_ca: Can't open file /etc/letsencrypt/live/xxxxdev.com/fullchain.pem: Permission denied )
2023-06-11T23:30:02.036054+02:00 xxxxdev postfix/local: F300641B4D: to=<email@example.com>, orig_to=<xxxx>, relay=local, delay=0.06, delays=0.02/0.02/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 24: ssl_ca: Can't open file /etc/letsencrypt/live/xxxxdev.com/fullchain.pem: Permission denied )
And the listing of the files where the certificate is:

ls -la /etc/letsencrypt/live/xxxxdev.com/
total 12
drwxr-xr-x 2 root root 4096 Jun 11 19:10 .
drwx------ 3 root root 4096 Oct 12  2019 ..
lrwxrwxrwx 1 root root   39 Jun 11 19:10 cert.pem -> ../../archive/xxxxdev.com/cert25.pem
lrwxrwxrwx 1 root root   40 Jun 11 19:10 chain.pem -> ../../archive/xxxxdev.com/chain25.pem
lrwxrwxrwx 1 root root   44 Jun 11 19:10 fullchain.pem -> ../../archive/xxxxdev.com/fullchain25.pem
lrwxrwxrwx 1 root root   42 Jun 11 19:10 privkey.pem -> ../../archive/xxxxdev.com/privkey25.pem
-rw-r--r-- 1 root root  692 Oct 12  2019 README

ls -la /etc/letsencrypt/archive/xxxxdev.com/
total 464
drwxr-xr-x 2 root root 4096 Jun 11 19:10 .
drwx------ 3 root root 4096 Oct 12  2019 ..
-rw-r--r-- 1 root root 1866 Jun 11 19:10 cert25.pem
-rw-r--r-- 1 root root 3749 Jun 11 19:10 chain25.pem
-rw-r--r-- 1 root root 5615 Jun 11 19:10 fullchain25.pem
-rw-r--r-- 1 root root 1704 Jun 11 19:10 privkey25.pem
Then the /etc/dovecot/conf.d/10-ssl.conf Dovecot config file:

##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/letsencrypt/live/xxxxdev.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/xxxxdev.com/privkey.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
ssl_ca = </etc/letsencrypt/live/xxxxdev.com/fullchain.pem

# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# DH parameters length to use.
#ssl_dh_parameters_length = 1024

# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </etc/dovecot/dh.pem

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
#ssl_min_protocol = TLSv1

# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =

# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

# SSL extra options. Currently supported options are:
#   no_compression - Disable compression.
#ssl_options =
Any idea where to look? Anyone else with this problem?
Thanks in advance for your help
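Added example, not from the question: the listing shows fullchain25.pem as world-readable but /etc/letsencrypt/live and /etc/letsencrypt/archive as drwx------, and a process that is not root needs the execute bit on every directory along both the symlink's path and its target's path before it can read the file. This POSIX shell script walks both and names the component that blocks "other" users, so a fix can target one directory bit instead of loosening files such as privkey25.pem, which the listing shows as already 0644; it assumes GNU coreutils (stat -c, readlink -f) and builds its --demo tree under mktemp with the placeholder name example.com.

```shell
#!/bin/sh
# Walk every component of PATH (and, if PATH is a symlink, of its resolved
# target) and report which component denies "other" users: a directory needs
# the execute bit to be traversed, the final file needs the read bit.
# Assumes GNU coreutils (stat -c, readlink -f); paths must not contain spaces.
check_path_access() {
    paths=$1
    [ -L "$1" ] && paths="$1 $(readlink -f "$1")"
    rc=0
    for path in $paths; do
        acc=""
        for part in $(printf '%s' "$path" | tr '/' ' '); do
            acc="$acc/$part"
            mode=$(stat -L -c '%a' "$acc" 2>/dev/null) \
                || { printf 'MISSING  %s\n' "$acc"; return 2; }
            other=$(( mode % 10 ))   # octal digit for "other"
            if [ -d "$acc" ]; then need=1; what='traverse (x)'
            else need=4; what='read (r)'; fi
            if [ $(( other & need )) -eq 0 ]; then
                printf 'BLOCKED  %s (mode %s): others cannot %s\n' "$acc" "$mode" "$what"
                rc=1
            else
                printf 'ok       %s (mode %s)\n' "$acc" "$mode"
            fi
        done
    done
    return $rc
}

# Constructed tree mirroring the question's listing: world-readable files under
# archive/, drwx------ on live/ and archive/, symlink in live/. Placeholder
# name example.com; the "certificate" is a dummy text file.
build_demo_tree() {
    root=$(readlink -f "$(mktemp -d)") && chmod 755 "$root"
    le=$root/letsencrypt
    mkdir -p "$le/live/example.com" "$le/archive/example.com"
    chmod 755 "$le" "$le/live/example.com" "$le/archive/example.com"
    chmod 700 "$le/live" "$le/archive"
    echo 'constructed placeholder, not a certificate' > "$le/archive/example.com/fullchain25.pem"
    chmod 644 "$le/archive/example.com/fullchain25.pem"
    ln -s ../../archive/example.com/fullchain25.pem "$le/live/example.com/fullchain.pem"
    printf '%s' "$le"
}

demo() {
    le=$(build_demo_tree)
    check_path_access "$le/live/example.com/fullchain.pem"   # two BLOCKED lines expected
    echo "exit status: $?"
}
case "${1-}" in --demo) demo ;; esac
```

On a real host, run `check_path_access /etc/letsencrypt/live/<domain>/fullchain.pem` as root; a BLOCKED line on a directory explains a "Permission denied" seen by a non-root process even though the file itself is 0644.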