Dovecot can't open ssl_ca file (permission denied)

Hi there,

I just updated my server from Debian Bullseye to Bookworm and all it's been working well except dovecot complains that can't open the fullchain.pem file (permission denied).

I checked the permissions and all seems to be ok. What's more I have another server with the same configuration still on Debian Bullseye when it's running well without this problem.

I tried to regenerate the letsencrypt certificate, and although it did regenerate it, the issue still persists.

I found someone with the same problem here Dovecot cannot read TLS certificate - Server Fault, but I don't have SELinux installed, only Apparmor. But the settings are the same on both of my servers and I don't think the problem is coming because of Apparmor?

These are errors:

2023-06-11T23:30:02.033356+02:00 xxxxdev postfix/local[14622]: F121D41B4F: to=<xxxx@xxxxdev.com>, orig_to=<xxxx>, relay=local, delay=0.07, delays=0.03/0.01/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 24: ssl_ca: Can't open file /etc/letsencrypt/live/xxxxdev.com/fullchain.pem: Permission denied )
2023-06-11T23:30:02.036054+02:00 xxxxdev postfix/local[14623]: F300641B4D: to=<xxxx@xxxxdev.com>, orig_to=<xxxx>, relay=local, delay=0.06, delays=0.02/0.02/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 24: ssl_ca: Can't open file /etc/letsencrypt/live/xxxxdev.com/fullchain.pem: Permission denied )

And the list of the files where the certificate is

ls -la /etc/letsencrypt/live/xxxxdev.com/
total 12
drwxr-xr-x 2 root root 4096 Jun 11 19:10 .
drwx------ 3 root root 4096 Oct 12  2019 ..
lrwxrwxrwx 1 root root   39 Jun 11 19:10 cert.pem -> ../../archive/xxxxdev.com/cert25.pem
lrwxrwxrwx 1 root root   40 Jun 11 19:10 chain.pem -> ../../archive/xxxxdev.com/chain25.pem
lrwxrwxrwx 1 root root   44 Jun 11 19:10 fullchain.pem -> ../../archive/xxxxdev.com/fullchain25.pem
lrwxrwxrwx 1 root root   42 Jun 11 19:10 privkey.pem -> ../../archive/xxxxdev.com/privkey25.pem
-rw-r--r-- 1 root root  692 Oct 12  2019 README

ls -la /etc/letsencrypt/archivexxxxdev.com/
total 464
drwxr-xr-x 2 root root 4096 Jun 11 19:10 .
drwx------ 3 root root 4096 Oct 12  2019 ..
-rw-r--r-- 1 root root 1866 Jun 11 19:10 cert25.pem
-rw-r--r-- 1 root root 3749 Jun 11 19:10 chain25.pem
-rw-r--r-- 1 root root 5615 Jun 11 19:10 fullchain25.pem
-rw-r--r-- 1 root root 1704 Jun 11 19:10 privkey25.pem

Then the /etc/dovecot/conf.d/10-ssl.conf dovecot config file:

##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/letsencrypt/live/xxxxdev.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/xxxxdev.com/privkey.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
ssl_ca = </etc/letsencrypt/live/xxxxdev.com/fullchain.pem

# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# DH parameters length to use.
#ssl_dh_parameters_length = 1024

# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </etc/dovecot/dh.pem

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
#ssl_min_protocol = TLSv1

# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =

# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

# SSL extra options. Currently supported options are:
#   no_compression - Disable compression.
#ssl_options =

Any idea where to look? Anyone else with this problem?

Thanks in advance for your help

Do you actually use client certificate authentication? As that's not very common.

What's your Dovecot version? There was a regression with permissions between Dovecot 2.3.11 and 2.3.17.

It does seem like you can probably just leave an empty value for ssl_ca, though.

Or even better: just comment it out again.

At least look at this:

Hi,

Thank you all for your help. At the end @Osiris was right, I didn't really need the client certificate authentication. I just commented out and the problem went away.

Thanks,

Mine broke on last update I did a few days ago. But, it only updated to Dovecot v 2.3.16 (looks like this was already the core version and a new Ubuntu package was pushed?)

log

Preparing to unpack .../04-dovecot-core_1%3a2.3.16+dfsg1-3ubuntu2.2_amd64.deb ...
Unpacking dovecot-core (1:2.3.16+dfsg1-3ubuntu2.2) over (1:2.3.16+dfsg1-3ubuntu2.1) ...

But, commenting out that line in mine fixed the same "permission denied" issue that appeared since last update:

#ssl_ca = </etc/letsencrypt/live/mycert/chain.pem
ssl_cert = </etc/letsencrypt/live/mycert/fullchain.pem
ssl_key  = </etc/letsencrypt/live/mycert/privkey.pem

Ubuntu info:

 lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Codename:       jammy

@22-7ths [reminds me of Pi ], Can you be more detailed/descriptive [for all future readers]?

done :slight_smile:
Yes not quite Pi, but rather irrational. :wink:

My kind of peeps!