Hi there,
I just updated my server from Debian Bullseye to Bookworm and everything has been working well, except that dovecot complains that it can't open the fullchain.pem file (permission denied).
I checked the permissions and all seems to be OK. What's more, I have another server with the same configuration still on Debian Bullseye, which is running fine without this problem.
I tried to regenerate the letsencrypt certificate, and although it did regenerate it, the issue still persists.
I found someone with the same problem here: Dovecot cannot read TLS certificate - Server Fault, but I don't have SELinux installed, only AppArmor. The settings are the same on both of my servers, so I don't think the problem is caused by AppArmor?
These are the errors:
2023-06-11T23:30:02.033356+02:00 xxxxdev postfix/local[14622]: F121D41B4F: to=<xxxx@xxxxdev.com>, orig_to=<xxxx>, relay=local, delay=0.07, delays=0.03/0.01/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 24: ssl_ca: Can't open file /etc/letsencrypt/live/xxxxdev.com/fullchain.pem: Permission denied )
2023-06-11T23:30:02.036054+02:00 xxxxdev postfix/local[14623]: F300641B4D: to=<xxxx@xxxxdev.com>, orig_to=<xxxx>, relay=local, delay=0.06, delays=0.02/0.02/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 24: ssl_ca: Can't open file /etc/letsencrypt/live/xxxxdev.com/fullchain.pem: Permission denied )
And the list of the files where the certificate is:
ls -la /etc/letsencrypt/live/xxxxdev.com/
total 12
drwxr-xr-x 2 root root 4096 Jun 11 19:10 .
drwx------ 3 root root 4096 Oct 12 2019 ..
lrwxrwxrwx 1 root root 39 Jun 11 19:10 cert.pem -> ../../archive/xxxxdev.com/cert25.pem
lrwxrwxrwx 1 root root 40 Jun 11 19:10 chain.pem -> ../../archive/xxxxdev.com/chain25.pem
lrwxrwxrwx 1 root root 44 Jun 11 19:10 fullchain.pem -> ../../archive/xxxxdev.com/fullchain25.pem
lrwxrwxrwx 1 root root 42 Jun 11 19:10 privkey.pem -> ../../archive/xxxxdev.com/privkey25.pem
-rw-r--r-- 1 root root 692 Oct 12 2019 README
ls -la /etc/letsencrypt/archive/xxxxdev.com/
total 464
drwxr-xr-x 2 root root 4096 Jun 11 19:10 .
drwx------ 3 root root 4096 Oct 12 2019 ..
-rw-r--r-- 1 root root 1866 Jun 11 19:10 cert25.pem
-rw-r--r-- 1 root root 3749 Jun 11 19:10 chain25.pem
-rw-r--r-- 1 root root 5615 Jun 11 19:10 fullchain25.pem
-rw-r--r-- 1 root root 1704 Jun 11 19:10 privkey25.pem
Then the /etc/dovecot/conf.d/10-ssl.conf dovecot config file:
##
## SSL settings
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/letsencrypt/live/xxxxdev.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/xxxxdev.com/privkey.pem
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
ssl_ca = </etc/letsencrypt/live/xxxxdev.com/fullchain.pem
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# DH parameters length to use.
#ssl_dh_parameters_length = 1024
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </etc/dovecot/dh.pem
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
#ssl_min_protocol = TLSv1
# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
# SSL extra options. Currently supported options are:
# no_compression - Disable compression.
#ssl_options =
Any idea where to look? Anyone else with this problem?
Thanks in advance for your help
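One thing worth reading off the two listings above: in both, the ".." entry is drwx------, i.e. /etc/letsencrypt/live and /etc/letsencrypt/archive themselves are 0700 and owned by root. A file's own 0644 bits never matter if a directory on the way to it lacks the execute (search) bit for the caller, and the log shows doveconf being run from postfix/local delivery rather than by the dovecot master process, so "permission denied" on a world-readable file is exactly what a non-root caller would see. The script below is an added example, not from the post or from Dovecot/certbot: it walks a path component by component, following symlinks the way certbot's live/ -> archive/ layout needs, and prints the first component that an unprivileged ("other") user cannot get through. It decides from mode bits via GNU stat rather than by trying the access, so it gives the same answer whether run as root or not. The demo tree it builds uses the made-up domain example.com and mirrors the modes in the listings.

```shell
#!/bin/sh
# Added example (not from the post): find the first path component that an
# unprivileged user cannot traverse or read on the way to a certificate file.
# Assumes GNU coreutils (stat -c, readlink -f), i.e. a Debian-style system.

# Print the "other" octal digit of a path's mode: 700 -> 0, 1777 -> 7.
other_bits() {
    stat -c '%a' "$1" | sed 's/.*\(.\)$/\1/'
}

# Print the first component of PATH that "other" cannot traverse (a directory
# without o+x) or read (a file without o+r); print nothing if the whole chain
# is open. A symlink is followed: its parents were already checked, then the
# resolved target is walked from the root, just as the kernel would.
first_denied_component() {
    oldifs=$IFS
    IFS=/
    set -- $1
    IFS=$oldifs
    prefix=""
    for comp in "$@"; do
        [ -z "$comp" ] && continue
        prefix="$prefix/$comp"
        if [ -L "$prefix" ]; then
            first_denied_component "$(readlink -f "$prefix")"
            return
        fi
        bits=$(other_bits "$prefix")
        if [ -d "$prefix" ]; then
            # every directory on the path needs the search bit (x = 1)
            [ $((bits & 1)) -eq 0 ] && { echo "$prefix"; return 0; }
        else
            # the final file needs the read bit (r = 4)
            [ $((bits & 4)) -eq 0 ] && { echo "$prefix"; return 0; }
        fi
    done
    return 0
}

# Build a constructed tree (not the poster's real files) shaped like the two
# listings in the post: live/ and archive/ are 0700 (the ".." entries), the
# per-domain directories 0755, the archive file 0644, and live/ holds a
# relative symlink into archive/, the way certbot lays it out.
build_demo_tree() {
    root=$1
    mkdir -p "$root/archive/example.com" "$root/live/example.com"
    chmod 700 "$root/archive" "$root/live"
    chmod 755 "$root/archive/example.com" "$root/live/example.com"
    printf 'not a real certificate\n' > "$root/archive/example.com/fullchain1.pem"
    chmod 644 "$root/archive/example.com/fullchain1.pem"
    ln -s ../../archive/example.com/fullchain1.pem "$root/live/example.com/fullchain.pem"
}

# Demo: the file's 0644 bits are irrelevant; the walk stops at live/ itself.
demo() {
    t=$(mktemp -d /tmp/certperm.XXXXXX)
    chmod 755 "$t"   # mktemp -d creates 0700, which would hide the point
    build_demo_tree "$t"
    echo "blocked at: $(first_denied_component "$t/live/example.com/fullchain.pem")"
    rm -rf "$t"
}
```

Run it against the real path (first_denied_component /etc/letsencrypt/live/xxxxdev.com/fullchain.pem) and it will name the directory, not the file. Before widening anything, note that the same listing shows privkey25.pem as -rw-r--r--: the 0700 parents are currently the only thing keeping the private key private, and the config file's own comment says to keep the key unreadable by anyone but root. Whatever the fix ends up being, it should give the delivery process a path to the chain without making the archive/ directory world-searchable.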