Dovecot can't open ssl_ca file (permission denied)

Hi there,

I just updated my server from Debian Bullseye to Bookworm and everything has been working well, except that Dovecot complains that it can't open the fullchain.pem file (permission denied).

I checked the permissions and everything seems to be OK. What's more, I have another server with the same configuration still on Debian Bullseye, where it's running fine without this problem.

I tried to regenerate the Let's Encrypt certificate, and although it did regenerate it, the issue still persists.

I found someone with the same problem here: "Dovecot cannot read TLS certificate" (Server Fault), but I don't have SELinux installed, only AppArmor. The settings are the same on both of my servers, though, so I don't think the problem is caused by AppArmor?

These are the errors:

2023-06-11T23:30:02.033356+02:00 xxxxdev postfix/local[14622]: F121D41B4F: to=<xxxx@xxxxdev.com>, orig_to=<xxxx>, relay=local, delay=0.07, delays=0.03/0.01/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 24: ssl_ca: Can't open file /etc/letsencrypt/live/xxxxdev.com/fullchain.pem: Permission denied )
2023-06-11T23:30:02.036054+02:00 xxxxdev postfix/local[14623]: F300641B4D: to=<xxxx@xxxxdev.com>, orig_to=<xxxx>, relay=local, delay=0.06, delays=0.02/0.02/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 24: ssl_ca: Can't open file /etc/letsencrypt/live/xxxxdev.com/fullchain.pem: Permission denied )

And the listing of the files where the certificate is:

ls -la /etc/letsencrypt/live/xxxxdev.com/
total 12
drwxr-xr-x 2 root root 4096 Jun 11 19:10 .
drwx------ 3 root root 4096 Oct 12  2019 ..
lrwxrwxrwx 1 root root   39 Jun 11 19:10 cert.pem -> ../../archive/xxxxdev.com/cert25.pem
lrwxrwxrwx 1 root root   40 Jun 11 19:10 chain.pem -> ../../archive/xxxxdev.com/chain25.pem
lrwxrwxrwx 1 root root   44 Jun 11 19:10 fullchain.pem -> ../../archive/xxxxdev.com/fullchain25.pem
lrwxrwxrwx 1 root root   42 Jun 11 19:10 privkey.pem -> ../../archive/xxxxdev.com/privkey25.pem
-rw-r--r-- 1 root root  692 Oct 12  2019 README

ls -la /etc/letsencrypt/archivexxxxdev.com/
total 464
drwxr-xr-x 2 root root 4096 Jun 11 19:10 .
drwx------ 3 root root 4096 Oct 12  2019 ..
-rw-r--r-- 1 root root 1866 Jun 11 19:10 cert25.pem
-rw-r--r-- 1 root root 3749 Jun 11 19:10 chain25.pem
-rw-r--r-- 1 root root 5615 Jun 11 19:10 fullchain25.pem
-rw-r--r-- 1 root root 1704 Jun 11 19:10 privkey25.pem

Then the Dovecot config file /etc/dovecot/conf.d/10-ssl.conf:

##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/letsencrypt/live/xxxxdev.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/xxxxdev.com/privkey.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
ssl_ca = </etc/letsencrypt/live/xxxxdev.com/fullchain.pem

# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# DH parameters length to use.
#ssl_dh_parameters_length = 1024

# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </etc/dovecot/dh.pem

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
#ssl_min_protocol = TLSv1

# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =

# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

# SSL extra options. Currently supported options are:
#   no_compression - Disable compression.
#ssl_options =

Any idea where to look? Anyone else with this problem?

Thanks in advance for your help

1 Like
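As an added example (not from the thread), here is a Python helper that walks a path the way the kernel does, expanding each symlink component and checking the "other" permission bits, so you can see exactly which component denies a process that is not running as root. Instead of touching /etc/letsencrypt it builds a constructed replica of the listing above in a temporary directory (live/ and archive/ at 0700, fullchain.pem pointing through ../../archive/), using the made-up domain example.com.

```python
import os
import stat
import tempfile

def unprivileged_blockers(path):
    """Components of `path` that block an unrelated user (neither root nor owner):
    directories without o+x, the final file without o+r; symlinks are expanded per component."""
    blockers, hops, cur = [], 0, os.sep
    pending = [c for c in os.path.abspath(path).split(os.sep) if c]
    while pending:
        name = pending.pop(0)
        if name == ".":
            continue
        # Looking up any name (including "..") inside `cur` needs search (x) on `cur`.
        if not os.lstat(cur).st_mode & stat.S_IXOTH:
            blockers.append((cur, "directory lacks o+x"))
        if name == "..":
            cur = os.path.dirname(cur)
            continue
        nxt = os.path.join(cur, name)
        st = os.lstat(nxt)
        if stat.S_ISLNK(st.st_mode):
            if (hops := hops + 1) > 40:
                raise OSError("too many levels of symbolic links: " + path)
            target = os.readlink(nxt)  # e.g. ../../archive/<domain>/fullchain25.pem
            cur = os.sep if os.path.isabs(target) else cur
            pending = [c for c in target.split(os.sep) if c] + pending
        elif pending:
            cur = nxt  # intermediate directory; its x bit is checked on the next lookup
        elif not st.st_mode & stat.S_IROTH:
            blockers.append((nxt, "file lacks o+r"))
    return list(dict.fromkeys(blockers))  # keep first occurrence, drop repeats

def build_demo_tree():
    """Constructed replica of the thread's listing (a temp dir, not /etc/letsencrypt)."""
    root = os.path.realpath(tempfile.mkdtemp())
    os.chmod(root, 0o755)  # mkdtemp creates 0700, which would itself be a blocker
    for d, mode in (("live", 0o700), ("live/example.com", 0o755),
                    ("archive", 0o700), ("archive/example.com", 0o755)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    pem = os.path.join(root, "archive/example.com/fullchain1.pem")
    open(pem, "w").write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n")
    os.chmod(pem, 0o644)
    link = os.path.join(root, "live/example.com/fullchain.pem")
    os.symlink("../../archive/example.com/fullchain1.pem", link)
    return root, link

if __name__ == "__main__":
    print(*unprivileged_blockers(build_demo_tree()[1]), sep="\n")
```

Point `unprivileged_blockers` at a real path such as the ssl_ca value to check a live system; it only reads metadata and never opens the certificate or key.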

Do you actually use client certificate authentication? As that's not very common.

5 Likes

What's your Dovecot version? There was a regression with permissions between Dovecot 2.3.11 and 2.3.17.

It does seem like you can probably just leave an empty value for ssl_ca, though.

8 Likes

Or even better: just comment it out again.

4 Likes

At least look at this:

4 Likes

Hi,

Thank you all for your help. In the end, @Osiris was right: I didn't really need client certificate authentication. I just commented it out and the problem went away.

Thanks,

4 Likes

Mine broke on the last update I did a few days ago. But it only updated to Dovecot v2.3.16 (it looks like this was already the core version and a new Ubuntu package was pushed?)

log

Preparing to unpack .../04-dovecot-core_1%3a2.3.16+dfsg1-3ubuntu2.2_amd64.deb ...
Unpacking dovecot-core (1:2.3.16+dfsg1-3ubuntu2.2) over (1:2.3.16+dfsg1-3ubuntu2.1) ...

But commenting out that line in mine fixed the same "permission denied" issue that had appeared since the last update:

#ssl_ca = </etc/letsencrypt/live/mycert/chain.pem
ssl_cert = </etc/letsencrypt/live/mycert/fullchain.pem
ssl_key  = </etc/letsencrypt/live/mycert/privkey.pem

Ubuntu info:

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Codename:       jammy

@22-7ths [reminds me of Pi], can you be more detailed/descriptive [for all future readers]?

2 Likes

Done :slight_smile:
Yes, not quite Pi, but rather irrational. :wink:

1 Like

My kind of peeps!

3 Likes
