LE certificate not working on my cyrus imap

Please fill out the fields below so we can help you better.

My domain is: mail.gelpi.it

I ran this command: certbot-auto certonly --webroot because certbot-auto --apache says it cannot connect to port 443

My web server is (include version): apache 2.2.22

The operating system my web server runs on is (include version): Debian 7

I can login to a root shell on my machine (yes or no, or I don’t know): yes

On my web the certificate is working well, but in the cyrus imap log I get:
Aug 16 13:53:28 mail imaps[17133]: Fatal error: tls_init() failed
Aug 16 13:53:28 mail imaps[17134]: TLS server engine: cannot load CA data
Aug 16 13:53:28 mail imaps[17134]: unable to get certificate from '/etc/letsencrypt/live/mail.gelpi.it/cert.pem'
Aug 16 13:53:28 mail imaps[17134]: TLS server engine: cannot load cert/key data
Aug 16 13:53:28 mail imaps[17134]: error initializing TLS
Aug 16 13:53:28 mail imaps[17134]: Fatal error: tls_init() failed

I have just tried all the possible combinations of cert, chain and private key, in separate files and in one file, changing the order as stated in some messages here, but no way. It doesn’t work.

My actual certificate includes the intermediate CA and works like a charm.
I also compared the two certificates and the only differences are in the certificate policies.
I searched here but I can't figure out a solution.

Any ideas?

Thank You in advance.

Andrea

Solution found.
The problem was due to the fact that cyrus imap in my installation needs to reach the private key and check the file permissions on it not as root but as the mail user.
The solution was to change the permissions on /etc/letsencrypt/archive and /etc/letsencrypt/live
and change the group of the private key in the archive directory to ssl-cert.
The file permissions must be 640 or -rw-r-----.

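A diagnostic for the fix described above, as an added example that is not part of the original posts: it checks, from the mode bits, whether a given uid and group list can search every directory from a base down to the key and read the key, both along `live/` and along the `archive/` symlink target. The function names are made up for this example, and `privkey.pem` is certbot's usual key filename, which does not appear in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat and readlink (Debian).
# It judges by owner/group/other mode bits only; ACLs are not considered.

# allowed UID "GID ..." PATH BIT   (BIT 4 = read, BIT 1 = directory search)
allowed() {
    a_uid=$1 a_gids=$2 a_bit=$4
    a_info=$(stat -L -c '%a %u %g' "$3") || return 1
    set -- $a_info                 # $1 octal mode, $2 owner uid, $3 group gid
    a_mode=$(( 0$1 ))              # leading 0 makes the shell read it as octal
    a_shift=0                      # default: the "other" class
    if [ "$a_uid" = "$2" ]; then
        a_shift=6                  # owner class
    else
        for a_g in $a_gids; do
            if [ "$a_g" = "$3" ]; then a_shift=3; fi   # group class
        done
    fi
    [ $(( (a_mode >> a_shift) & a_bit )) -ne 0 ]
}

# chain_ok UID "GID ..." BASE FILE: FILE readable, each dir up to BASE searchable
chain_ok() {
    allowed "$1" "$2" "$4" 4 || { echo "no read: $4" >&2; return 1; }
    c_dir=$(dirname "$4")
    while :; do
        allowed "$1" "$2" "$c_dir" 1 || { echo "no search: $c_dir" >&2; return 1; }
        case $c_dir in "$3"|/|.) break ;; esac
        c_dir=$(dirname "$c_dir")
    done
}

# key_readable_by UID "GID ..." BASE KEY
# Checks the path as written (live/) and the symlink target (archive/).
key_readable_by() {
    chain_ok "$1" "$2" "$3" "$4" &&
    chain_ok "$1" "$2" "$(readlink -f "$3")" "$(readlink -f "$4")"
}

# Usage on the poster's host (account name "mail" as stated in the post):
# key_readable_by "$(id -u mail)" "$(id -G mail)" /etc/letsencrypt \
#     /etc/letsencrypt/live/mail.gelpi.it/privkey.pem
```

On failure the function prints the first path component that blocks access to stderr, which points at the directory or file whose group or mode needs changing.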