[solved] LetsEncrypt+Dovecot

My domain is: mail.quantum-equities.com

I ran this command: openssl s_client -connect mail.quantum-equities.com:imaps

It produced this output: socket: Bad file descriptor

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7.4

I can login to a root shell on my machine: yes

Something is messed up with Dovecot ( and certs. In /etc/dovecot/conf.d/01-vmail.conf I have:

ssl_cert = </etc/letsencrypt/live/quantum-equities.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/quantum-equities.com/privkey.pem
local_name mail.delphi-real-estate.com {
        ssl_cert = </etc/letsencrypt/live/delphi-real-estate.com/fullchain.pem
        ssl_key = </etc/letsencrypt/live/delphi-real-estate.com/privkey.pem

But in /var/log/maillog I get:
dovecot: imap-login: Fatal: Can’t load private ssl_key: Key is for a different cert than ssl_cert

No doubt probably one or more of my certs is messed up, but which one? It doesn’t say.

And then what to do about it?

Whups, the problem was one of my virtual mail domains had
ssl_cert = </etc/letsencrypt/live/{domain}/chain.pem
… instead of fullchain, and for some reason that was flunking. :j


I have a whole guide for Dovecot, Postfix which may come in handy https://ubuntu101.co.za/ssl/postfix-and-dovecot-on-ubuntu-with-a-lets-encrypt-ssl-certificate/

Thanks Mitchell. It is quite a job though to translate line-by-line to RHEL.

For some reason one of my domains is flunking the SMTP DANE test:

… and another even flunks TLSA:

How can this be? I used the same TLSA procedure as I did with quantum-equities, which passes. The former two are virtual SMTP hosts and the latter is the primary.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.