[solved] LetsEncrypt+Dovecot

My domain is: mail.quantum-equities.com

I ran this command: openssl s_client -connect mail.quantum-equities.com:imaps

It produced this output: socket: Bad file descriptor
connect:errno=9

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7.4

I can login to a root shell on my machine: yes

Something is messed up with Dovecot (2.2.33.2) and certs. In /etc/dovecot/conf.d/01-vmail.conf I have:

ssl_cert = </etc/letsencrypt/live/quantum-equities.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/quantum-equities.com/privkey.pem
local_name mail.delphi-real-estate.com {
        ssl_cert = </etc/letsencrypt/live/delphi-real-estate.com/fullchain.pem
        ssl_key = </etc/letsencrypt/live/delphi-real-estate.com/privkey.pem
}

But in /var/log/maillog I get:
dovecot: imap-login: Fatal: Can’t load private ssl_key: Key is for a different cert than ssl_cert

No doubt probably one or more of my certs is messed up, but which one? It doesn’t say.

And then what to do about it?

Whups, the problem was one of my virtual mail domains had
ssl_cert = </etc/letsencrypt/live/{domain}/chain.pem
… instead of fullchain, and for some reason that was flunking. :j

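The "Key is for a different cert than ssl_cert" error does not say which local_name block is at fault, and a chain.pem (intermediate only) will fail exactly this way because Dovecot compares the private key against the first certificate in the file. The script below is an added example, not from this thread or from the Dovecot project: it walks a config in the style shown above, pairs each ssl_key with its ssl_cert (global or inside a local_name block), and reports which pairs mismatch. It assumes the openssl CLI is installed and that the config uses Dovecot's "</path" file syntax.

```shell
#!/bin/sh
# Added example (not the thread's or Dovecot's own code): report which
# ssl_cert/ssl_key pair in a Dovecot config does not match, before restarting.
# Assumes: openssl CLI available; paths use Dovecot's "ssl_cert = </path" form.

# Compare the public key of the FIRST certificate in CERT (what Dovecot loads)
# with the public key derived from KEY. Returns 0 on match, 1 otherwise.
# A chain.pem starting with the intermediate fails here, like it did for Dovecot.
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Walk a Dovecot config, pairing each ssl_key with the ssl_cert that precedes it
# in the same scope ("global" or the local_name host), and print one line per
# pair: "OK <scope> <cert> <key>" or "MISMATCH <scope> <cert> <key>".
# Returns 1 if any pair mismatches, 0 if all pairs match.
check_dovecot_ssl_pairs() {
    conf="$1"; rc=0
    pairs=$(mktemp)
    awk '
        BEGIN { scope = "global" }
        /^[[:space:]]*local_name[[:space:]]/ { scope = $2 }
        /^[[:space:]]*}/                     { scope = "global" }
        /^[[:space:]]*ssl_cert[[:space:]]*=/ { sub(/^[^<]*</, ""); gsub(/[[:space:]]+$/, ""); cert = $0 }
        /^[[:space:]]*ssl_key[[:space:]]*=/  { sub(/^[^<]*</, ""); gsub(/[[:space:]]+$/, ""); print scope, cert, $0 }
    ' "$conf" > "$pairs"
    # Loop over a temp file rather than a pipe so rc survives (no subshell).
    while read -r scope cert key; do
        if key_matches_cert "$cert" "$key"; then
            echo "OK $scope $cert $key"
        else
            echo "MISMATCH $scope $cert $key"
            rc=1
        fi
    done < "$pairs"
    rm -f "$pairs"
    return "$rc"
}

# Usage: sh check_dovecot_ssl.sh /etc/dovecot/conf.d/01-vmail.conf
if [ "$#" -eq 1 ]; then
    check_dovecot_ssl_pairs "$1"
fi
```

Run it against the file in the first post and the MISMATCH line names the local_name block whose ssl_cert points at the wrong file.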

I have a whole guide for Dovecot and Postfix which may come in handy: https://ubuntu101.co.za/ssl/postfix-and-dovecot-on-ubuntu-with-a-lets-encrypt-ssl-certificate/

Thanks Mitchell. It is quite a job though to translate line-by-line to RHEL.

For some reason one of my domains is flunking the SMTP DANE test:
https://dane.sys4.de/smtp/mail.delphi-real-estate.com

… and another even flunks TLSA:
https://dane.sys4.de/smtp/mail.quantum-sci.com

How can this be? I used the same TLSA procedure as I did with quantum-equities, which passes. The former two are virtual SMTP hosts and the latter is the primary.
