Using Letsencrypt with dovecot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kasdivi.com

I ran this command:
I start dovecot
It produced this output:
Apr 19 11:04:09 triggerfish dovecot[91350]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=200.6.151.76, lip=209.160.65.133, session=<pclhZnQW9+rIBpdM>
Apr 19 11:04:11 triggerfish dovecot[91350]: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one
Apr 19 11:04:11 triggerfish dovecot[91348]: master: Error: service(auth): command startup failed, throttling for 4.000 secs
Apr 19 11:04:11 triggerfish dovecot[91350]: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 2 secs): user=<>, rip=200.6.151.76, lip=209.160.64.187, session=<k/F9ZnQW+urIBpdM>
Apr 19 11:04:11 triggerfish dovecot[91350]: imap-login: Disconnected: Auth process broken (disconnected before auth was rea
My web server is (include version):
apache24

The operating system my web server runs on is (include version):
FreeBSD 13.2
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.7.4

What is the output of the `certbot certificates` command?

4 Likes

And also, what's the value of the ssl_cert directive in your Dovecot configuration?

2 Likes

Found the following certs:
Certificate Name: kasdivi.com
Serial Number: 44ac015559e6579f454c7980e0aa82237a9
Key Type: ECDSA
Domains: kasdivi.com
Expiry Date: 2024-07-17 22:01:07+00:00 (VALID: 89 days)
Certificate Path: /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pem

1 Like

ssl_cert = </usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem

1 Like

And you're starting Dovecot as root?

1 Like

I would say yes

ps -aux gives me this

root 99145 0.0 0.0 14632 4512 - Is 13:17 0:00.06 /usr/local/sbin/dovecot -c /usr/local/etc/dovecot/dovecot.conf
dovecot 99146 0.0 0.0 14560 4168 - I 13:17 0:00.01 dovecot/anvil
root 99147 0.0 0.0 14564 4280 - I 13:17 0:00.02 dovecot/log
root 99148 0.0 0.0 15004 5096 - I 13:17 0:00.04 dovecot/config
dovecot 99396 0.0 0.0 14840 4412 - I 13:18 0:00.02 dovecot/stats

Hm, weird. Can you check the fullchain file as root?

ls -l /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
1 Like

lrwxr-xr-x 1 root www 40 Apr 18 19:01 /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem -> ../../archive/kasdivi.com/fullchain1.pem

And ls -l /usr/local/etc/letsencrypt/archive/kasdivi.com/fullchain1.pem ?

1 Like

-rw-r--r-- 1 root www 3306 Apr 18 19:01 /usr/local/etc/letsencrypt/archive/kasdivi.com/fullchain1.pem

Weird, I don't know why Dovecot is complaining.

1 Like

oh well

Maybe there are multiple ssl_cert across multiple files? Can you post doveconf -n output here? (Put three backticks ``` on a line before and after pasting it to use code formatting)

2 Likes

Can Dovecot handle this type of cert?

[just wild guessing]

2 Likes

Yes, Dovecot handles ECDSA just fine (I use it myself).

3 Likes
# Pigeonhole version 0.5.21 (f6cd4b8e)
# OS: FreeBSD 13.2-RELEASE-p4 amd64
# Hostname: triggerfish.theoceanwindow.com
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
protocols = imap pop3 lmtp sieve

OK, this appears to be self-inflicted. I was trying to deal with the issue by replacing the symbolic links with links to the actual certificate; when I do `certbot certificates` I now get

Renewal configuration file /usr/local/etc/letsencrypt/renewal/kasdivi.com.conf produced an unexpected error: expected /usr/local/etc/letsencrypt/live/kasdivi.com/cert.pem to be a symlink. Skipping.

Renewal configuration file /usr/local/etc/letsencrypt/renewal/kasdivi.com.conf produced an unexpected error: expected /usr/local/etc/letsencrypt/live/kasdivi.com/cert.pem to be a symlink. Skipping.

The certificate is specified as

ssl_ca = </usr/local/etc/letsencrypt/live/kasdivi.com/fullchain1.pem

I guess I have to eradicate all traces and start again

I hate upgrades

If only once, you could just `certbot delete --cert-name XYZ` that cert and obtain another.
Note: don't mess with anything within the /etc/letsencrypt/ folders directly; use certbot to do whatever you need it to do.

2 Likes
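A defensive check that catches both failure modes seen in this thread (a live/ entry that is no longer a symlink into archive/, and a Dovecot config whose ssl_cert does not read the live fullchain.pem), written as an added example for this thread, not code from Certbot, Dovecot or any poster. The Let's Encrypt directory, lineage name and the saved `doveconf -n` output are parameters; the example.test lineage used in comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example: verify a Certbot lineage the way Certbot and Dovecot expect it.
# Every file in live/<name>/ must be a symlink into ../../archive/<name>/, its
# target must be a non-empty PEM, and Dovecot's ssl_cert must read live/.../fullchain.pem.

# check_lineage LETSENCRYPT_DIR LINEAGE -> 0 if consistent, 1 otherwise
check_lineage() {
    root="$1"; name="$2"; rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        link="$root/live/$name/$f"
        if [ ! -L "$link" ]; then
            echo "NOT A SYMLINK: $link (certbot will skip this lineage at renewal)"
            rc=1; continue
        fi
        target=$(readlink "$link")
        case "$target" in
            ../../archive/"$name"/*) ;;   # the relative layout certbot creates
            *) echo "UNEXPECTED TARGET: $link -> $target"; rc=1; continue ;;
        esac
        real="$root/live/$name/$target"
        if [ ! -s "$real" ]; then
            echo "EMPTY OR MISSING: $real (Dovecot: 'The certificate is empty')"
            rc=1; continue
        fi
        # privkey.pem carries a different PEM header; only check the certificate files
        if [ "$f" != privkey.pem ] &&
           ! head -n 1 "$real" | grep -q '^-----BEGIN CERTIFICATE-----$'; then
            echo "NOT A PEM CERTIFICATE: $real"; rc=1
        fi
    done
    return $rc
}

# check_dovecot_ssl_cert DOVECONF_FILE LETSENCRYPT_DIR LINEAGE
# DOVECONF_FILE holds saved `doveconf -n` output. In Dovecot, "ssl_cert = <path"
# means "read the value from path"; it must be the live/ fullchain.pem, not an
# ssl_ca line or a file inside archive/.
check_dovecot_ssl_cert() {
    want="$2/live/$3/fullchain.pem"
    got=$(sed -n 's/^ssl_cert *= *<//p' "$1" | head -n 1)
    [ "$got" = "$want" ]
}

# Usage with the thread's paths: doveconf -n > /tmp/doveconf-n.txt, then
#   sh check.sh /usr/local/etc/letsencrypt kasdivi.com /tmp/doveconf-n.txt
if [ $# -eq 3 ]; then
    check_lineage "$1" "$2" && check_dovecot_ssl_cert "$3" "$1" "$2" && echo OK
fi
```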

Too late. I have benign live and archive