Wolfgang Gross
2015-Feb-16 09:09 UTC
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
Hi, this is not a genuine Dovecot bug, more a nuisance. It applies to OpenSuse 13.2 but maybe also to other Linux's. The standard installation of Dovecot (especially 10-ssl.conf) places the certificate dovecot.pem in /etc/ssl/certs. Sometimes during updates does OpenSuse renew all certificates in /etc/ssl/certs and erases dovecot.pem. This blocks further access to the mailbox. I found a similar report here: https://bbs.archlinux.de/viewtopic.php?id=27288 Workaround: Move dovecot.pem to another directory and change 10-ssl.conf accordingly. Regards Wolfgang Gross -- Dr. W. Gross Sektion Chirurgische Forschung Klinik f?r Allgemein-, Viszeral- und Transplantationschirurgie Universit?tsklinikum Heidelberg Im Neuenheimer Feld 365, D-69120 Heidelberg, Germany Tel. ++49 (0)6221/566392, Fax: ++49 (0)6221/566402 WGross at uni-hd.de
Nick Edwards
2015-Feb-16 11:59 UTC
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
This directory in later times is where more and more distros are putting system wide server CA type certs, most distros are moving to this path, so the package maintainer should fix their script, maybe to /etc/ssl/private or such. On 2/16/15, Wolfgang Gross <WGross at uni-hd.de> wrote:> Hi, > > this is not a genuine Dovecot bug, more a nuisance. > It applies to OpenSuse 13.2 but maybe also to other Linux's. > > The standard installation of Dovecot (especially 10-ssl.conf) places the > certificate dovecot.pem in /etc/ssl/certs. > Sometimes during updates does OpenSuse renew all certificates in > /etc/ssl/certs > and erases dovecot.pem. This blocks further access to the mailbox. > > I found a similar report here: > https://bbs.archlinux.de/viewtopic.php?id=27288 > > Workaround: Move dovecot.pem to another directory and change 10-ssl.conf > accordingly. > > Regards > > Wolfgang Gross > > -- > Dr. W. Gross > Sektion Chirurgische Forschung > Klinik f?r Allgemein-, Viszeral- und Transplantationschirurgie > Universit?tsklinikum Heidelberg > Im Neuenheimer Feld 365, D-69120 Heidelberg, Germany > Tel. ++49 (0)6221/566392, Fax: ++49 (0)6221/566402 > WGross at uni-hd.de >
Wolfgang Gross
2015-Feb-16 14:42 UTC
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
On 16 Feb 2015 at 21:59, Nick Edwards wrote:> This directory in later times is where more and more distros are > putting system wide server CA type certs, most distros are moving to > this path, so the package maintainer should fix their script, maybe to > /etc/ssl/private or such.Maybe not in /etc/ssl/private for security reasons? 10-ssl.conf uses the same file name for certificate and private key; better change this, too.> > On 2/16/15, Wolfgang Gross <WGross at uni-hd.de> wrote: > > Hi, > > > > this is not a genuine Dovecot bug, more a nuisance. > > It applies to OpenSuse 13.2 but maybe also to other Linux's. > > > > The standard installation of Dovecot (especially 10-ssl.conf) places the > > certificate dovecot.pem in /etc/ssl/certs. > > Sometimes during updates does OpenSuse renew all certificates in > > /etc/ssl/certs > > and erases dovecot.pem. This blocks further access to the mailbox. > > > > I found a similar report here: > > https://bbs.archlinux.de/viewtopic.php?id=27288 > >
Marcus Rückert
2015-May-27 14:14 UTC
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
On Mon, 16 Feb 2015 10:09:16 +0100 "Wolfgang Gross" <WGross at uni-hd.de> wrote:> Hi, > > this is not a genuine Dovecot bug, more a nuisance. > It applies to OpenSuse 13.2 but maybe also to other Linux's. > > The standard installation of Dovecot (especially 10-ssl.conf) places > the certificate dovecot.pem in /etc/ssl/certs. > Sometimes during updates does OpenSuse renew all certificates > in /etc/ssl/certs and erases dovecot.pem. This blocks further access > to the mailbox. > > I found a similar report here: > https://bbs.archlinux.de/viewtopic.php?id=27288 > > Workaround: Move dovecot.pem to another directory and change > 10-ssl.conf accordingly.This is *not* our update mechanism. This is update-ca-certificates, which will wipe /etc/ssl/certs/ when it is called. This can happen to you on any distro using it. My recommendation is to use /etc/ssl/private/ for all service related files. Certs and keys. HTH darix -- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
Possibly Parallel Threads
- /etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
- /etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
- /etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
- /etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
- /etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism