dravion.smith at gmx.net
2015-Aug-14 11:22 UTC
Multidomain / IP Address Setup (Dovecot 2.2.10 on CentOS7) is failing: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM
Hi,

I want to say hello and here is my big problem ;D

I am trying to achieve a Postfix/Dovecot 2.2.10 CentOS7 multidomain setup with multiple (valid StartSSL certs), but I am only able to run a single-domain-cert server.

PS: I need a multiple-domain setup for every customer and it is not an option for me to redirect any email to a single-domain server. I really need this setup working.

IMHO: I think SELinux could interfere with multiple certs in different folders (it is activated in CentOS7 by default and is needed by other apps).

Ok, here is my logfile data:

systemctl start postfix.service [OK]
systemctl start dovecot.service [OK]

/var/log/messages
*systemd: Stopping Dovecot IMAP/POP3 email server...
*systemd: Starting Dovecot IMAP/POP3 email server...
*systemd: Started Dovecot IMAP/POP3 email server.

/var/log/maillog
*dovecot: master: Dovecot v2.2.10 starting up for imap, pop3, lmtp (core dumps disabled)

### This works (Thunderbird, Outlook 2013, Opera Mail etc.) ####

local mydomain01.tld {
  protocol imap {
    ssl_cert = </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.crt.pem
    ssl_key = </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.key.pem
  }
}

### this 10-ssl.conf ### --- FAILS (the error occurs after an email client accesses IMAP folders)

local mydomain01.tld {
  protocol imap {
    ssl_cert = </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.crt.pem
    ssl_key = </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.key.pem
  }
}

local mydomain02.tld {
  protocol imap {
    ssl_cert = </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.crt.pem
    ssl_key = </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.key.pem
  }
}

/var/log/maillog ### Error log ###
Aug 14 12:50:38 matrix dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line:
Aug 14 12:50:38 matrix dovecot: master: Error: service(imap-login): command startup failed, throttling for 60 secs

I really don't know why a single domain is no problem, but if I enable multiple domains Dovecot starts without any error, even if I set the debug verbose level extremely high, but if I access Dovecot with Thunderbird my server logfile explodes with something like this: Couldn't parse private ssl_key: error:0906D06C:PEM. But the certs are 100% valid and checked over and over again.

Any help is greatly appreciated!

Greetings,
Dravion
Alexander Dalloz
2015-Aug-14 17:57 UTC
Multidomain / IP Address Setup (Dovecot 2.2.10 on CentOS7) is failing: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM
On 14.08.2015 at 13:22, dravion.smith at gmx.net wrote:
> Hi,
> I want to say hello and here is my big problem ;D
>
> Iam trying to archive a Postfix/Dovecot 2.2.10 CentOS7 Multidomain Setup
> with multiple (valid
> StartSSL Certs), but iam only able to run a single Domain Cert server only.
>
> ps: I need a multiple domainssetup for every customer and it is not an
> option for me redirecting any email
> to a single domain server. I really need this setup working.
>
> IMHO: I think it SELinux could interfere with multiple Certs in diffrent
> folders (it is activated in CentOs7 by
> default and is needed by other apps)

What have you done to exclude that SELinux interferes? Run "ausearch -m avc" to check for AVCs.

> Ok, here is my logfile data:
>
> systemctl start postfix.service [OK]
> systemctl start dovecot.service [OK]
>
> /var/log/messages
> *systemd: Stopping Dovecot IMAP/POP3 email server...
> *systemd: Starting Dovecot IMAP/POP3 email server...
> *systemd: Started Dovecot IMAP/POP3 email server.
>
> /var/log/maillog
> *dovecot: master: Dovecot v2.2.10 starting up for imap, pop3, lmtp (core
> dumps disabled)
>
> ### This works (Thunderbird, Outlook 2013, Opera Mail ect.) ####
>
> local mydomain01.tld {
>
> protocol imap {
> ssl_cert =
> </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.crt.pem
> ssl_key =
> </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.key.pem
> }
>
> }

You are leaving the terrain of your distribution. That's not the intended path. /etc/pki/tls/{certs,private}/ is.

> ### this 10-ssl.conf ### --- FAILS (the error occurs after an email
> client accesses IMAP Folders)
> local mydomain01.tld {
>
> protocol imap {
> ssl_cert =
> </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.crt.pem
> ssl_key =
> </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.key.pem
> }
>
> }
>
> local mydomain02.tld {
>
> protocol imap {
> ssl_cert =
> </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.crt.pem
> ssl_key =
> </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.key.pem
> }
>
> }

See above. Why 2 times the same certificate pair files? Make sure the permissions (and not only of the files themselves) and the SELinux context are set properly. You gave zero information about that.

> /var/log/mailog ### Error log ###
> Aug 14 12:50:38 matrix dovecot: imap-login: Fatal: Couldn't parse
> private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line:
> Aug 14 12:50:38 matrix dovecot: master: Error: service(imap-login):
> command startup failed, throttling for 60 secs

The key file contains "-----BEGIN PRIVATE KEY-----" as first line and "-----END PRIVATE KEY-----" as last line?

> I really dont know why a single domain is no problem but if i enable
> multiple domains dovecots
> start with any error, even if i set debug verbose leven to extrem high
> but if i access dovecot with
> Thunderbird my server loggile explodes with something like this Couldn't
> parse private ssl_key: error:0906D06C:PEM but the certs are 100% valid
> and checked over and over again.
>
> Any help is greatly appreciated!
>
> Greetings,
> Dravion

Alexander
dravion.smith at gmx.net
2015-Aug-15 01:22 UTC
Multidomain / IP Address Setup (Dovecot 2.2.10 on CentOS7) is failing: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM
Hello Alex

On 14.08.2015 at 19:57, Alexander Dalloz wrote:
> What have you done to exclude that SELinux interferes?
>

Just some sysinfo: CentOS Linux release 7.1.1503 (Core) (I run yum update every day)

sestatus:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

>
> Run "ausearch -m avc" to check for AVCs.

There is no indication that SELinux is blocking anything:

grep "SELinux is preventing" /var/log/messages
grep "denied" /var/log/audit/audit.log
ausearch -m avc

shows no denied messages.

>
>> ### This works (Thunderbird, Outlook 2013, Opera Mail ect.) ####
>>
>> local mydomain01.tld {
>>
>> protocol imap {
>> ssl_cert =
>> </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.crt.pem
>> ssl_key =
>> </etc/ssl/domains/mydomain.tld/imap/imap.mydomain02.tld.key.pem
>> }
>>
>> }
>>

Sorry, the above has some typo errors, forget it.

Ok, this works well:

Configfile: /etc/dovecot/conf.d/10-ssl.conf

protocol imap {
  ssl_cert = </etc/ssl/domains/mydomain01.tld/imap/imap.mydomain01.tld.crt.pem
  ssl_key = </etc/ssl/domains/mydomain01.tld/imap/imap.mydomain01.tld.key.pem
}

If I change it to

protocol imap {
  ssl_cert = </etc/ssl/domains/mydomain02.tld/imap/imap.mydomain02.tld.crt.pem
  ssl_key = </etc/ssl/domains/mydomain02.tld/imap/imap.mydomain02.tld.key.pem
}

this works well too (I can connect from a Windows box with Mozilla Thunderbird and Microsoft Outlook 2013, IMAP folders are showing, email sending and receiving is working and the logs show no error).

#### BUT ####

If I try something like this in /etc/dovecot/conf.d/10-ssl.conf

local imap.mydomain01.tld {
  protocol imap {
    ssl_cert = </etc/ssl/domains/mydomain01.tld/imap/imap.mydomain01.tld.crt.pem
    ssl_key = </etc/ssl/domains/mydomain01.tld/imap/imap.mydomain01.tld.key.pem
  }
}

local imap.mydomain01.tld {
  protocol imap {
    ssl_cert = </etc/ssl/domains/mydomain02.tld/imap/imap.mydomain02.tld.crt.pem
    ssl_key = </etc/ssl/domains/mydomain02.tld/imap/imap.mydomain02.tld.key.pem
  }
}

it throws errors like this "imap-login: ... parse private ssl_key: error:0906D06C:PEM" in the logfile /var/log/maillog.

The certs are accepted each in single-domain mode but failing in multidomain mode. I have checked if local_name works (SNI) with the full DNS domain name or just the IP address, but this doesn't show any effect. Multidomain mode of Dovecot is

Notes: The certs are StartSSL domain-validated free certs, pointing to imap.mydomain01.tld and imap.mydomain02.tld. In single-domain mode like explained above either of the two certificates is accepted, and Thunderbird and Outlook accept the certs as StartSSL without any warning or error message.

PS: imap.mydomain01.tld.key begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
imap.mydomain02.tld.key begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----

PS2: There was a hint on some website that Dovecot needs the certs in a single *.pem file because the implementation of SNI and related code "was poorly implemented".

Thanks,
Drav
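Since the thread turns on whether each key file really starts with a BEGIN line and on a config that declares the same local block twice, here is an added checker in Python (written for this page, not code from the thread or from Dovecot) that pulls the ssl_key paths out of a 10-ssl.conf fragment, flags a local/local_name name or key file used twice, and reports why OpenSSL would answer "no start line" for a key: unreadable file, a UTF-8 BOM before the first line, or a missing BEGIN/END PRIVATE KEY line. The conf and key files it runs on are constructed inside demo(); the file contents are not real keys.

```python
import re
import tempfile
from pathlib import Path

KEY_BEGIN = re.compile(rb"^-----BEGIN (RSA |EC )?PRIVATE KEY-----$")
KEY_END = re.compile(rb"^-----END (RSA |EC )?PRIVATE KEY-----$")

def parse_conf(conf):
    """Names of local/local_name blocks, and every path given as 'ssl_key = <path'."""
    names = re.findall(r"^\s*(?:local|local_name)\s+(\S+)\s*\{", conf, re.M)
    keys = re.findall(r"^\s*ssl_key\s*=\s*<(\S+)", conf, re.M)  # '<' = read from file
    return names, keys

def check_key_file(path):
    """Reason OpenSSL would report 'PEM ... no start line' for this key, or None."""
    try:
        data = Path(path).read_bytes()
    except OSError as e:
        return "unreadable: %s" % e
    if data.startswith(b"\xef\xbb\xbf"):  # editor saved the file with a UTF-8 BOM
        return "UTF-8 BOM precedes the BEGIN line"
    lines = [l for l in data.splitlines() if l.strip()]
    if not lines or not KEY_BEGIN.match(lines[0]):
        return "first line is not a -----BEGIN ... PRIVATE KEY----- header"
    if not KEY_END.match(lines[-1]):
        return "last line is not an -----END ... PRIVATE KEY----- trailer"

def lint(conf):
    """Findings: a block name or key file used twice, and keys OpenSSL cannot parse."""
    names, keys = parse_conf(conf)
    findings = ["%s '%s' used %d times" % (what, v, seq.count(v))
                for what, seq in (("block", names), ("ssl_key", keys))
                for v in dict.fromkeys(seq) if seq.count(v) > 1]
    for key in dict.fromkeys(keys):
        problem = check_key_file(key)
        if problem:
            findings.append("%s: %s" % (Path(key).name, problem))
    return findings

def demo():
    """Constructed input: a conf repeating one 'local' name (as posted in the
    thread) and two fake key files, the second saved with a UTF-8 BOM."""
    d = tempfile.mkdtemp()
    body = b"-----BEGIN RSA PRIVATE KEY-----\nMIIconstructedNotAKey==\n-----END RSA PRIVATE KEY-----\n"
    conf = ""
    for name, bom in (("imap.mydomain01.tld", b""), ("imap.mydomain02.tld", b"\xef\xbb\xbf")):
        Path(d, name + ".key.pem").write_bytes(bom + body)
        conf += ("local imap.mydomain01.tld {\n  protocol imap {\n    ssl_cert = <%s/%s.crt.pem\n"
                 "    ssl_key = <%s/%s.key.pem\n  }\n}\n" % (d, name, d, name))
    return lint(conf)
```

On a real box, lint(open("/etc/dovecot/conf.d/10-ssl.conf").read()) runs the same checks against the installed config and key files.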