HotSlots Webmaster <webmaster at hotslots132.com> writes:

> I have had Dovecot working fine with SSL for nearly two years now. It's
> time to renew the SSL certificate, so I did (same CA). The new
> certificate works fine in Apache and Postfix. But when I update Dovecot
> to use the same certificate, and restart the server, Dovecot stops
> responding to connects.
> ...
> Here is the end of the dovecot -n file that mentions SSL:
> ...
> ssl_dh_parameters_length = 2048

When you start dovecot, does CPU load of dovecot/ssl-params roof to 100%?
It's possible it's generating ephemeral DH keys. In a previous post
to this list, I note that the run time to generate these keys can vary
wildly, and gets worse with longer keys. Sometimes you get lucky, and
you'll generate them quickly, sometimes it takes a long while (minutes).

http://dovecot.org/pipermail/dovecot/2015-November/102447.html

Try running

    openssl dhparam -noout 2048

to see how it varies for you. If what I suspect is true, you can try
using shorter keys. A followup post suggests a way you can precompute
the key.

Joseph Tam <jtam.home at gmail.com>
aki.tuomi at dovecot.fi
2016-Mar-06 09:14 UTC
Dovecot stops responding when I update SSL certificate
> On March 6, 2016 at 4:45 AM Joseph Tam <jtam.home at gmail.com> wrote:
>
>
> HotSlots Webmaster <webmaster at hotslots132.com> writes:
>
> > I have had Dovecot working fine with SSL for nearly two years now. It's
> > time to renew the SSL certificate, so I did (same CA). The new
> > certificate works fine in Apache and Postfix. But when I update Dovecot
> > to use the same certificate, and restart the server, Dovecot stops
> > responding to connects.
> > ...
> > Here is the end of the dovecot -n file that mentions SSL:
> > ...
> > ssl_dh_parameters_length = 2048
>
> When you start dovecot, does CPU load of dovecot/ssl-params roof to 100%?
> It's possible it's generating ephemeral DH keys. In a previous post
> to this list, I note that the run time to generate these keys can vary
> wildly, and gets worse with longer keys. Sometimes you get lucky, and
> you'll generate them quickly, sometimes it takes a long while (minutes).
>
> http://dovecot.org/pipermail/dovecot/2015-November/102447.html
>
> Try running
>
>     openssl dhparam -noout 2048
>
> to see how it varies for you. If what I suspect is true, you can try
> using shorter keys. A followup post suggests a way you can precompute
> the key.
>
> Joseph Tam <jtam.home at gmail.com>

We are going to provide an ssl_dh parameter in v2.3 which replaces the
current ssl parameters daemon with a simple PEM encoded file that you
provide.

---
Aki Tuomi
Dovecot Oy
aki.tuomi:

> We are going to provide an ssl_dh parameter in v2.3 which replaces the
> current ssl parameters daemon with a simple PEM encoded file that you
> provide.

Good thing. That simplifies the process of DH regeneration to a method admins are more familiar with.

>
> ---
> Aki Tuomi
> Dovecot Oy
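The two ideas in this thread, precomputing the DH parameters once with openssl as Joseph suggests and handing Dovecot v2.3 a PEM file through ssl_dh as Aki describes, as an added shell example. This is not code from the thread or from Dovecot itself; it assumes the openssl CLI is installed, and the path /etc/dovecot/dh.pem is a placeholder you choose.

```shell
#!/bin/sh
# Added example (not from the thread): generate Dovecot's DH group once,
# offline, instead of letting the ssl-params process do it at startup.
# Assumes the openssl CLI; the ssl_dh line is the Dovecot v2.3 form.

# Generate a BITS-bit safe-prime DH group into OUT unless it already exists.
# Prints the wall-clock seconds spent, so you can see how much it varies.
precompute_dh() {
    out=$1; bits=${2:-2048}
    if [ -s "$out" ]; then
        echo "reusing existing $out"
        return 0
    fi
    start=$(date +%s)
    # Writes a PEM "DH PARAMETERS" block; progress dots go to stderr.
    openssl dhparam -out "$out" "$bits" 2>/dev/null || return 1
    chmod 0644 "$out"    # DH group parameters are public, not secret
    echo "generated $bits-bit parameters in $(( $(date +%s) - start ))s"
}

# Print the modulus size of a PEM DH parameters file; fail if it is not one.
dh_pem_bits() {
    grep -q 'BEGIN DH PARAMETERS' "$1" || return 1
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# Dovecot v2.3+ reads the file directly ("<" means "contents of file").
# Older versions still run ssl-params at startup, so there you just wait.
dovecot_ssl_dh_line() {
    echo "ssl_dh = <$1"
}

# Typical use (placeholder path, hypothetical):
#   precompute_dh /etc/dovecot/dh.pem 2048
#   dh_pem_bits /etc/dovecot/dh.pem
#   dovecot_ssl_dh_line /etc/dovecot/dh.pem   >> /etc/dovecot/conf.d/10-ssl.conf
```

Run precompute_dh on a build or admin host ahead of the certificate swap; the restart itself then no longer depends on how long prime generation happens to take.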