Oliver Riesen-Mallmann
2016-Apr-13 07:40 UTC
Warning: Global setting won't change the setting inside an earlier filter
Hi,
I'm using the Dovecot Prebuilt Binary:
deb http://xi.rename-it.nl/debian/ stable-auto/dovecot-2.2 main
I configured multiple SSL certificates with client TLS SNI (see
http://wiki2.dovecot.org/SSL/DovecotConfiguration).
Since my last update I get some warnings:
doveconf: Warning: /etc/dovecot/conf.d/10-ssl.conf line 12: Global
setting ssl_cert won't change the setting inside an earlier filter at
/etc/dovecot/conf.d/10-ssl-langzeittest.de.conf line 4
doveconf: Warning: /etc/dovecot/conf.d/10-ssl.conf line 13: Global
setting ssl_key won't change the setting inside an earlier filter at
/etc/dovecot/conf.d/10-ssl-langzeittest.de.conf line 5
doveconf: Warning: /etc/dovecot/conf.d/10-ssl.conf line 12: Global
setting ssl_cert won't change the setting inside an earlier filter at
/etc/dovecot/conf.d/10-ssl-langzeittest.de.conf line 4
doveconf: Warning: /etc/dovecot/conf.d/10-ssl.conf line 13: Global
setting ssl_key won't change the setting inside an earlier filter at
/etc/dovecot/conf.d/10-ssl-langzeittest.de.conf line 5
The reason is this commit:
doveconf: Log a warning if a global setting is updated after it was a?
?lready set inside a filter
https://github.com/dovecot/core/commit/87404eae4581d7ef834f490507503e59a500066e
My configuration is (shorted):
# dovecot -n
# 2.2.devel (87404ea): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.devel (215349a)
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.10
[...]
ssl_cert = </etc/letsencrypt/live/v083.violet.fastwebserver.de/fullchain.pem
[...]
ssl_key = </etc/letsencrypt/live/v083.violet.fastwebserver.de/privkey.pem
[...]
local_name imap.langzeittest.de {
ssl_cert </etc/letsencrypt/live/fahrerlager.langzeittest.de/fullchain.pem
ssl_key = </etc/letsencrypt/live/fahrerlager.langzeittest.de/privkey.pem
}
local_name mail.langzeittest.de {
ssl_cert </etc/letsencrypt/live/fahrerlager.langzeittest.de/fullchain.pem
ssl_key = </etc/letsencrypt/live/fahrerlager.langzeittest.de/privkey.pem
}
I understand, that the warning is correct. I configured ssl_cert and
ssl_key both, globally (like a default) and in some local_name filters.
I tried already to move the global configuration of ssl_cert and ssl_key
in an own local_name filter. It didn't work. No login possible:
dovecot: master: Dovecot v2.2.devel (87404ea) starting up for imap (core
dumps disabled)
dovecot: imap-login: Error: SSL: Stacked error: error:0906D06C:PEM
routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
dovecot: imap-login: Fatal: Couldn't parse private ssl_key: Address
family not supported by protocol
How is the correct configuration in this scenario?
Regards
Oliver
Timo Sirainen
2016-Apr-13 10:44 UTC
Warning: Global setting won't change the setting inside an earlier filter
On 13 Apr 2016, at 10:40, Oliver Riesen-Mallmann <oliver at riesen.org> wrote:> > Hi, > > I'm using the Dovecot Prebuilt Binary: > deb http://xi.rename-it.nl/debian/ stable-auto/dovecot-2.2 main > > I configured multiple SSL certificates with client TLS SNI (see > http://wiki2.dovecot.org/SSL/DovecotConfiguration). > > Since my last update I get some warnings: > > doveconf: Warning: /etc/dovecot/conf.d/10-ssl.conf line 12: Global > setting ssl_cert won't change the setting inside an earlier filter at > /etc/dovecot/conf.d/10-ssl-langzeittest.de.conf line 4 > doveconf: Warning: /etc/dovecot/conf.d/10-ssl.conf line 13: Global > setting ssl_key won't change the setting inside an earlier filter at > /etc/dovecot/conf.d/10-ssl-langzeittest.de.conf line 5 > doveconf: Warning: /etc/dovecot/conf.d/10-ssl.conf line 12: Global > setting ssl_cert won't change the setting inside an earlier filter at > /etc/dovecot/conf.d/10-ssl-langzeittest.de.conf line 4 > doveconf: Warning: /etc/dovecot/conf.d/10-ssl.conf line 13: Global > setting ssl_key won't change the setting inside an earlier filter at > /etc/dovecot/conf.d/10-ssl-langzeittest.de.conf line 5 > > The reason is this commit: > doveconf: Log a warning if a global setting is updated after it was a? > ?lready set inside a filter > https://github.com/dovecot/core/commit/87404eae4581d7ef834f490507503e59a500066e > > My configuration is (shorted): > > # dovecot -n > # 2.2.devel (87404ea): /etc/dovecot/dovecot.conf > # Pigeonhole version 0.4.devel (215349a) > # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.10 > [...] > ssl_cert = </etc/letsencrypt/live/v083.violet.fastwebserver.de/fullchain.pem > [...] > ssl_key = </etc/letsencrypt/live/v083.violet.fastwebserver.de/privkey.pem > [...] > local_name imap.langzeittest.de { > ssl_cert > </etc/letsencrypt/live/fahrerlager.langzeittest.de/fullchain.pem > ssl_key = </etc/letsencrypt/live/fahrerlager.langzeittest.de/privkey.pem > } > local_name mail.langzeittest.de { > ssl_cert > </etc/letsencrypt/live/fahrerlager.langzeittest.de/fullchain.pem > ssl_key = </etc/letsencrypt/live/fahrerlager.langzeittest.de/privkey.pem > } > > I understand, that the warning is correct. I configured ssl_cert and > ssl_key both, globally (like a default) and in some local_name filters.You should be able to solve this by moving the ssl_cert & ssl_key before the local_name {}. Note that doveconf -n reorders the settings here. So right now doveconf reads: local_name { ssl_cert = .. } ssl_cert = .. # it gives a warning here If it's instead: ssl_cert = .. local_name { ssl_cert = .. } There is no warning.
Oliver Riesen-Mallmann
2016-Apr-13 11:11 UTC
Warning: Global setting won't change the setting inside an earlier filter
Hi Timo,> You should be able to solve this by moving the ssl_cert & ssl_key > before the local_name {}.Thanks for the hint. I moved all my separate local_name config files from 10-ssl-* to 11-ssl-* The warnings are gone. Regards Oliver