dovecot - Jan 2009 - New SSL certificate problem

Our DC has been using a Verisign certificate.  Over the past year, we've 
been using a Digicert Wildcard Plus certificate for almost all of our 
machines, and I wanted to switched over our DC mailserver.

I used the following command to generate the CSR and key:

openssl req -new -newkey rsa:1024 -nodes -out star_bard_edu.csr -keyout
star_bard_edu.key -subj "/C=US/ST=NY/L=ourtown/O=Bard College IT/OU=Bard
College /CN=*.bard.edu"

The resultant CSR verified and I submitted it to digicert and got back our cert,
plus their intermediate and Trusted root certs.
I killed the root instance of dovecot and waited for all the children to die
I put together the intermediate cert (first) and our cert (second) into
/usr/ssl/certs/dovecot.pem
I put the key star_bard_edu.key in /var/ssl/private/dovecot.pem

I restarted dovecot, but the imap login instances didn't appear, so I 
shifted back to the original combined cert file and key, restarted 
dovecot and it came up OK

I check the syslog and saw these error messages:

Jan  5 10:19:49 mercury mail:err|error dovecot: imap-login: Can't load
private k
ey file /var/ssl/private/dovecot.pem: error:0B080074:x509 certificate routines:X
509_check_private_key:key values mismatch
Jan  5 10:19:49 mercury mail:err|error last message repeated 8 times
Jan  5 10:19:49 mercury mail:err|error dovecot: child 4051108 (login) returned e
rror 89
Jan  5 10:19:49 mercury mail:err|error dovecot: child 4231382 (login) returned e
rror 89

I checked my key and it has the same time stamp as my CSR, so I didn't 
somehow get the wrong key.  Both the old and new key are 600; if the old 
one works based on perms, the new one should too.

Would some kind soul tell me what I'm missing?  Or is there a problem 
using wild card certificate with DC?  Is there an openssl command to 
verify the key.  Or is it that the key is unencrypted?

-- 
==== Once upon a time, the Internet was a friendly, 
neighbors-helping-neighbors small town, and no one locked their doors. 
Now it's like an apartment in Bed-Stuy: you need three heavy duty 
pick-proof locks, one of those braces that goes from the lock to the 
floor, and bars on the windows.... ==== Stewart Dean, Unix System Admin, 
Bard College, New York 12504 sdean at bard.edu voice: 845-758-7475, fax: 
845-758-7035

Although I was told by Digicert that the order of chained certs in 
/var/ssl/certs/dovecot.pem should make no difference, after I put our 
public cert first, followed by Digicert's intermediate cert, dovecot 
started up fine.  Of course, there were so many things I looked into, it 
might have been something else I touched......

Stewart Dean wrote:
>
> Our DC has been using a Verisign certificate.  Over the past year, 
> we've been using a Digicert Wildcard Plus certificate for almost all 
> of our machines, and I wanted to switched over our DC mailserver.
>
> I used the following command to generate the CSR and key:
>
> openssl req -new -newkey rsa:1024 -nodes -out star_bard_edu.csr 
> -keyout star_bard_edu.key -subj "/C=US/ST=NY/L=ourtown/O=Bard College 
> IT/OU=Bard College /CN=*.bard.edu"
>
> The resultant CSR verified and I submitted it to digicert and got back 
> our cert, plus their intermediate and Trusted root certs.
> I killed the root instance of dovecot and waited for all the children 
> to die
> I put together the intermediate cert (first) and our cert (second) 
> into /usr/ssl/certs/dovecot.pem
> I put the key star_bard_edu.key in /var/ssl/private/dovecot.pem
>
> I restarted dovecot, but the imap login instances didn't appear, so I 
> shifted back to the original combined cert file and key, restarted 
> dovecot and it came up OK
>
> I check the syslog and saw these error messages:
>
> Jan  5 10:19:49 mercury mail:err|error dovecot: imap-login: Can't load 
> private k
> ey file /var/ssl/private/dovecot.pem: error:0B080074:x509 certificate 
> routines:X
> 509_check_private_key:key values mismatch
> Jan  5 10:19:49 mercury mail:err|error last message repeated 8 times
> Jan  5 10:19:49 mercury mail:err|error dovecot: child 4051108 (login) 
> returned e
> rror 89
> Jan  5 10:19:49 mercury mail:err|error dovecot: child 4231382 (login) 
> returned e
> rror 89
>
> I checked my key and it has the same time stamp as my CSR, so I didn't 
> somehow get the wrong key.  Both the old and new key are 600; if the 
> old one works based on perms, the new one should too.
>
> Would some kind soul tell me what I'm missing?  Or is there a problem 
> using wild card certificate with DC?  Is there an openssl command to 
> verify the key.  Or is it that the key is unencrypted?
>

-- 
==== Once upon a time, the Internet was a friendly, 
neighbors-helping-neighbors small town, and no one locked their doors. 
Now it's like an apartment in Bed-Stuy: you need three heavy duty 
pick-proof locks, one of those braces that goes from the lock to the 
floor, and bars on the windows.... ==== Stewart Dean, Unix System Admin, 
Bard College, New York 12504 sdean at bard.edu voice: 845-758-7475, fax: 
845-758-7035