Good day!

I'm having trouble changing certificate/keys for my dovecot (version 1.2.9).
When I set up the server (ubuntu lts 10.4.4) I did it with a self-signed certificate. I can't remember exactly what I did, just that I followed the wiki and it worked fine =)

Now I have to change the certificate because a friend bought an official one (from thawte) and I'm a bit stumped.
As dovecot can supposedly use the same file for both key and cert file, I copied the new certificate to /etc/ssl/private/dovecot.pem and to /etc/ssl/certs/dovecot.pem.

next I get from managesieve-login, pop3-login and imap-login the following log entries:
Fatal: Can't load private key file /etc/ssl/private/dovecot.pem: Key is for a different cert than /etc/ssl/certs/dovecot.pem

some googling brought up the file ssl-cert-snakeoil.key in /etc/ssl/private and /etc/ssl/certs that some people change in that context. As I also have a symlink /etc/ssl/private/ssl-mail.key that points to /etc/ssl/private/ssl-cert-snakeoil.key I'm starting to be confused (even more). dovecot is using the dovecot.pem-files, who/what uses the ssl-mail.key?

I'm pretty sure I'm just overlooking something completely obvious, but what? =)

greetings
silvia

On 06/11/2012 08:28 AM, oni-neko at gmx.net wrote:
> Good day!
>
> I'm having trouble changing certificate/keys for my dovecot (version 1.2.9).
> When I set up the server (ubuntu lts 10.4.4) I did it with a self-signed certificate. I can't remember exactly what I did, just that I followed the wiki and it worked fine =)
>
> Now I have to change the certificate because a friend bought an official one (from thawte) and I'm a bit stumped.
> As dovecot can supposedly use the same file for both key and cert file, I copied the new certificate to /etc/ssl/private/dovecot.pem and to /etc/ssl/certs/dovecot.pem.

Are both files identical, do they both contain the private key? Why keep two copies of the same file? That's confusing.
If you don't want to use separate files for the certificate and the private key then just concatenate them both in a single file, private key first, and make sure it's owned by root and readable by no one but root. Then just point ssl_cert_file and ssl_key_file to the same file. That should be more clear and consistent.
Your file should look like this:

-----BEGIN PRIVATE KEY-----
....etc...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
....etc...
-----END CERTIFICATE-----

Followed by any intermediate CA certificates that might be necessary.

> some googling brought up the file ssl-cert-snakeoil.key in /etc/ssl/private and /etc/ssl/certs that some people change in that context. As I also have a symlink /etc/ssl/private/ssl-mail.key that points to /etc/ssl/private/ssl-cert-snakeoil.key I'm starting to be confused (even more). dovecot is using the dovecot.pem-files, who/what uses the ssl-mail.key?

If there's no reference to this file in dovecot's configuration then dovecot isn't using it. Maybe someone else e.g. postfix, maybe someone used to use it.. does it matter? It doesn't look like this is the source of your trouble.

thank you for your answer!

-------- Original Message --------
> Date: Mon, 11 Jun 2012 15:39:39 -0400
> From: Gedalya <gedalya at gedalya.net>
> To: dovecot at dovecot.org
> Subject: Re: [Dovecot] question about changing certificate

> Are both files identical, do they both contain the private key?

umm, no, ok, I think I see at least part of the problem: I have only the certificate, but no key =/
durr, ok, that is way obvious as a problem.

next question: do I need the key to use the certificate or can I only use the certificate and leave the value of ssl_key_file empty?

thank you for answering my obviously quite, umm, uninformed questions =)

greetings
silvia
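
An added example, not part of the original messages: a shell function that checks a combined PEM file against the layout given in the reply above (private key first, then certificate, not readable by group or others) and compares the key with the certificate, which is the condition behind the "Key is for a different cert" log entry. The function name check_combined_pem, its verdict words, and the reliance on GNU stat and the openssl command-line tool are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Lints a combined Dovecot PEM file:
# private key first, then certificate, then any intermediate CA certificates.
# Prints one verdict word; returns 0 only for "ok". Assumes GNU stat (Ubuntu).
check_combined_pem() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }

    # Line number of the first private-key header and first certificate header.
    key_line=$(awk '/-----BEGIN ([A-Z]+ )?PRIVATE KEY-----/ { print NR; exit }' "$f")
    crt_line=$(awk '/-----BEGIN CERTIFICATE-----/ { print NR; exit }' "$f")

    [ -n "$crt_line" ] || { echo no-certificate; return 1; }
    # The case from this thread: only the CA-issued certificate was copied in.
    [ -n "$key_line" ] || { echo no-private-key; return 1; }
    [ "$key_line" -lt "$crt_line" ] || { echo key-not-first; return 1; }

    # A file that holds a private key must not be readable by group or others.
    case $(stat -c %a "$f") in
        *00) ;;
        *) echo too-permissive; return 1 ;;
    esac
    [ "$(stat -c %U "$f")" = root ] || echo "warning: $f is not owned by root" >&2

    # The public key derived from the private key must equal the one in the
    # certificate; a mismatch is what "Key is for a different cert" reports.
    command -v openssl >/dev/null 2>&1 || { echo match-unchecked; return 1; }
    k=$(openssl pkey -in "$f" -pubout 2>/dev/null) || k=
    c=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || c=
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo key-cert-mismatch; return 1; }
    echo ok
}

# Usage: check_combined_pem /etc/ssl/private/dovecot.pem
```

A certificate-only file such as the one described in the thread yields no-private-key, because the private key is never part of what the CA sends back.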