dovecot - Feb 2015 - /etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism

Hi,

this is not a genuine Dovecot bug, more a nuisance.
It applies to OpenSuse 13.2 but maybe also to other Linux's.

The standard installation of Dovecot (especially 10-ssl.conf) places the 
certificate dovecot.pem in /etc/ssl/certs.
Sometimes during updates does OpenSuse renew all certificates in /etc/ssl/certs 
and erases dovecot.pem. This blocks further access to the mailbox.

I found a similar report here:
  https://bbs.archlinux.de/viewtopic.php?id=27288

Workaround: Move dovecot.pem to another directory and change 10-ssl.conf 
accordingly.

Regards

Wolfgang Gross

--
Dr. W. Gross
Sektion Chirurgische Forschung
Klinik f?r Allgemein-, Viszeral- und Transplantationschirurgie
Universit?tsklinikum Heidelberg
Im Neuenheimer Feld 365, D-69120 Heidelberg, Germany
Tel. ++49 (0)6221/566392, Fax: ++49 (0)6221/566402
WGross at uni-hd.de

This directory in later times is where more and more distros are
putting system wide server CA type certs, most distros are moving to
this path, so the package maintainer should fix their script, maybe to
/etc/ssl/private or such.


On 2/16/15, Wolfgang Gross <WGross at uni-hd.de>
wrote:
> Hi,
>
> this is not a genuine Dovecot bug, more a nuisance.
> It applies to OpenSuse 13.2 but maybe also to other Linux's.
>
> The standard installation of Dovecot (especially 10-ssl.conf) places the
> certificate dovecot.pem in /etc/ssl/certs.
> Sometimes during updates does OpenSuse renew all certificates in
> /etc/ssl/certs
> and erases dovecot.pem. This blocks further access to the mailbox.
>
> I found a similar report here:
>   https://bbs.archlinux.de/viewtopic.php?id=27288
>
> Workaround: Move dovecot.pem to another directory and change 10-ssl.conf
> accordingly.
>
> Regards
>
> Wolfgang Gross
>
> --
> Dr. W. Gross
> Sektion Chirurgische Forschung
> Klinik f?r Allgemein-, Viszeral- und Transplantationschirurgie
> Universit?tsklinikum Heidelberg
> Im Neuenheimer Feld 365, D-69120 Heidelberg, Germany
> Tel. ++49 (0)6221/566392, Fax: ++49 (0)6221/566402
> WGross at uni-hd.de
>

On 16 Feb 2015 at 21:59, Nick Edwards wrote:
> This directory in later times is where more and more distros are
> putting system wide server CA type certs, most distros are moving to
> this path, so the package maintainer should fix their script, maybe to
> /etc/ssl/private or such.
Maybe not in /etc/ssl/private for security reasons?
10-ssl.conf uses the same file name for certificate and private key; better 
change this, too.
> 
> On 2/16/15, Wolfgang Gross <WGross at uni-hd.de> wrote:
> > Hi,
> >
> > this is not a genuine Dovecot bug, more a nuisance.
> > It applies to OpenSuse 13.2 but maybe also to other Linux's.
> >
> > The standard installation of Dovecot (especially 10-ssl.conf) places
the
> > certificate dovecot.pem in /etc/ssl/certs.
> > Sometimes during updates does OpenSuse renew all certificates in
> > /etc/ssl/certs
> > and erases dovecot.pem. This blocks further access to the mailbox.
> >
> > I found a similar report here:
> >   https://bbs.archlinux.de/viewtopic.php?id=27288
> >

On Mon, 16 Feb 2015 10:09:16 +0100
"Wolfgang Gross" <WGross at uni-hd.de> wrote:
> Hi,
> 
> this is not a genuine Dovecot bug, more a nuisance.
> It applies to OpenSuse 13.2 but maybe also to other Linux's.
> 
> The standard installation of Dovecot (especially 10-ssl.conf) places
> the certificate dovecot.pem in /etc/ssl/certs.
> Sometimes during updates does OpenSuse renew all certificates
> in /etc/ssl/certs and erases dovecot.pem. This blocks further access
> to the mailbox.
> 
> I found a similar report here:
>   https://bbs.archlinux.de/viewtopic.php?id=27288
> 
> Workaround: Move dovecot.pem to another directory and change
> 10-ssl.conf accordingly.
This is *not* our update mechanism. This is update-ca-certificates,
which will wipe /etc/ssl/certs/ when it is called. This can happen to
you on any distro using it. My recommendation is to
use /etc/ssl/private/ for all service related files. Certs and keys.

HTH

    darix

-- 
          openSUSE - SUSE Linux is my linux
              openSUSE is good for you
                  www.opensuse.org