The public cert part is good, but the private one begins with "Begin private key", not "RSA key."

On Sun, 14 Jun 2015 15:54:23 +0200, you wrote:

>On 13.06.2015 at 22:11, Steve Matzura wrote:
>> On Sat, 13 Jun 2015 21:57:06 +0200, you wrote:
>>
>>> On Sat, Jun 13, 2015 at 03:41:26PM -0400, Steve Matzura wrote:
>>>>>>>> Trying ::1... # this is certainly suspect
>>>>>>>> Escape character is '^['.
>>>>>>>> Connection closed by foreign host.
>>>
>>> This means the daemon is listening but errors out before able to process.
>>> Check the logs.
>>> Might be a dependency not starting, wrong permissions, certificate wrong/expired, etc..
>>
>> Oh yes! Sorry for not having checked this before.
>>
>> Jun 13 18:50:56 <my-node> dovecot: master: Error: service(pop3-login):
>> command startup failed, throttling for 2 secs
>> Jun 13 19:30:26 <my-node> dovecot: imap-login: Error: SSL: Stacked
>> error: error:0608308E:digital envelope
>> routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
>> Jun 13 19:30:26 <my-node> dovecot: imap-login: Fatal: Can't load
>> ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line
>> Jun 13 19:30:26 <my-node> dovecot: master: Error: service(imap-login):
>> command startup failed, throttling for 60 secs
>> Jun 13 19:31:27 <my-node> dovecot: imap-login: Error: SSL: Stacked
>> error: error:0608308E:digital envelope
>> routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
>> Jun 13 19:31:27 <my-node> dovecot: imap-login: Fatal: Can't load
>> ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line
>> Jun 13 19:31:27 <my-node> dovecot: master: Error: service(imap-login):
>> command startup failed, throttling for 60 secs
>> Jun 13 19:33:04 <my-node> dovecot: imap-login: Error: SSL: Stacked
>> error: error:0608308E:digital envelope
>> routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
>> Jun 13 19:33:04 <my-node> dovecot: imap-login: Fatal: Can't load
>> ssl_cert: error:0906D06C:PEM routines:PEM_read_bio:no start line
>> Jun 13 19:33:04 <my-node> dovecot: master: Error: service(imap-login):
>> command startup failed, throttling for 60 secs
>>
>> I thought this was a possibility. It probably means I have
>> concatenated incorrect elements to form the certificate files.
>>
>
>Looks like there is something wrong with the format of your
>certificates. Do your files contain the start and end lines?
>
>
>The private key file should look like this:
>-----BEGIN RSA PRIVATE KEY-----
>cWgpJPyTE7yxI7cqREE8ULqn4eVJ85YckBNooOXGiumSkoTske7XIGNvRQWkpFUN
>[...]
>4LMADvl806xkVkoWDGqJvN2MrN4qeRWuiTQ4tqmi0xp8wfoKWD0q4A=
>-----END RSA PRIVATE KEY-----
>
>
>The public certificates file should look like this:
>-----BEGIN CERTIFICATE-----
>DwAwggEKAoIBAQCxpX2YsLeMT3GIMDtdJIoVkT+qe5PrpPL3omglJ+sKXnulM8JP
>[... more stuff from your domains cert ...]
>VmXZvW8oF1yaSQ/lSXZZ5Cg7mFZqqGrO5Sr15ZrduPlgdQ=
>-----END CERTIFICATE-----
>-----BEGIN CERTIFICATE-----
>MDBaFw0yNDAyMjAxMDAwMDBaMEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
>[... more stuff from your intermediate cert ...]
>AQAwHQYDVR0OBBYEFPXN1TwIUPlqTzq3l9pWg+Zp0mj3MEUGA1UdIAQ+MDwwOg=
>-----END CERTIFICATE-----

I think I saw mention of "notepad" previously. If this is the case there may be some "dos" formatting that is messing things up.

On Jun 14, 2015, at 12:10 PM, Steve Matzura wrote:

> The public cert part is good, but the private one begins with "Begin
> private key", not "RSA key."

On Sun, 14 Jun 2015 12:30:40 -0500, you wrote:

>I think I saw mention of "notepad" previously. If this is the case there may be some "dos" formatting that is messing things up.

I didn't do it with Notepad. In fact, I did it on the Linux system in question using nano.

Here's the command I used to generate the CSR. It is really one line, even though your message display program may cause it to wrap midway:

openssl req -nodes -newkey rsa:2048 -sha1 -keyout myserver.key -out server.csr

On Sunday, 14.06.2015 at 13:10 -0400, Steve Matzura wrote:

> The public cert part is good, but the private one begins with "Begin
> private key", not "RSA key."
>

I generated my own dovecot CSR with certtool from gnutls-bin, which indeed adds 'RSA Private Key'.
But that openssl command you used does it without the RSA.

Whether the key and certificate have been correctly generated can be checked with the gnutls certtool:

certtool -k < myserver.key | less
certtool -i < cert.pem | less
(or whatever you called the signed certificate)

It outputs the key with the RSA line added. Maybe just try that out.
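
An added example, not part of the original thread: a small Python check for the two questions raised above, namely which PEM start line a key or certificate file carries ("BEGIN PRIVATE KEY" is the PKCS#8 encoding, "BEGIN RSA PRIVATE KEY" the traditional RSA one) and whether DOS line endings or a missing start line are present. The names inspect_pem and KEY_LABELS are hypothetical, and the sample inputs are constructed placeholders rather than real keys or certificates.

```python
import re

# PEM labels a private-key file may carry, with the encoding each one names.
KEY_LABELS = {
    "PRIVATE KEY": "PKCS#8, unencrypted",
    "ENCRYPTED PRIVATE KEY": "PKCS#8, passphrase-protected",
    "RSA PRIVATE KEY": "traditional RSA (PKCS#1)",
    "EC PRIVATE KEY": "traditional EC (SEC1)",
}
BOUNDARY = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")

def inspect_pem(data, expect):
    """Check bytes meant to be a 'cert' or 'key' file; return (labels, problems)."""
    problems, labels, open_label, saw_begin = [], [], None, False
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte-order mark before the first line")
        data = data[3:]
    if b"\r" in data:
        problems.append("carriage returns present (DOS line endings)")
    for n, line in enumerate(data.decode("ascii", "replace").splitlines(), 1):
        m = BOUNDARY.fullmatch(line.strip())
        if m is None:
            # Base64 body lines contain no spaces, so these words mark a broken boundary.
            if "BEGIN " in line or "END " in line:
                problems.append(f"line {n}: malformed boundary {line!r}")
            continue
        kind, label = m.groups()
        if kind == "BEGIN":
            saw_begin = True
            if open_label:
                problems.append(f"line {n}: BEGIN inside open {open_label} block")
            open_label = label
        elif label == open_label:
            labels.append(label)
            open_label = None
        else:
            problems.append(f"line {n}: END {label} has no matching BEGIN")
    if open_label:
        problems.append(f"BEGIN {open_label} is never closed")
    if not saw_begin:
        problems.append("no PEM start line found")
    allowed = {"CERTIFICATE"} if expect == "cert" else set(KEY_LABELS)
    problems += [f"unexpected {l} block in {expect} file" for l in labels if l not in allowed]
    return labels, problems

# Constructed samples; the base64 body is a placeholder, not real key material.
BODY = b"Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
KEY_PKCS8 = b"-----BEGIN PRIVATE KEY-----\n" + BODY + b"-----END PRIVATE KEY-----\n"
CERT = b"-----BEGIN CERTIFICATE-----\n" + BODY + b"-----END CERTIFICATE-----\n"
```

To check real files, pass their contents as bytes, for example `inspect_pem(open("myserver.key", "rb").read(), "key")`.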