Discussion:
Securing imap with Letsencrypt
Milan Petrovic
2018-08-01 07:18:38 UTC
Hi all,

I'm running a multidomain Kolab setup on Ubuntu, with Nginx.
I'm trying to make cyrus-imap use the Letsencrypt certificates
without any success (the certs are working fine on the Nginx part,
also working fine for Active-sync connections).
The certificates are stored in /etc/letsencrypt/archive/my_domain/,
chmoded to 640, owned by root (I have tried to have them owned by a
group 'mail' or 'ssl-cert', nothing happens).
Whenever I point the "tls_client_ca_file", "tls_server_cert" and
"tls_server_key" of imapd.conf to letsencrypt certs, I get in the logs
the following:
Aug 1 02:10:50 collab imaps[28524]: unable to get certificate from
'/etc/letsencrypt/archive/my_domain/cert6.pem'
Aug 1 02:10:50 collab imaps[28524]: TLS server engine: cannot load
server cert/key data.
Aug 1 02:10:50 collab imaps[28524]: error initializing TLS
Aug 1 02:10:50 collab imaps[28524]: Fatal error: tls_init() failed


At some point in the past I see I have commented out the ldap
configuration from the imapd.conf, not sure when and why (both the
base ldap configuration and the addition at the end for the
multidomain setup), but uncommenting it makes the login within
roundcube unsuccessful.

Please help.

Thanks, Milan
Sruli Saurymper
2018-08-01 08:45:08 UTC
Post by Milan Petrovic
Hi all,
I'm running a multidomain Kolab setup on Ubuntu, with Nginx.
I'm trying to make cyrus-imap use the Letsencrypt certificates
without any success (the certs are working fine on the Nginx part,
also working fine for Active-sync connections).
The certificates are stored in /etc/letsencrypt/archive/my_domain/,
Has cert6 maybe expired? Why don't you point it to the symlink in
/etc/letsencrypt/live/my_domain/ as you're supposed to?
Post by Milan Petrovic
At some point in the past I see I have commented out the ldap
configuration from the imapd.conf, not sure when and why (both the
base ldap configuration and the addition at the end for the
multidomain setup), but uncommenting it makes the login within
roundcube unsuccessful.
Have you double checked
https://docs.kolab.org/howtos/secure-kolab-server.html to make sure all
your config is correct?
Post by Milan Petrovic
Please help.
Thanks, Milan
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
b***@free.fr
2018-08-01 09:05:08 UTC
Hi,
Post by Milan Petrovic
Hi all,
I'm running a multidomain Kolab setup on Ubuntu, with Nginx.
I'm trying to make cyrus-imap use the Letsencrypt certificates
without any success (the certs are working fine on the Nginx part,
also working fine for Active-sync connections).
The certificates are stored in /etc/letsencrypt/archive/my_domain/,
chmoded to 640, owned by root (I have tried to have them owned by a
group 'mail' or 'ssl-cert', nothing happens).
Whenever I point the "tls_client_ca_file", "tls_server_cert" and
"tls_server_key" of imapd.conf to letsencrypt certs, I get in the logs
Aug 1 02:10:50 collab imaps[28524]: unable to get certificate from
'/etc/letsencrypt/archive/my_domain/cert6.pem'
Aug 1 02:10:50 collab imaps[28524]: TLS server engine: cannot load
server cert/key data.
Aug 1 02:10:50 collab imaps[28524]: error initializing TLS
Aug 1 02:10:50 collab imaps[28524]: Fatal error: tls_init() failed
I do it too.

You are supposed to have the following users in your group:
- cyrus
- postfix

And give the group at least "read" (+r) rights on your certificates.

Note that folders sort of inherit the permissions from upper
folders: they have to be readable (+r) and traversable (+x) by your group
too.

You may debug it simply by switching to those users (like: su - cyrus
--shell=/bin/sh) and doing some ls/cat to find what "breaks" the
authorization.
Post by Milan Petrovic
At some point in the past I see I have commented out the ldap
configuration from the imapd.conf, not sure when and why (both the
base ldap configuration and the addition at the end for the
multidomain setup), but uncommenting it makes the login within
roundcube unsuccessful.
Your users might be stored in cyrus instead of LDAP. In that case,
it's normal that you can't log in via LDAP, because all your setup might
depend on IMAP authentication.
Post by Milan Petrovic
Please help.
Thanks, Milan
Milan Petrovic
2018-08-01 09:39:15 UTC
Seems like the access rights are the ones causing the problem...

I have pointed to the certs in the ../archive/ folder, as I've read
somewhere they have to have 640 access rights. The certs in /live/ are
publicly available.

The issue seems to be that the 'cyrus' user cannot read the certs in any
folder. When I do "sudo -u cyrus cat ..." I get the 'permission
denied' error, even after adding the cyrus user to the ssl-cert group or
even after I made the cyrus user and root group the owners of the cert
file.

$ sudo ls -la /etc/letsencrypt/archive/my_domain/
total 104
drwxr-xr-x 2 root root 4096 May 28 16:51 .
drwxr-x--- 4 root root 4096 Feb 13 2017 ..
-rw-r--r-- 1 root root 1830 Feb 13 2017 cert1.pem
-rw-r--r-- 1 root root 1830 Jun 5 2017 cert2.pem
-rw-r--r-- 1 root root 1830 Sep 13 2017 cert3.pem
-rw-r--r-- 1 root root 1830 Dec 19 2017 cert4.pem
-rw-r--r-- 1 root root 1830 Feb 27 15:12 cert5.pem
-rw-r----- 1 root ssl-cert 2187 May 28 16:51 cert6.pem
-rw-r--r-- 1 root root 1647 Feb 13 2017 chain1.pem
-rw-r--r-- 1 root root 1647 Jun 5 2017 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 13 2017 chain3.pem
-rw-r--r-- 1 root root 1647 Dec 19 2017 chain4.pem
-rw-r--r-- 1 root root 1647 Feb 27 15:12 chain5.pem
-rw-r----- 1 root ssl-cert 1647 May 28 16:51 chain6.pem
-rw-r--r-- 1 root root 3477 Feb 13 2017 fullchain1.pem
-rw-r--r-- 1 root root 3477 Jun 5 2017 fullchain2.pem
-rw-r--r-- 1 root root 3477 Sep 13 2017 fullchain3.pem
-rw-r--r-- 1 root root 3477 Dec 19 2017 fullchain4.pem
-rw-r--r-- 1 root root 3477 Feb 27 15:12 fullchain5.pem
-rw-r----- 1 root ssl-cert 3834 May 28 16:51 fullchain6.pem
-rw-r--r-- 1 root root 1704 Feb 13 2017 privkey1.pem
-rw-r--r-- 1 root root 1704 Jun 5 2017 privkey2.pem
-rw-r--r-- 1 root root 1708 Sep 13 2017 privkey3.pem
-rw-r--r-- 1 root root 1708 Dec 19 2017 privkey4.pem
-rw-r--r-- 1 root root 1704 Feb 27 15:12 privkey5.pem
-rw-r----- 1 root ssl-cert 1708 May 28 16:51 privkey6.pem
$ groups cyrus
cyrus : mail sasl ssl-cert
$ sudo -u cyrus cat /etc/letsencrypt/archive/my_domain/cert6.pem
cat: /etc/letsencrypt/archive/my_domainm/cert6.pem: Permission denied
$

The certs are valid, btw, recently renewed, maybe a month ago.
Post by b***@free.fr
Hi,
Post by Milan Petrovic
Hi all,
I'm running a multidomain Kolab setup on Ubuntu, with Nginx.
I'm trying to make cyrus-imap use the Letsencrypt certificates
without any success (the certs are working fine on the Nginx part,
also working fine for Active-sync connections).
The certificates are stored in /etc/letsencrypt/archive/my_domain/,
chmoded to 640, owned by root (I have tried to have them owned by a
group 'mail' or 'ssl-cert', nothing happens).
Whenever I point the "tls_client_ca_file", "tls_server_cert" and
"tls_server_key" of imapd.conf to letsencrypt certs, I get in the logs
Aug 1 02:10:50 collab imaps[28524]: unable to get certificate from
'/etc/letsencrypt/archive/my_domain/cert6.pem'
Aug 1 02:10:50 collab imaps[28524]: TLS server engine: cannot load
server cert/key data.
Aug 1 02:10:50 collab imaps[28524]: error initializing TLS
Aug 1 02:10:50 collab imaps[28524]: Fatal error: tls_init() failed
I do it too.
- cyrus
- postfix
And give the group at least "read" (+r) rights on your certificates.
Note that folders sort of inherit the permissions from upper
folders: they have to be readable (+r) and traversable (+x) by your group
too.
You may debug it simply by switching to those users (like: su - cyrus
--shell=/bin/sh) and doing some ls/cat to find what "breaks" the
authorization.
Post by Milan Petrovic
At some point in the past I see I have commented out the ldap
configuration from the imapd.conf, not sure when and why (both the
base ldap configuration and the addition at the end for the
multidomain setup), but uncommenting it makes the login within
roundcube unsuccessful.
Your users might be stored in cyrus instead of LDAP. In that case,
it's normal that you can't log in via LDAP, because all your setup might
depend on IMAP authentication.
Post by Milan Petrovic
Please help.
Thanks, Milan
Milan Petrovic
2018-08-01 10:05:48 UTC
Nope, won't do the trick...

$ sudo ls -la /etc/letsencrypt/archive
total 16
drwxr-x--- 4 root root 4096 Feb 13 2017 .
drwxr-xr-x 9 root root 4096 Jun 4 18:42 ..
drwxr-xr-x 2 root ssl-cert 4096 May 28 16:51 my_domain
drwxr-xr-x 2 root root 4096 May 28 16:51 my_other_domain
$ sudo chmod 755 /etc/letsencrypt/archive/my_domain/
$ sudo ls -la /etc/letsencrypt/archive
total 16
drwxr-x--- 4 root root 4096 Feb 13 2017 .
drwxr-xr-x 9 root root 4096 Jun 4 18:42 ..
drwxr-xr-x 2 root ssl-cert 4096 May 28 16:51 my_domain
drwxr-xr-x 2 root root 4096 May 28 16:51 my_other_domain
$ sudo -u cyrus cat /etc/letsencrypt/archive/my_domain/cert6.pem
cat: /etc/letsencrypt/archive/my_domain/cert6.pem: Permission denied
$
Post by Lasse Wiedemann
Hej,
maybe the problem is the permissions of /etc/letsencrypt/archive; there
only root has the right to read
(> drwxr-x--- 4 root root 4096 Feb 13 2017 ..)
I changed it to 755.
Lasse
Post by Milan Petrovic
Seems like the access rights are the ones causing the problem...
I have pointed to the certs in the ../archive/ folder, as I've read
somewhere they have to have 640 access rights. The certs in /live/ are
publicly available.
The issue seems to be that the 'cyrus' user cannot read the certs in any
folder. When I do "sudo -u cyrus cat ..." I get the 'permission
denied' error, even after adding the cyrus user to the ssl-cert group or
even after I made the cyrus user and root group the owners of the cert
file.
$ sudo ls -la /etc/letsencrypt/archive/my_domain/
total 104
drwxr-xr-x 2 root root 4096 May 28 16:51 .
drwxr-x--- 4 root root 4096 Feb 13 2017 ..
-rw-r--r-- 1 root root 1830 Feb 13 2017 cert1.pem
-rw-r--r-- 1 root root 1830 Jun 5 2017 cert2.pem
-rw-r--r-- 1 root root 1830 Sep 13 2017 cert3.pem
-rw-r--r-- 1 root root 1830 Dec 19 2017 cert4.pem
-rw-r--r-- 1 root root 1830 Feb 27 15:12 cert5.pem
-rw-r----- 1 root ssl-cert 2187 May 28 16:51 cert6.pem
-rw-r--r-- 1 root root 1647 Feb 13 2017 chain1.pem
-rw-r--r-- 1 root root 1647 Jun 5 2017 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 13 2017 chain3.pem
-rw-r--r-- 1 root root 1647 Dec 19 2017 chain4.pem
-rw-r--r-- 1 root root 1647 Feb 27 15:12 chain5.pem
-rw-r----- 1 root ssl-cert 1647 May 28 16:51 chain6.pem
-rw-r--r-- 1 root root 3477 Feb 13 2017 fullchain1.pem
-rw-r--r-- 1 root root 3477 Jun 5 2017 fullchain2.pem
-rw-r--r-- 1 root root 3477 Sep 13 2017 fullchain3.pem
-rw-r--r-- 1 root root 3477 Dec 19 2017 fullchain4.pem
-rw-r--r-- 1 root root 3477 Feb 27 15:12 fullchain5.pem
-rw-r----- 1 root ssl-cert 3834 May 28 16:51 fullchain6.pem
-rw-r--r-- 1 root root 1704 Feb 13 2017 privkey1.pem
-rw-r--r-- 1 root root 1704 Jun 5 2017 privkey2.pem
-rw-r--r-- 1 root root 1708 Sep 13 2017 privkey3.pem
-rw-r--r-- 1 root root 1708 Dec 19 2017 privkey4.pem
-rw-r--r-- 1 root root 1704 Feb 27 15:12 privkey5.pem
-rw-r----- 1 root ssl-cert 1708 May 28 16:51 privkey6.pem
$ groups cyrus
cyrus : mail sasl ssl-cert
$ sudo -u cyrus cat /etc/letsencrypt/archive/my_domain/cert6.pem
cat: /etc/letsencrypt/archive/my_domainm/cert6.pem: Permission denied
$
The certs are valid, btw, recently renewed, maybe a month ago.
Post by b***@free.fr
Hi,
Post by Milan Petrovic
Hi all,
I'm running a multidomain Kolab setup on Ubuntu, with Nginx.
I'm trying to make cyrus-imap use the Letsencrypt certificates
without any success (the certs are working fine on the Nginx part,
also working fine for Active-sync connections).
The certificates are stored in /etc/letsencrypt/archive/my_domain/,
chmoded to 640, owned by root (I have tried to have them owned by a
group 'mail' or 'ssl-cert', nothing happens).
Whenever I point the "tls_client_ca_file", "tls_server_cert" and
"tls_server_key" of imapd.conf to letsencrypt certs, I get in the logs
Aug 1 02:10:50 collab imaps[28524]: unable to get certificate from
'/etc/letsencrypt/archive/my_domain/cert6.pem'
Aug 1 02:10:50 collab imaps[28524]: TLS server engine: cannot load
server cert/key data.
Aug 1 02:10:50 collab imaps[28524]: error initializing TLS
Aug 1 02:10:50 collab imaps[28524]: Fatal error: tls_init() failed
I do it too.
- cyrus
- postfix
And give the group at least "read" (+r) rights on your certificates.
Note that folders sort of inherit the permissions from upper
folders: they have to be readable (+r) and traversable (+x) by your group
too.
You may debug it simply by switching to those users (like: su - cyrus
--shell=/bin/sh) and doing some ls/cat to find what "breaks" the
authorization.
Post by Milan Petrovic
At some point in the past I see I have commented out the ldap
configuration from the imapd.conf, not sure when and why (both the
base ldap configuration and the addition at the end for the
multidomain setup), but uncommenting it makes the login within
roundcube unsuccessful.
Your users might be stored in cyrus instead of LDAP. In that case,
it's normal that you can't log in via LDAP, because all your setup might
depend on IMAP authentication.
Post by Milan Petrovic
Please help.
Thanks, Milan
Milan Petrovic
2018-08-01 10:22:28 UTC
That DID the trick!!

Lasse, THANKS A LOT!

Haven't slept almost two days, desperately trying to fix this.

You have no idea how you made me happy now!

Man! I would have never tried this myself... Thanks A LOT!
Post by Lasse Wiedemann
It is the permission of the folder /etc/letsencrypt/archive/, so try
sudo chmod 755 /etc/letsencrypt/archive/
Post by Milan Petrovic
Nope, won't do the trick...
$ sudo ls -la /etc/letsencrypt/archive
total 16
drwxr-x--- 4 root root 4096 Feb 13 2017 .
drwxr-xr-x 9 root root 4096 Jun 4 18:42 ..
drwxr-xr-x 2 root ssl-cert 4096 May 28 16:51 my_domain
drwxr-xr-x 2 root root 4096 May 28 16:51 my_other_domain
$ sudo chmod 755 /etc/letsencrypt/archive/my_domain/
$ sudo ls -la /etc/letsencrypt/archive
total 16
drwxr-x--- 4 root root 4096 Feb 13 2017 .
drwxr-xr-x 9 root root 4096 Jun 4 18:42 ..
drwxr-xr-x 2 root ssl-cert 4096 May 28 16:51 my_domain
drwxr-xr-x 2 root root 4096 May 28 16:51 my_other_domain
$ sudo -u cyrus cat /etc/letsencrypt/archive/my_domain/cert6.pem
cat: /etc/letsencrypt/archive/my_domain/cert6.pem: Permission denied
$
Post by Lasse Wiedemann
Hej,
maybe the problem is the permissions of /etc/letsencrypt/archive; there
only root has the right to read
(> drwxr-x--- 4 root root 4096 Feb 13 2017 ..)
I changed it to 755.
Lasse
Post by Milan Petrovic
Seems like the access rights are the ones causing the problem...
I have pointed to the certs in the ../archive/ folder, as I've read
somewhere they have to have 640 access rights. The certs in /live/ are
publicly available.
The issue seems to be that the 'cyrus' user cannot read the certs in any
folder. When I do "sudo -u cyrus cat ..." I get the 'permission
denied' error, even after adding the cyrus user to the ssl-cert group or
even after I made the cyrus user and root group the owners of the cert
file.
$ sudo ls -la /etc/letsencrypt/archive/my_domain/
total 104
drwxr-xr-x 2 root root 4096 May 28 16:51 .
drwxr-x--- 4 root root 4096 Feb 13 2017 ..
-rw-r--r-- 1 root root 1830 Feb 13 2017 cert1.pem
-rw-r--r-- 1 root root 1830 Jun 5 2017 cert2.pem
-rw-r--r-- 1 root root 1830 Sep 13 2017 cert3.pem
-rw-r--r-- 1 root root 1830 Dec 19 2017 cert4.pem
-rw-r--r-- 1 root root 1830 Feb 27 15:12 cert5.pem
-rw-r----- 1 root ssl-cert 2187 May 28 16:51 cert6.pem
-rw-r--r-- 1 root root 1647 Feb 13 2017 chain1.pem
-rw-r--r-- 1 root root 1647 Jun 5 2017 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 13 2017 chain3.pem
-rw-r--r-- 1 root root 1647 Dec 19 2017 chain4.pem
-rw-r--r-- 1 root root 1647 Feb 27 15:12 chain5.pem
-rw-r----- 1 root ssl-cert 1647 May 28 16:51 chain6.pem
-rw-r--r-- 1 root root 3477 Feb 13 2017 fullchain1.pem
-rw-r--r-- 1 root root 3477 Jun 5 2017 fullchain2.pem
-rw-r--r-- 1 root root 3477 Sep 13 2017 fullchain3.pem
-rw-r--r-- 1 root root 3477 Dec 19 2017 fullchain4.pem
-rw-r--r-- 1 root root 3477 Feb 27 15:12 fullchain5.pem
-rw-r----- 1 root ssl-cert 3834 May 28 16:51 fullchain6.pem
-rw-r--r-- 1 root root 1704 Feb 13 2017 privkey1.pem
-rw-r--r-- 1 root root 1704 Jun 5 2017 privkey2.pem
-rw-r--r-- 1 root root 1708 Sep 13 2017 privkey3.pem
-rw-r--r-- 1 root root 1708 Dec 19 2017 privkey4.pem
-rw-r--r-- 1 root root 1704 Feb 27 15:12 privkey5.pem
-rw-r----- 1 root ssl-cert 1708 May 28 16:51 privkey6.pem
$ groups cyrus
cyrus : mail sasl ssl-cert
$ sudo -u cyrus cat /etc/letsencrypt/archive/my_domain/cert6.pem
cat: /etc/letsencrypt/archive/my_domainm/cert6.pem: Permission denied
$
The certs are valid, btw, recently renewed, maybe a month ago.
Post by b***@free.fr
Hi,
Post by Milan Petrovic
Hi all,
I'm running a multidomain Kolab setup on Ubuntu, with Nginx.
I'm trying to make cyrus-imap use the Letsencrypt certificates
without any success (the certs are working fine on the Nginx part,
also working fine for Active-sync connections).
The certificates are stored in /etc/letsencrypt/archive/my_domain/,
chmoded to 640, owned by root (I have tried to have them owned by a
group 'mail' or 'ssl-cert', nothing happens).
Whenever I point the "tls_client_ca_file", "tls_server_cert" and
"tls_server_key" of imapd.conf to letsencrypt certs, I get in the logs
Aug 1 02:10:50 collab imaps[28524]: unable to get certificate from
'/etc/letsencrypt/archive/my_domain/cert6.pem'
Aug 1 02:10:50 collab imaps[28524]: TLS server engine: cannot load
server cert/key data.
Aug 1 02:10:50 collab imaps[28524]: error initializing TLS
Aug 1 02:10:50 collab imaps[28524]: Fatal error: tls_init() failed
I do it too.
- cyrus
- postfix
And give the group at least "read" (+r) rights on your certificates.
Note that folders sort of inherit the permissions from upper
folders: they have to be readable (+r) and traversable (+x) by your group
too.
You may debug it simply by switching to those users (like: su - cyrus
--shell=/bin/sh) and doing some ls/cat to find what "breaks" the
authorization.
Post by Milan Petrovic
At some point in the past I see I have commented out the ldap
configuration from the imapd.conf, not sure when and why (both the
base ldap configuration and the addition at the end for the
multidomain setup), but uncommenting it makes the login within
roundcube unsuccessful.
Your users might be stored in cyrus instead of LDAP. In that case,
it's normal that you can't log in via LDAP, because all your setup might
depend on IMAP authentication.
Post by Milan Petrovic
Please help.
Thanks, Milan
Lasse Wiedemann
2018-08-01 10:03:57 UTC
Hej,

maybe the problem is the permissions of /etc/letsencrypt/archive; there
only root has the right to read
(> drwxr-x--- 4 root root 4096 Feb 13 2017 ..)

I changed it to 755.

Lasse
Post by Milan Petrovic
Seems like the access rights are the ones causing the problem...
I have pointed to the certs in the ../archive/ folder, as I've read
somewhere they have to have 640 access rights. The certs in /live/ are
publicly available.
The issue seems to be that the 'cyrus' user cannot read the certs in any
folder. When I do "sudo -u cyrus cat ..." I get the 'permission
denied' error, even after adding the cyrus user to the ssl-cert group or
even after I made the cyrus user and root group the owners of the cert
file.
$ sudo ls -la /etc/letsencrypt/archive/my_domain/
total 104
drwxr-xr-x 2 root root 4096 May 28 16:51 .
drwxr-x--- 4 root root 4096 Feb 13 2017 ..
-rw-r--r-- 1 root root 1830 Feb 13 2017 cert1.pem
-rw-r--r-- 1 root root 1830 Jun 5 2017 cert2.pem
-rw-r--r-- 1 root root 1830 Sep 13 2017 cert3.pem
-rw-r--r-- 1 root root 1830 Dec 19 2017 cert4.pem
-rw-r--r-- 1 root root 1830 Feb 27 15:12 cert5.pem
-rw-r----- 1 root ssl-cert 2187 May 28 16:51 cert6.pem
-rw-r--r-- 1 root root 1647 Feb 13 2017 chain1.pem
-rw-r--r-- 1 root root 1647 Jun 5 2017 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 13 2017 chain3.pem
-rw-r--r-- 1 root root 1647 Dec 19 2017 chain4.pem
-rw-r--r-- 1 root root 1647 Feb 27 15:12 chain5.pem
-rw-r----- 1 root ssl-cert 1647 May 28 16:51 chain6.pem
-rw-r--r-- 1 root root 3477 Feb 13 2017 fullchain1.pem
-rw-r--r-- 1 root root 3477 Jun 5 2017 fullchain2.pem
-rw-r--r-- 1 root root 3477 Sep 13 2017 fullchain3.pem
-rw-r--r-- 1 root root 3477 Dec 19 2017 fullchain4.pem
-rw-r--r-- 1 root root 3477 Feb 27 15:12 fullchain5.pem
-rw-r----- 1 root ssl-cert 3834 May 28 16:51 fullchain6.pem
-rw-r--r-- 1 root root 1704 Feb 13 2017 privkey1.pem
-rw-r--r-- 1 root root 1704 Jun 5 2017 privkey2.pem
-rw-r--r-- 1 root root 1708 Sep 13 2017 privkey3.pem
-rw-r--r-- 1 root root 1708 Dec 19 2017 privkey4.pem
-rw-r--r-- 1 root root 1704 Feb 27 15:12 privkey5.pem
-rw-r----- 1 root ssl-cert 1708 May 28 16:51 privkey6.pem
$ groups cyrus
cyrus : mail sasl ssl-cert
$ sudo -u cyrus cat /etc/letsencrypt/archive/my_domain/cert6.pem
cat: /etc/letsencrypt/archive/my_domainm/cert6.pem: Permission denied
$
The certs are valid, btw, recently renewed, maybe a month ago.
Post by b***@free.fr
Hi,
Post by Milan Petrovic
Hi all,
I'm running a multidomain Kolab setup on Ubuntu, with Nginx.
I'm trying to make cyrus-imap use the Letsencrypt certificates
without any success (the certs are working fine on the Nginx part,
also working fine for Active-sync connections).
The certificates are stored in /etc/letsencrypt/archive/my_domain/,
chmoded to 640, owned by root (I have tried to have them owned by a
group 'mail' or 'ssl-cert', nothing happens).
Whenever I point the "tls_client_ca_file", "tls_server_cert" and
"tls_server_key" of imapd.conf to letsencrypt certs, I get in the logs
Aug 1 02:10:50 collab imaps[28524]: unable to get certificate from
'/etc/letsencrypt/archive/my_domain/cert6.pem'
Aug 1 02:10:50 collab imaps[28524]: TLS server engine: cannot load
server cert/key data.
Aug 1 02:10:50 collab imaps[28524]: error initializing TLS
Aug 1 02:10:50 collab imaps[28524]: Fatal error: tls_init() failed
I do it too.
- cyrus
- postfix
And give the group at least "read" (+r) rights on your certificates.
Note that folders sort of inherit the permissions from upper
folders: they have to be readable (+r) and traversable (+x) by your group
too.
You may debug it simply by switching to those users (like: su - cyrus
--shell=/bin/sh) and doing some ls/cat to find what "breaks" the
authorization.
Post by Milan Petrovic
At some point in the past I see I have commented out the ldap
configuration from the imapd.conf, not sure when and why (both the
base ldap configuration and the addition at the end for the
multidomain setup), but uncommenting it makes the login within
roundcube unsuccessful.
Your users might be stored in cyrus instead of LDAP. In that case,
it's normal that you can't log in via LDAP, because all your setup might
depend on IMAP authentication.
Post by Milan Petrovic
Please help.
Thanks, Milan