Dovecot fails to 'initialize SSL server context'

I am configuring a new mail server. Postfix seems to work and is getting configured according to our wishes. Dovecot is more stubborn: for some reason I’m not able to understand, it refuses to “initialize SSL server context”, complaining that it “Can’t load SSL certificate”. I believe I am trying to use the same certificate (and accompanying key), provided in the same files, for Dovecot that I use for https. Dovecot seems to want something different.
I looked at error:14187180. All I found were old posts on errors with the location where certificate and key are kept. I tried a ‘special’ location, but that did not solve the issue.

I posed this issue on the dovecot list and got a reply that suggests an OpenSSL issue:
‘Dovecot 2.3 does not have OpenSSL 3.x support from us, you are using 3rd party patch. Please open bug with Rocky Linux about this.’

I would love to hear from someone who has this (more than once recommended) configuration (below) working.
Hints on what I am/might be missing are of course welcome from all sages.

Jaap

Environment & tests

Server

  • Rocky Linux 9.6 kernel 5.14.0-570.28.1
  • Dovecot 2.3.21.1
  • Openssl 3.2.2
  • Certbot 3.1.0

Httpd (to check certificate)

ssl-config:

  • Include /etc/letsencrypt/options-ssl-apache.conf
  • SSLCertificateFile /etc/letsencrypt/live/radicale.camelopardus.nl/fullchain.pem
  • SSLCertificateKeyFile /etc/letsencrypt/live/radicale.camelopardus.nl/privkey.pem

Command on test-client: openssl s_client -connect radicale.camelopardus.nl:https

reply on client:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = E6
verify return:1
depth=0 CN = radicale.camelopardus.nl
verify return:1

HTTPS is functioning as expected.

Dovecot

conf.d/10-ssl.conf:

  • ssl_cert = </etc/letsencrypt/live/radicale.camelopardus.nl/fullchain.pem
  • ssl_key = </etc/letsencrypt/live/radicale.camelopardus.nl/privkey.pem

command from client:

openssl s_client -connect radicale.camelopardus.nl:imaps

reply on client:

CONNECTED(00000003)
write:errno=104
no peer certificate available

Dovecot is not functioning at all. Not for Thunderbird nor for this test.

The Dovecot log on server:

imap-login: Error: Failed to initialize SSL server context:
Can’t load SSL certificate (ssl_cert setting): error:14187180:
SSL routines:ssl_do_config:bad value: section=system_default, cmd=Groups,
arg=X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192:
user=<>, rip=2a10:3781:5ab:1:ff51:cbd1:4d54:fb7b, lip=2a10:3781:5ab:10::aaf,

Are the file privileges on the certs correct for dovecot?

Any SELinux errors?
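The following POSIX shell helper is an added example, not code from the thread or from the Dovecot project. It covers the three things a reader of this thread would want to check on the server: it pulls the `section=`, `cmd=` and `arg=` fields out of the `ssl_do_config:bad value` message in the Dovecot log (these name the OpenSSL configuration section and command that was rejected, so they can be compared with what the installed OpenSSL build accepts), it confirms that the certificate and key files belong together by comparing the public keys, and it reports ownership, mode and SELinux context of the files (following the `live/` symlinks) to answer the two follow-up questions. The certificate and key paths are parameters; the sample log line is the one from the post, joined onto one line.

```sh
#!/bin/sh
# Added diagnostic helper (not part of the forum thread). Assumes a POSIX
# shell and the openssl CLI; certificate/key paths are given as arguments.

# Sample taken from the Dovecot log in the post, joined onto one line.
SAMPLE_LOG='imap-login: Error: Failed to initialize SSL server context: Can'"'"'t load SSL certificate (ssl_cert setting): error:14187180: SSL routines:ssl_do_config:bad value: section=system_default, cmd=Groups, arg=X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192: user=<>, rip=2a10:3781:5ab:1:ff51:cbd1:4d54:fb7b, lip=2a10:3781:5ab:10::aaf,'

# Extract section, cmd and arg from an OpenSSL "ssl_do_config:bad value"
# message. Prints three lines: section=..., cmd=..., arg=...
ssl_config_error_fields() {
    line="$1"
    rest=${line#*bad value: }               # keep only the key=value part
    section=${rest#section=}; section=${section%%,*}
    cmd=${rest#*cmd=};        cmd=${cmd%%,*}
    arg=${rest#*arg=};        arg=${arg%% *} # the arg has no spaces
    arg=${arg%:}                             # drop Dovecot's ": user=<>" separator
    printf 'section=%s\ncmd=%s\narg=%s\n' "$section" "$cmd" "$arg"
}

# Print a colon-separated OpenSSL group list one name per line, so each
# name can be checked against the groups the local build supports.
list_groups() {
    printf '%s\n' "$1" | tr ':' '\n'
}

# Return 0 if the certificate's public key matches the private key,
# 1 on mismatch, 2 if either file cannot be read or parsed.
cert_key_match() {
    cert="$1"; key="$2"
    [ -r "$cert" ] && [ -r "$key" ] || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Show owner, mode and (when SELinux is present) the security context of
# each file, dereferencing the Let's Encrypt live/ symlinks.
cert_perm_report() {
    for f in "$@"; do
        ls -lL "$f"
        if command -v getenforce >/dev/null 2>&1; then
            ls -LZ "$f"
        fi
    done
}

# Usage: sh ssl-check.sh /etc/letsencrypt/live/<host>/fullchain.pem \
#                        /etc/letsencrypt/live/<host>/privkey.pem
# With no arguments, only the sample log line is parsed.
if [ $# -eq 2 ]; then
    cert_perm_report "$1" "$2"
    if cert_key_match "$1" "$2"; then
        echo "certificate and key match"
    else
        echo "certificate and key do NOT match (or could not be read)"
    fi
else
    ssl_config_error_fields "$SAMPLE_LOG"
fi
```

For the SELinux question, `ausearch -m avc -ts recent` on the server lists any recent AVC denials; if the certificate and key match and are readable, the rejected `Groups` value points at the OpenSSL configuration rather than at the files themselves, which is consistent with the reply from the Dovecot list.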
