Issue
Cyrus + LetsEncrypt
May 3 16:12:52 gateway imaps[28003]: unable to get certificate from '/etc/letsencrypt/live/nutterpc.com/fullchain.pem'
May 3 16:12:52 gateway imaps[28003]: TLS server engine: cannot load cert/key data
May 3 16:12:52 gateway imaps[28003]: error initializing TLS
May 3 16:12:52 gateway imaps[28003]: Fatal error: tls_init() failed
This is after trying to follow the guide from:
https://documentation.clearos.com/content:en_us:kb_howtos_using_letsencrypt_certificates_for_mail
Which I followed; I had email flowing nicely before, but just not using the Letsencrypt certificates. Which shouldn't be too hard, right? There's a guide for it on their site, that should work.
How wrong I was. Now I can still *receive* emails (via Postfix) but when it comes to connecting to the server to retrieve said emails (Cyrus-IMAP), that's where the issue is. And no matter how HARD I try, I seem to come full circle with that error.
Tried all the permission combos I've been able to research (Forums/Sites/ClearOS Portal), but the cyrus-imap daemon has officially thrown its toys out of the cot.
I'm running out of ideas guys. Any hints?
Responses (10)
Accepted Answer
It might seem strange, but I've found a potential issue with why this error occurs in the certificates
I've gotten the exact same issue. Drove me NUTS. Couldn't find a workaround.
Till I managed to locate this particular bugtracker post:
https://tracker.clearos.com/view.php?id=2301
As I was getting NO luck getting the LE certificates to work, I figured I'd try something else.
Went back to the default cyrus-imap.pem certificates, BAM, IMAP server wakes up and emails flow again.
Tried going *back* to the letsencrypt certificates, made sure to reset ALL the permissions for both the LE certificates & the cyrus-imap one to root:mail & 640 permissions.
Try again.
No bueno. Still no dice.
So what on earth is it inside those certificates that's causing this? I've got a hunch that it's missing data inside the pem files, and here's why:
privkey.pem
----------------------------------
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
---------------------------------------
cyrus-imapd.pem
---------------------------------------
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
**PS: I'm not using the above certificates atm so I'm not bothered**
When Cyrus is set to grab the TLS data it needs from privkey, it's not seeing the data it seems to need to function, hence causing the error I've been experiencing with being unable to retrieve data.
You change the certificate it uses to the cyrus-imapd one, and restart both postfix & cyrus. BAM, IMAP server works.
Swap back to the LE generated ones, it nosedives again.
Now since following the bugtracker post and using the inbuilt ones generated by the server, Cyrus has *ZERO* issues with the certificate & its structure, accepted it and emails flow again.
Until such time as Letsencrypt either fix their certificates OR cyrus-imap is updated to allow these certificates to be used, I would *NOT* recommend anyone try to use the LE certificates with Cyrus, it's just too much headache.
Accepted Answer
Nick Howitt wrote:
My certificate renewed itself on the 1st and I use it for Cyrus so I suspect a set up issue somewhere. What do you get from:
id cyrus
grep ^tls /etc/imapd.conf
ls -ltr /etc/letsencrypt/archive/nutterpc.com | tail -n 4
[root@gateway postfix]# id cyrus
uid=76(cyrus) gid=12(mail) groups=12(mail),76(saslauth),993(ssl-cert)
[root@gateway postfix]# grep ^tls /etc/imapd.conf
tls_cipher_list: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_prefer_server_ciphers: 1
tls_versions: tls1_0 tls1_1 tls1_2
tls_cert_file: /etc/pki/cyrus-imapd/sys-0-cert.pem
tls_key_file: /etc/pki/cyrus-imapd/sys-0-key.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
[root@gateway postfix]# ls -ltr /etc/letsencrypt/archive/nutterpc.com | tail -n 4
-rw-r----- 1 root mail 1704 May 2 18:14 privkey1.pem
-rw-r----- 1 root mail 1647 May 2 18:14 chain1.pem
-rw-r----- 1 root mail 1980 May 2 18:14 cert1.pem
-rw-r----- 1 root mail 3627 May 2 18:14 fullchain1.pem
I'm kind of reluctant to go back to trying again with the LE certificates yet, because of the headache I went through tracking down WHY it stopped working.
Accepted Answer
So you've undone your setup in imapd.conf, so I don't know if you had anything wrong there.
Your Let's Encrypt permissions are wrong. The key should be root:ssl-cert 0640 and the rest should be root:root 0644.
Also check you set the permissions correctly on /etc/letsencrypt/live and /etc/letsencrypt/archive.
Did you by any chance miss the basic/common set up of the certificates at the top of the Howto?
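The permission list in the reply above (key root:ssl-cert 0640, the other files root:root 0644, plus the /etc/letsencrypt/live and /etc/letsencrypt/archive directories) and the earlier question about what privkey.pem does or does not contain can both be checked mechanically. The script below is an added example written for this thread, not part of the ClearOS Howto, ClearOS or Cyrus; it assumes GNU coreutils `stat` and the `openssl` command-line tool, and the domain path follows the one quoted in the thread. Note that with separate `tls_cert_file` and `tls_key_file` settings, as in the `grep ^tls` output above, Cyrus expects a key-only file and a separate certificate file, so a privkey.pem holding nothing but the private key is the normal layout; what has to hold is that the key matches the first (leaf) certificate in fullchain.pem and that the cyrus user can reach and read both files.

```shell
#!/bin/sh
# Added audit helper for the Let's Encrypt + Cyrus setup discussed in this thread.
# Not from the ClearOS Howto or Cyrus. Assumes GNU coreutils stat and openssl.

# check_perm FILE OWNER GROUP MODE
# Returns 0 when FILE exists and has exactly OWNER:GROUP and octal MODE (640 or 0640 both work).
# stat -L follows symlinks: everything in /etc/letsencrypt/live/<domain>/ is a symlink into
# ../../archive/<domain>/, and it is the target's owner and mode that decide access.
check_perm() {
  file=$1
  want="$2 $3 ${4#0}"
  if [ ! -e "$file" ]; then
    echo "MISSING $file"
    return 1
  fi
  actual=$(stat -L -c '%U %G %a' "$file") || return 1
  if [ "$actual" = "$want" ]; then
    echo "OK      $file ($actual)"
    return 0
  fi
  echo "WRONG   $file is '$actual', want '$want'"
  return 1
}

# check_keypair CERT KEY
# Returns 0 when the public key inside the first certificate of CERT equals the public key
# derived from KEY. A pair that does not match, or a file that does not parse, is one way to
# end up with "cannot load cert/key data" in the Cyrus log.
check_keypair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || {
    echo "CANNOT PARSE certificate $1"; return 1; }
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || {
    echo "CANNOT PARSE private key $2"; return 1; }
  if [ "$cert_pub" = "$key_pub" ]; then
    echo "OK      $1 matches $2"
    return 0
  fi
  echo "WRONG   $1 does not match $2"
  return 1
}

# audit_letsencrypt DOMAIN
# Expected values taken from the reply above: key root:ssl-cert 0640 (the id output shows cyrus
# is in the ssl-cert group), everything else root:root 0644. The directory listing is printed for
# comparison with the Howto, because a parent directory the cyrus user cannot traverse blocks
# access even when every file mode is right.
audit_letsencrypt() {
  live=/etc/letsencrypt/live/$1
  rc=0
  ls -ld /etc/letsencrypt/live /etc/letsencrypt/archive "$live" 2>&1
  check_perm "$live/privkey.pem" root ssl-cert 0640 || rc=1
  for f in cert.pem chain.pem fullchain.pem; do
    check_perm "$live/$f" root root 0644 || rc=1
  done
  check_keypair "$live/fullchain.pem" "$live/privkey.pem" || rc=1
  return $rc
}

# Only run the audit when a domain is given, e.g.:  sh le-cyrus-audit.sh nutterpc.com
if [ $# -ge 1 ]; then
  audit_letsencrypt "$1"
fi
```

Run it as root so `stat` can see the archive directory. A WRONG line from `check_perm` on privkey.pem while the `ls -ld` output shows the directories themselves as mode 0700 points at the directory step of the Howto rather than the files; a CANNOT PARSE or mismatch from `check_keypair` points at the files themselves (for example a renewal that updated the key but not the certificate the daemon was pointed at). After any change, restart cyrus-imapd and re-read the log lines quoted at the top of the thread.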
Accepted Answer
Nick Howitt wrote:
So you've undone your setup in imapd.conf, so I don't know if you had anything wrong there.
Your Let's Encrypt permissions are wrong. The key should be root:ssl-cert 0640 and the rest should be root:root 0644.
Also check you set the permissions correctly on /etc/letsencrypt/live and /etc/letsencrypt/archive.
Did you by any chance miss the basic/common set up of the certificates at the top of the Howto?
I followed the guide initially, to the letter. It didn't work for me.
Accepted Answer
Nick Howitt wrote:
Well, until you go back to how it was meant to be set up it will be hard to troubleshoot. It looks like you've done a number of changes from how it was supposed to be set up.
Yeah, I did spend quite a few hours on that exact config you listed on the howto. Went through and checked all the permissions to make sure they were as accurate as I could get.
Spent 2 days and it was driving me nuts lol. If I was to reset it all back to default again, install from scratch, then I could try it again. But atm I'm reluctant to. Maybe if I log an official ticket and get remote help.
Accepted Answer
Nick Howitt wrote:
Gold support generally only covers features available from the Webconfig. Platinum can cover tweaking parameters not available from the webconfig. It may be stretching Platinum to implement Let's Encrypt for e-mail as it is definitely a custom solution.
Yeah, it's particularly odd, followed the directions you'd put on that wiki, to the letter. Then kept getting that error mentioned in the OP. Couldn't work out why. Made sure I looked through the documentation again, and again.
Nope, it just wouldn't work. Emails were being received by Postfix but not delivered (by cyrus-imap). Restored the initial certificates it uses, cyrus immediately delivers the emails to my inbox.
So went back and started looking at the permissions again. Nope, it all matches what was listed. So I had to find a way to resolve it. I didn't particularly want to use the default certificates it installs.
So that's when I came across the bugtracker post, it gave me something to try. And to my surprise, it worked PERFECTLY. So that's when I decided to leave it for now.
When you've spent 2 days trying to get the new server you've just installed running & the backups you'd kept restored, for the backups restoration to continuously fail (I saw your post about the bandwidth engine bug, guess what I was affected by :/)
So in order for me to get the server operational, I had to restore the configs from the backups, line by line.
Yeah, so there's the kind of backstory. I'm ok with the certificate issue thing atm, I can work with that, and even send out the files for authentication via a 3rd party. But my main issue is the emails from the old configuration that I'm trying to restore, they're sitting there on my workstation, as I made sure to do it before I started.
So that's where I'm likely going to log an official ticket soon, get some remote help with the emails restoration. I know it's gonna cost me, I've even explained it to the family & friends that were using my email server.