0017341  CentOS-8  dovecot  public  2020-06-25 18:53
Status: new    Resolution: open
Product Version: 8.1.1911
Target Version:    Fixed in Version:
Summary: 0017341: dovecot missing dh.pem for ssl communication
Description: When updating dovecot, my SSL configuration stopped working because the ssl_dh parameter was missing in /etc/dovecot/conf.d/10-ssl.conf.
I had to generate dh.pem and add it to 10-ssl.conf myself.
Steps To Reproduce: Dovecot with SSL enabled.
Upgrade from dovecot.x86_64 1:2.2.36-10.el8 to dovecot.x86_64 1:2.3.8-2.el8
SSL no longer works with the following message:
config: Warning: please set ssl_dh=</etc/dovecot/dh.pem
config: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small
2020-06-17 11:05  reporter  ~0037138

Update has broken Dovecot config, it's possible you don't have dh.pem and only fullchain.pem / privkey.pem (Let's Encrypt).
Problem seen in CentOS 8

-- FIX --

[dovecot]# openssl dhparam -out /etc/dovecot/dh.pem 4096   # dhparam has no -days option; DH parameters do not expire
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time.........

-- CONFIG --

sudo nano /etc/dovecot/conf.d/10-ssl.conf

------------------------------------ EXAMPLE -----------------------------------

ssl = yes
ssl = required

ssl_cert = </etc/letsencrypt/live/
ssl_key = </etc/letsencrypt/live/
ssl_dh = </etc/dovecot/dh.pem

------------------------------------ EXAMPLE -----------------------------------

Remember to restart dovecot:
# systemctl restart dovecot
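As an added check that is not part of the bug report or of the Dovecot project, the POSIX shell script below audits a 10-ssl.conf for the ssl_dh setting that the warning above asks for. It resolves the effective value the way Dovecot does (the last assignment wins, so `ssl = yes` followed by `ssl = required` means required), confirms that ssl_dh points at an existing PEM file with a DH PARAMETERS block, and reads the modulus size with openssl when that binary is available. All paths, the sample "before upgrade" and "after fix" configs it writes under a temporary directory, and the dh.pem it creates are constructed for the example; that dh.pem is a framing-only placeholder, so the size check reports unknown for it.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a Dovecot 10-ssl.conf for the
# ssl_dh setting that Dovecot 2.3 requires and sanity-check the file it names.

# Print the effective value of a setting. Dovecot applies the last assignment
# in the file, so "ssl = yes" followed by "ssl = required" resolves to "required".
# Commented-out defaults such as "#ssl_dh = </etc/dovecot/dh.pem" do not match.
dovecot_conf_get() {
    # $1 = config file, $2 = setting name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Classify the ssl_dh setting of a config file. Prints one word:
#   missing - no active ssl_dh line (the state the bug report describes)
#   inline  - value is not a "<path" file reference
#   nofile  - referenced file does not exist or is empty
#   notdh   - file exists but carries no DH PARAMETERS block
#   ok      - file reference present and the file looks like DH parameters
# Returns 0 only for "ok".
check_ssl_dh() {
    conf=$1
    value=$(dovecot_conf_get "$conf" ssl_dh)
    case "$value" in
        "")   echo missing; return 1 ;;
        "<"*) path=${value#<} ;;
        *)    echo inline; return 1 ;;
    esac
    if [ ! -s "$path" ]; then
        echo nofile; return 1
    fi
    if ! grep -q '^-----BEGIN DH PARAMETERS-----' "$path"; then
        echo notdh; return 1
    fi
    echo ok
}

# Modulus size in bits of a DH parameter file, read with openssl when it is
# installed; prints nothing when openssl is absent or cannot parse the file.
dh_bits() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Constructed sample files (no real host involved) so the checks run offline.
# $1 = directory to write into.
make_samples() {
    dir=$1
    # Typical post-upgrade state: ssl_dh only present as the commented default.
    cat > "$dir/before.conf" <<'EOF'
ssl = yes
ssl_cert = </etc/letsencrypt/live/example/fullchain.pem
ssl_key = </etc/letsencrypt/live/example/privkey.pem
#ssl_dh = </etc/dovecot/dh.pem
EOF
    # Placeholder with PEM framing only; a real file comes from
    # "openssl dhparam -out /etc/dovecot/dh.pem 4096".
    printf -- '-----BEGIN DH PARAMETERS-----\ncGxhY2Vob2xkZXI=\n-----END DH PARAMETERS-----\n' > "$dir/dh.pem"
    # State after applying the fix from the report.
    cat > "$dir/after.conf" <<EOF
ssl = yes
ssl = required
ssl_cert = </etc/letsencrypt/live/example/fullchain.pem
ssl_key = </etc/letsencrypt/live/example/privkey.pem
ssl_dh = <$dir/dh.pem
EOF
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
for f in before after; do
    printf '%s.conf: ssl=%s ssl_dh=%s\n' "$f" \
        "$(dovecot_conf_get "$tmp/$f.conf" ssl)" "$(check_ssl_dh "$tmp/$f.conf")"
done
bits=$(dh_bits "$tmp/dh.pem")
echo "dh.pem modulus bits: ${bits:-unknown (placeholder file or no openssl)}"
rm -rf "$tmp"
```

On a real host, point `check_ssl_dh` at /etc/dovecot/conf.d/10-ssl.conf and `dh_bits` at the file it names; anything under 2048 bits would still trip the "dh key too small" error quoted in the report.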

