Dovecot/Postfix Mail Server Won't Allow Login

devinmcelheran · 03-09-2014, 08:57 PM

This is the error I get in my log (/var/log/mail.log) every time I try to connect with a client. I've followed the certificate generation as per the tutorial here:

https://www.digitalocean.com/communi...r-with-dovecot

Everything seems to be working fine apart from being able to establish a connection due to the certificate issues. I don't have any experience dealing with certificates, can anyone help me?

Code:

Mar  9 21:09:29 atlas dovecot: imap-login: Fatal: Can't load private ssl_key: Key is for a different cert than ssl_cert
Mar  9 21:09:29 atlas dovecot: master: Error: service(imap-login): command startup failed, throttling for 60 secs

descendant_command · 03-10-2014, 02:03 PM

Quote:

Originally Posted by devinmcelheran

Code:

Key is for a different cert than ssl_cert

That seems fairly clear.

If you're sure you followed the instructions correctly, then try some different instructions.

devinmcelheran · 03-11-2014, 07:20 PM

These are the commands I used. The second points to the mail.key file. Does it look right?

Code:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/mail.key -out /etc/ssl/certs/mailcert.pem

sudo openssl req -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/mail.key -out mailcert.csr

Berhanie · 03-11-2014, 09:02 PM

both are right, but you need to choose one. the first generates a self-signed certificate (and a key). the second generates a certificate signing request (and a key).

if you ran both commands, then the key generated with the second command overwrote the first one.

if you're just experimenting, generate a self-signed certificate.

devinmcelheran · 03-12-2014, 05:35 PM

How would I go about generating a certificate or obtaining one from a CA and generating a key from that? In school we very loosely covered key and certificates, and even then it was all automated in Exchange.

Berhanie · 03-12-2014, 08:39 PM

the first command in your post #3 (above) generates a key and a self-signed certificate. the key is saved in /etc/ssl/private/mail.key, and the certificate in /etc/ssl/certs/mailcert.pem. that should be enough to test your services.

if you need a certificate signed by a reputable CA, you'd need to run the second command in that post, instead. that would generate a key and CSR. you'd then submit the CSR (not the key), along with a fee, to the CA for signing.

quick review: the "key" mentioned above is your private key, which you don't divulge to anyone. the "certificate" is your public key together with a "signature" from a CA attesting to your identity (i.e. attesting that the public key belongs to the you).

in the case of a self-signed certificate, you use your own private key to "sign" the certificate.