Bugzilla – Bug 6410
updating openssl breaks dovecot
Last modified: 2007-04-01 01:05:09 UTC
Dovecot, when using imap over ssl, breaks when openssl is updated. The dovecot error is:

imap-login: Mar 21 22:50:11 Fatal: Can't load certificate file /etc/ssl/certs/imapd.pem: error:02001002:system library:fopen:No such file or directory
dovecot: Mar 21 22:50:11 Error: Login process died too early - shutting down
dovecot: Mar 21 22:50:11 Error: child 1177 (login) returned error 89

To fix this, you need to:

rm /etc/ssl/private/imapd.pem
dovecot-mkcert.sh

I don't know if this is an openssl problem or a dovecot problem, but an openssl update shouldn't really break a running dovecot instance.
IMHO, it would be good if you wrote about this problem to the sm-discuss list. I do not use dovecot, and I see we do not have a mail guru. :-((
An openssl problem?
Would recompiling dovecot have fixed it (did you try)?
I didn't try because it wasn't necessary. The command I give there fixes it; however, the problem is that unless you keep a very close eye on your logs, you don't know that it is broken - it doesn't die just when you next restart it, it dies the next time someone tries to connect to it, most likely a lot sooner.
Several things sometimes break with openssl/gettext/updates. One way to fix that is with TRIGGERS. And I believe someone is working on doing update triggers (for certain sized updates) so that packages aren't always recompiled. If recompiling fixes it, then we could just do a TRIGGER and the problem would automatically be fixed (though during the compilation of dovecot it would be broken); that was my point. However, a comment somewhere would be a good idea, but it's already past that point, isn't it? I mean, everyone's already upgraded the openssl, and I don't think many use dovecot, so any new users won't have this problem. Is there a good way to do this? Perhaps openssl needs extra flags? or dovecot? Hopefully someone on the list has a better idea than I. ;)
I also don't like the idea of recreating the certs; it may be possible that people have 'special' certificate files (I dunno, do people do that?). My suggestion would be to have /etc/ssl/certs/imapd.pem and /etc/ssl/private/imapd.pem auto-created if they don't exist when dovecot is installed, and something put in place so that they don't get touched by anything other than dovecot being uninstalled. I'm not sure that the problem has gone away, as it may happen whenever openssl is upgraded. I don't -think- recompiling dovecot will fix it, as I seem to recall that it doesn't auto-run the mkcert script.
When openssl updated I didn't have to touch my SSL certs that Apache2/IMAP use, so that's why I thought it was a dovecot bug. ;)
Hmm, OK. Do they use the same cert files?
Different cert files.
What's with this bug then: FIXED, INVALID, etc.?
Resolve bug as invalid. Any protests?
No longer affects me, as I now have dovecot and apache sharing a 'real' SSL cert.
closing fixed bugs
reassign to sm-grimoire-bugs
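
The thread notes that the breakage goes unnoticed until a client connects. The following is an added example, not part of the original report or of dovecot: a pre-flight check to run after an openssl update that confirms the certificate and key still load and belong together, plus a log scan for the Fatal line quoted above. The function names and return codes are assumptions of this example, and it needs an openssl CLI that provides the pkey subcommand.

```shell
#!/bin/sh
# Added example: verify a PEM certificate/key pair before the login process
# needs it. Return codes are this example's own convention:
#   0 pair loads and matches     1 a file is missing or unreadable
#   2 openssl cannot parse it    3 key does not belong to the certificate

check_tls_pair() {
    cert=$1
    key=$2
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            # Same condition as the fopen "No such file or directory" error
            echo "FAIL: $f missing or unreadable" >&2
            return 1
        fi
    done
    # Extract the public key from each file; a parse failure (or a missing
    # openssl binary) is reported as code 2.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $cert is not a parseable certificate" >&2
        return 2
    }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: $key is not a parseable private key" >&2
        return 2
    }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not belong to $cert" >&2
        return 3
    fi
    echo "OK: $cert and $key load and match"
}

# Read log text on stdin and print each certificate path that the login
# process reported it could not load (message format taken from the report).
failed_cert_paths() {
    sed -n "s/.*Fatal: Can't load certificate file \([^:]*\):.*/\1/p" | sort -u
}

# Stand-alone use: sh check.sh /etc/ssl/certs/imapd.pem /etc/ssl/private/imapd.pem
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```

Run from cron or a post-update hook, a non-zero exit status gives an alert before the first failed login.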