imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: ee key too small
Solution 1
I needed to add the following to my /etc/dovecot/conf.d/10-ssl.conf file:

ssl_dh = </usr/share/dovecot/dh.pem

The dh.pem file did already exist in my case, but YMMV.
Solution 2
None of these solutions worked for me, as the /usr/share/dovecot/dh.pem already existed and was the required 4096 bits.

Turns out the solution was as simple as deleting the /var/lib/dovecot/ssl-parameters.dat file, then restarting dovecot using:

sudo systemctl restart dovecot
Solution 3
The answer to this is that your dh.pem file does not have enough bits.

Ubuntu provides one in /etc/dovecot and /usr/share/dovecot. The latter of the two directories has one with enough bits (4096).

I think (not tested for now) that you can also generate your own dh.pem file with the following command:

openssl dhparam -out dh.pem 4096

Then simply add the line:

ssl_dh=</your/dir/here/dh.pem

to /etc/dovecot/conf.d/10-ssl.conf (including the < character before the /).
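Solution 3 attributes the error to a dh.pem whose prime has too few bits. As an added example that is not from this thread or from the Dovecot project, the standard-library Python below pulls the ssl_dh path out of a 10-ssl.conf snippet and reports the bit length of the prime inside a dh.pem, so the file can be checked before restarting Dovecot; MIN_DH_BITS is an assumed floor and make_sample_pem builds constructed test input, not a real DH group.

```python
import base64
import re

MIN_DH_BITS = 2048  # assumed floor: OpenSSL security level 2 rejects shorter DH primes

def _der_length(data: bytes, pos: int):
    """Decode a DER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def dh_prime_bits(pem: str) -> int:
    """Bit length of the prime in a PEM 'DH PARAMETERS' block (SEQUENCE { prime, generator })."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = _der_length(der, 1)
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER prime")
    length, pos = _der_length(der, pos + 1)
    return int.from_bytes(der[pos:pos + length], "big").bit_length()

def dh_file_ok(pem: str) -> bool:
    return dh_prime_bits(pem) >= MIN_DH_BITS  # would this dh.pem pass the size floor?

def ssl_dh_path(conf_text: str):
    """Path from an 'ssl_dh = </path' line in 10-ssl.conf; the leading '<' tells
    Dovecot to read the value from that file. Returns None when unset/commented."""
    m = re.search(r"^\s*ssl_dh\s*=\s*<\s*(\S+)", conf_text, re.M)
    return m.group(1) if m else None

def _der_len(n: int) -> bytes:
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return lb if n < 0x80 else bytes([0x80 | len(lb)]) + lb

def make_sample_pem(bits: int) -> str:
    """Constructed test input: DH PARAMETERS PEM with a placeholder 'prime' of the given size."""
    pb = ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")
    if pb[0] & 0x80:
        pb = b"\x00" + pb  # DER INTEGER must stay positive
    body = b"\x02" + _der_len(len(pb)) + pb + b"\x02\x01\x02"  # prime, then generator 2
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))
```

On a real server, read the file named by ssl_dh_path(open("/etc/dovecot/conf.d/10-ssl.conf").read()) and pass its text to dh_file_ok.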
Andrew DeFaria
Updated on September 18, 2022

Comments
-
Andrew DeFaria over 1 year
Upgraded my server to 20.04. Now I can't get IMAP working through dovecot. I get:
Aug 1 23:25:53 defaria dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small: user=<>, rip=184.182.63.133, lip=208.113.131.137, session=<iKgXGN+rCIC4tj+F>
I found many solutions to this problem but none seem to work. I've generated and re-generated server keys, signing certificates, and the like and configured dovecot to look at them yet all I get is this cryptic error message. I had this all configured nicely before and just updating from 18.04 -> 20.04 broke this.
How can I fix this? Step by step... How am I supposed to generate a cert and a key and properly configure them into dovecot so that imap works again?
Funny thing is I can drive a session through telnet to imap and I can log in and access messages. But when I try to do the same with my mail client (thunderbird) I get the above error written to /var/log/mail.log
-
Andrew DeFaria almost 4 years
None of that seems to work. The first one seems to be about sending mail using python. That's not what I'm doing. The second one doesn't change the error message. I set ssl_cipher_list as you instructed, same error. Note in 10-ssl.conf they set ssl_key to </etc/dovecot/private/dovecot.key. That file doesn't exist. There is an /etc/ssl/private/dovecot.key but that doesn't change the error. Note I can use telnet to talk to and log into my IMAP server. No problems. I can fetch email in my INBOX. And I can locally deliver myself email. But when I get new email with TB it errs.
-
Mark almost 4 years
stackoverflow.com/questions/14959461/… Worth running through this to give you a better idea of error messages to ascertain what exactly is going wrong.
-
Andrew DeFaria almost 4 years
But nothing is going wrong when I connect to my IMAP server using either telnet or openssl from the terminal. From thunderbird, however, I do not get any new messages and I see that error message in both mail.err and mail.log. I think my problem may be more about doc.dovecot.org/admin_manual/submission_server
-
Eddi over 2 years
The manual also states to delete ssl-parameters.dat since it is a leftover from a previous version; ssl_dh is not needed anymore in newer versions: doc.dovecot.org/configuration_manual/quick_configuration/…
-
Sander Steffann about 2 years
Thanks for pointing this out! Also for the link to the docs Eddi!