imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: ee key too small


Solution 1

I needed to add the following to my /etc/dovecot/conf.d/10-ssl.conf file:

ssl_dh = </usr/share/dovecot/dh.pem

The dh.pem file did already exist in my case, but YMMV.

Solution 2

None of these solutions worked for me, as the /usr/share/dovecot/dh.pem already existed and was the required 4096 bit.

Turns out the solution was as simple as deleting the /var/lib/dovecot/ssl-parameters.dat file, then restarting dovecot using:

sudo systemctl restart dovecot

Solution 3

The answer to this is that your dh.pem file does not have enough bits.

Ubuntu provides one in /etc/dovecot and /usr/share/dovecot. The latter of the two directories has one of enough bits (4096).

I think (not tested for now) that you can also generate your own dh.pem file with the following command:

openssl dhparam -out dh.pem 4096

Then simply add the line:

ssl_dh=</your/dir/here/dh.pem

To /etc/dovecot/conf.d/10-ssl.conf (including the < character before the /)
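A check for the two things the answers above revolve around: which file `ssl_dh` points at in 10-ssl.conf (the leading `<` tells Dovecot to read the value from that file), and whether the prime in that dh.pem is long enough. This is an added example, not code from the question or any of the answers. It assumes the PKCS#3 layout of `DH PARAMETERS` (SEQUENCE of INTEGER p, INTEGER g) and a 2048-bit floor as the assumed threshold; the answers above use 4096. The config excerpt and the two PEM blobs are constructed inside the block and their moduli are not real primes.

```python
import base64
import re
import sys

# Constructed excerpt of a Dovecot 10-ssl.conf. The leading '<' on a value tells
# Dovecot to read the setting from the named file rather than use the text inline.
SAMPLE_CONF = """\
# constructed 10-ssl.conf excerpt
ssl = required
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key
ssl_dh = </usr/share/dovecot/dh.pem
"""


def ssl_dh_path(conf_text):
    """Return the file that ssl_dh points at (the '<' marker stripped),
    or None when the setting is absent or not given as a file reference."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"ssl_dh\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip()
            return value[1:].strip() if value.startswith("<") else None
    return None


def _der_len(n):
    """DER length encoding (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb


def _read_der_len(der, i):
    """Decode a DER length at offset i; return (length, offset of content)."""
    first = der[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n


def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' block.
    PKCS#3 DHParameter is SEQUENCE { INTEGER p, INTEGER g, ... }, so p is the
    first INTEGER inside the outer SEQUENCE."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _read_der_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, i = _read_der_len(der, i + 1)
    # A leading 0x00 pad byte (present when the top bit is set) does not change the value.
    return int.from_bytes(der[i:i + plen], "big").bit_length()


def check_dh_pem(pem_text, minimum_bits=2048):
    """Return (bits, ok): ok is False when p is shorter than minimum_bits."""
    bits = dh_prime_bits(pem_text)
    return bits, bits >= minimum_bits


def make_dh_pem(p, g=2):
    """Encode (p, g) as a PEM DH PARAMETERS block. Only for building the constructed
    samples below: p is not tested for primality, so never deploy this output."""
    def der_int(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        if b[0] & 0x80:
            b = b"\x00" + b  # keep the INTEGER positive
        return b"\x02" + _der_len(len(b)) + b
    body = der_int(p) + der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[k:k + 64] for k in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


# Constructed samples: a 4096-bit and a 1024-bit modulus (not real primes).
STRONG_DH_PEM = make_dh_pem(2 ** 4095 + 1)
WEAK_DH_PEM = make_dh_pem(2 ** 1023 + 1)

if __name__ == "__main__":
    # Usage: python check_dh.py /etc/dovecot/conf.d/10-ssl.conf
    conf = open(sys.argv[1]).read()
    path = ssl_dh_path(conf)
    if path is None:
        print("no 'ssl_dh = <file' setting found")
        sys.exit(1)
    bits, ok = check_dh_pem(open(path).read())
    print(f"{path}: {bits}-bit DH prime -> {'ok' if ok else 'too small'}")
    sys.exit(0 if ok else 1)
```

Run it against the real 10-ssl.conf to see which dh.pem Dovecot is actually reading and how long its prime is; a file under /etc/dovecot that reports 1024 bits is the situation the answers describe, and the one under /usr/share/dovecot should report 4096.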

Author: Andrew DeFaria (updated on September 18, 2022)

Comments

  • Andrew DeFaria, over 1 year ago

    Upgraded my server to 20.04. Now I can't get IMAP working through dovecot. I get:

    Aug  1 23:25:53 defaria dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small: user=<>, rip=184.182.63.133, lip=208.113.131.137, session=<iKgXGN+rCIC4tj+F>

    I found many solutions to this problem but none seem to work. I've generated and re-generated server keys, signing certificates, and the like and configured dovecot to look at them yet all I get is this cryptic error message. I had this all configured nicely before and just updating from 18.04 -> 20.04 broke this.

    How can I fix this? Step by step... How am I supposed to generate a cert and a key and properly configure them in dovecot so that imap works again?

    Funny thing is I can drive a session through telnet to imap and I can log in and access messages. But when I try to do the same with my mail client (Thunderbird) I get the above error written to /var/log/mail.log

  • Andrew DeFaria, almost 4 years ago
    None of that seems to work. The first one seems to be about sending mail using python. That's not what I'm doing. The second one doesn't change the error message. I set ssl_cipher_list as you instructed, same error. Note in 10-ssl.conf they set ssl_key to </etc/dovecot/private/dovecot.key. That file doesn't exist. There is an /etc/ssl/private/dovecot.key but that doesn't change the error. Note I can use telnet to talk to and log into my IMAP server. No problems. I can fetch email in my INBOX. And I can locally deliver myself email. But when I get new email with TB it errs.
  • Mark, almost 4 years ago
    stackoverflow.com/questions/14959461/… worth running through this to give you a better idea of error messages to ascertain what exactly is going wrong
  • Andrew DeFaria, almost 4 years ago
    But nothing is going wrong when I connect to my IMAP server using either telnet or openssl from the terminal. From thunderbird, however, I do not get any new messages and I see that error message in both mail.err and mail.log. I think my problem may be more about doc.dovecot.org/admin_manual/submission_server
  • Eddi, over 2 years ago
    The manual also states to delete ssl-parameters.dat, since it is a leftover from a previous version; ssl_dh is not needed anymore in newer versions: doc.dovecot.org/configuration_manual/quick_configuration/…
  • Sander Steffann, about 2 years ago
    Thanks for pointing this out! Also for the link to the docs Eddi!