Dovecot no longer creates dovecot.pem file

Bug #1657939 reported by Bob Diego
This bug affects 1 person
Affects: Ubuntu Server Guide
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Dovecot does not generate the dovecot.pem files as referenced in the Ubuntu guide:

ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem

At least it didn't when I installed it with Ubuntu 16.04 as of Jan 19, 2017. I found references in other forums to this change, but can't find those links just now, or reference on the Dovecot site.

Nonetheless, these files can be generated manually using the following command:

sudo openssl req -new -x509 -days 1000 -nodes -out "/etc/dovecot/dovecot.pem" -keyout "/etc/dovecot/private/dovecot.pem"

This command was based on the tip from this site:
https://paulschreiber.com/blog/2008/08/01/how-to-create-a-self-signed-ssl-certificate-for-dovecot-on-debian/

If someone could verify and update the docs, that would be helpful - this took me quite some time to work around, and this command fixes the deficiency.

Gunnar Hjalmarsson (gunnarhj) wrote :

I just looked at <https://help.ubuntu.com/lts/serverguide/dovecot-server.html>, but can't see that it claims that Dovecot creates the certificates. Rather it provides the "Certificates" link to a page where certificate creation is explained.

What did I miss?

Changed in serverguide:
status: New → Incomplete
Bob Diego (bobdiego) wrote :

Gunnar, it references the Ubuntu guide for creating self-signed certificates:

https://help.ubuntu.com/lts/serverguide/certificates-and-security.html

which itself generates pem certificates in steps 4 and 5:

> 4. Next, create the self-signed root certificate:
>
> openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
> You will then be asked to enter the details about the certificate.
>
> 5. Now install the root certificate and key:
>
> sudo mv cakey.pem /etc/ssl/private/
> sudo mv cacert.pem /etc/ssl/certs/

Following this guide, you will end up with certificates with different names than the Dovecot configuration references, and when I renamed and moved them, they didn't seem to work.

Maybe the deficiency is more aptly described as Dovecot's, since their site still states it creates these certificates on install, and it does not.

But either way, following the Ubuntu guide in these two pages one will not arrive at a properly configured SASL configuration, so changing the guide to include the suggested command, or otherwise noting the issue, would better help people following along and getting frustrated.
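
A check for the situation discussed in this thread, where a certificate and key are created by hand and then have to be the pair that ssl_cert and ssl_key point to. This is an added example, not part of the bug report or the Ubuntu guide; make_pair, check_pair and the hostname mail.example.test are hypothetical names, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the bug report). make_pair and check_pair are
# hypothetical helper names; mail.example.test is a constructed hostname.

# make_pair CERT KEY: self-signed cert plus unencrypted key, as in the reported
# command, but non-interactive (-subj) and with the key created owner-only.
make_pair() {
    ( umask 077
      openssl req -new -x509 -days 1000 -nodes -newkey rsa:2048 \
          -subj "/CN=mail.example.test" -out "$1" -keyout "$2" 2>/dev/null
    ) && chmod 644 "$1"
}

# check_pair CERT KEY: 0 = usable pair, 1 = file missing or certificate not
# parseable, 2 = key encrypted or not a private key, 3 = key does not match
# the certificate, 4 = key accessible to group or others.
check_pair() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "missing: $1 or $2"; return 1; }
    # The empty -passin makes a passphrase-protected key fail instead of prompting.
    kpub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null </dev/null) ||
        { echo "key is encrypted or not a private key: $2"; return 2; }
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
        { echo "not a certificate: $1"; return 1; }
    # Both commands print the public key in the same PEM form, so compare text.
    [ "$kpub" = "$cpub" ] ||
        { echo "certificate and key are not a pair"; return 3; }
    case $(ls -lLd "$2") in
        ????------*) ;;
        *) echo "key is accessible to group or others: $2"; return 4 ;;
    esac
    echo "ok: $1 matches $2"
}

# Demo in a scratch directory; on a server the arguments would be the two
# paths named by ssl_cert and ssl_key (without the leading "<").
demo_dir=$(mktemp -d)
make_pair "$demo_dir/cert.pem" "$demo_dir/key.pem" &&
    check_pair "$demo_dir/cert.pem" "$demo_dir/key.pem"
rm -rf "$demo_dir"
```

Exit status 2 covers a key written without -nodes, such as the cakey.pem from the quoted guide steps, which openssl protects with a passphrase.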

Gunnar Hjalmarsson (gunnarhj) wrote :

Ok, thanks for your clarifications.

Possibly there is a difference between 14.04 and 16.04, because on my 14.04 server they seem to have been created. I don't use them, though, but created my own with other names, and when having done so, I apparently had to modify the paths in /etc/dovecot/conf.d/10-ssl.conf.

Leaving this bug report to the server guide team to consider further.

Changed in serverguide:
status: Incomplete → New
Bryce Harrington (bryce) wrote :

I've added the suggested command as an example, and copyedited a bit to clarify use of default vs. custom certificates.

https://discourse.ubuntu.com/t/mail-dovecot/11880

Closing as fixed for the focal version of the docs.

Changed in serverguide:
status: New → Fix Released