Securing imap with Letsencrypt

Milan Petrovic petrovic.milan at gmail.com
Wed Aug 1 12:05:48 CEST 2018


Nope, won't do the trick...

$ sudo ls -la /etc/letsencrypt/archive
total 16
drwxr-x--- 4 root root     4096 Feb 13  2017 .
drwxr-xr-x 9 root root     4096 Jun  4 18:42 ..
drwxr-xr-x 2 root ssl-cert 4096 May 28 16:51 my_domain
drwxr-xr-x 2 root root     4096 May 28 16:51 my_other_domain
$ sudo chmod 755 /etc/letsencrypt/archive/my_domain/
$ sudo ls -la /etc/letsencrypt/archive
total 16
drwxr-x--- 4 root root     4096 Feb 13  2017 .
drwxr-xr-x 9 root root     4096 Jun  4 18:42 ..
drwxr-xr-x 2 root ssl-cert 4096 May 28 16:51 my_domain
drwxr-xr-x 2 root root     4096 May 28 16:51 my_other_domain
$ sudo -u cyrus cat /etc/letsencrypt/archive/my_domain/cert6.pem
cat: /etc/letsencrypt/archive/my_domain/cert6.pem: Permission denied
$
On Wed, Aug 1, 2018 at 12:01 PM Lasse Wiedemann <lasse at wiedemann-sh.de> wrote:
>
> Hej,
>
> maybe the problem is the permissions of /etc/letsencrypt/archive, where
> only root has the right to read
> (> drwxr-x--- 4 root root     4096 Feb 13  2017 ..)
>
> I changed it to 755.
>
> Lasse
>
>
> On 01.08.2018 11:39, Milan Petrovic wrote:
> > Seems like the access rights are the ones making the problem....
> >
> > I have pointed the certs in the ../archive/ folder as I've read
> > somewhere they have to have 640 access rights. The certs in /live/ are
> > publicly available.
> >
> > The issue seems to be that the 'cyrus' user cannot read the certs in any
> > folder. When I do "sudo -u cyrus cat ..." I get the 'permission
> > denied' error even after adding the cyrus user to the ssl-cert group, or
> > even after I made the cyrus user and the root group the owners of the cert
> > file.
> >
> > $ sudo ls -la /etc/letsencrypt/archive/my_domain/
> > total 104
> > drwxr-xr-x 2 root root     4096 May 28 16:51 .
> > drwxr-x--- 4 root root     4096 Feb 13  2017 ..
> > -rw-r--r-- 1 root root     1830 Feb 13  2017 cert1.pem
> > -rw-r--r-- 1 root root     1830 Jun  5  2017 cert2.pem
> > -rw-r--r-- 1 root root     1830 Sep 13  2017 cert3.pem
> > -rw-r--r-- 1 root root     1830 Dec 19  2017 cert4.pem
> > -rw-r--r-- 1 root root     1830 Feb 27 15:12 cert5.pem
> > -rw-r----- 1 root ssl-cert 2187 May 28 16:51 cert6.pem
> > -rw-r--r-- 1 root root     1647 Feb 13  2017 chain1.pem
> > -rw-r--r-- 1 root root     1647 Jun  5  2017 chain2.pem
> > -rw-r--r-- 1 root root     1647 Sep 13  2017 chain3.pem
> > -rw-r--r-- 1 root root     1647 Dec 19  2017 chain4.pem
> > -rw-r--r-- 1 root root     1647 Feb 27 15:12 chain5.pem
> > -rw-r----- 1 root ssl-cert 1647 May 28 16:51 chain6.pem
> > -rw-r--r-- 1 root root     3477 Feb 13  2017 fullchain1.pem
> > -rw-r--r-- 1 root root     3477 Jun  5  2017 fullchain2.pem
> > -rw-r--r-- 1 root root     3477 Sep 13  2017 fullchain3.pem
> > -rw-r--r-- 1 root root     3477 Dec 19  2017 fullchain4.pem
> > -rw-r--r-- 1 root root     3477 Feb 27 15:12 fullchain5.pem
> > -rw-r----- 1 root ssl-cert 3834 May 28 16:51 fullchain6.pem
> > -rw-r--r-- 1 root root     1704 Feb 13  2017 privkey1.pem
> > -rw-r--r-- 1 root root     1704 Jun  5  2017 privkey2.pem
> > -rw-r--r-- 1 root root     1708 Sep 13  2017 privkey3.pem
> > -rw-r--r-- 1 root root     1708 Dec 19  2017 privkey4.pem
> > -rw-r--r-- 1 root root     1704 Feb 27 15:12 privkey5.pem
> > -rw-r----- 1 root ssl-cert 1708 May 28 16:51 privkey6.pem
> > $ groups cyrus
> > cyrus : mail sasl ssl-cert
> > $ sudo -u cyrus cat /etc/letsencrypt/archive/my_domain/cert6.pem
> > cat: /etc/letsencrypt/archive/my_domainm/cert6.pem: Permission denied
> > $
> >
> > The certs are valid, btw, recently renewed, maybe a month ago.
> > On Wed, Aug 1, 2018 at 11:05 AM <benjamin.boudoir at free.fr> wrote:
> >>
> >> Hi,
> >>
> >> Le 01/08/2018 09:18, Milan Petrovic a écrit :
> >>> Hi all,
> >>>
> >>> I'm running a multidomain Kolab setup on Ubuntu, with Nginx.
> >>> I'm trying to make cyrus-imap use the Letsencrypt certificates
> >>> without any success (the certs are working fine on the Nginx part,
> >>> also working fine for Active-sync connections).
> >>> The certificates are stored in /etc/letsencrypt/archive/my_domain/,
> >>> chmoded to 640, owned by root (I have tried to have them owned by a
> >>> group 'mail' or 'ssl-cert', nothing happens).
> >>> Whenever I point the "tls_client_ca_file", "tls_server_cert" and
> >>> "tls_server_key" of imapd.conf to letsencrypt certs, I get in the logs
> >>> the following:
> >>> Aug  1 02:10:50 collab imaps[28524]: unable to get certificate from
> >>> '/etc/letsencrypt/archive/my_domain/cert6.pem'
> >>> Aug  1 02:10:50 collab imaps[28524]: TLS server engine: cannot load
> >>> server cert/key data.
> >>> Aug  1 02:10:50 collab imaps[28524]: error initializing TLS
> >>> Aug  1 02:10:50 collab imaps[28524]: Fatal error: tls_init() failed
> >>
> >> I do it too.
> >>
> >> You used to have the following users in your group :
> >> - cyrus
> >> - postfix
> >>
> >> And have group rights at least to "read" (+r) on your certificates.
> >>
> >> Note that folders sort of inherit the permissions from upper
> >> folders; they have to be readable (+r) and crossable (+x) by your group
> >> too.
> >>
> >> You may debug it simply by switching to them (like: su - cyrus
> >> --shell=/bin/sh) and doing some ls/cat to find what "breaks" the
> >> authorization.
> >>
> >>> At some point in the past I see I have commented out the ldap
> >>> configuration from the imapd.conf, not sure when and why (both the
> >>> base ldap configuration and the addition at the end for the
> >>> multidomain setup), but uncommenting it makes the login within
> >>> roundcube unsuccessful.
> >>
> >> Your users might be stored in cyrus instead of LDAP. In that case,
> >> it's normal that you can't log in by LDAP because all your setup might
> >> depend on IMAP authentication.
> >>
> >>> Please help.
> >>>
> >>> Thanks, Milan
> >>> _______________________________________________
> >>> users mailing list
> >>> users at lists.kolab.org
> >>> https://lists.kolab.org/mailman/listinfo/users
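A worked version of the component-by-component check Benjamin describes, added here as an example (not code from the thread, Kolab or Cyrus): it takes `ls -l` lines constructed from the listings quoted above and reports the first path component that denies the cyrus user, assuming that components not in the listing (such as /etc) are world-traversable.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed from the `ls -la` lines quoted in this thread (assumption:
# components not listed here, such as /etc, are world-traversable).
LISTING: Dict[str, str] = {
    "/etc/letsencrypt": "drwxr-xr-x 9 root root 4096 Jun  4 18:42 letsencrypt",
    "/etc/letsencrypt/archive": "drwxr-x--- 4 root root 4096 Feb 13  2017 archive",
    "/etc/letsencrypt/archive/my_domain": "drwxr-xr-x 2 root ssl-cert 4096 May 28 16:51 my_domain",
    "/etc/letsencrypt/archive/my_domain/cert6.pem": "-rw-r----- 1 root ssl-cert 2187 May 28 16:51 cert6.pem",
}

def applicable_bits(mode: str, owner: str, group: str,
                    user: str, groups: Set[str]) -> Tuple[str, str]:
    """Pick the one rwx triplet Unix applies to `user`: an owner match wins,
    then group membership, else the 'other' bits. Returns (class, 'rwx')."""
    if user == owner:
        cls, triplet = "owner", mode[1:4]
    elif group in groups:
        cls, triplet = "group", mode[4:7]
    else:
        cls, triplet = "other", mode[7:10]
    # s/t (setuid, setgid, sticky) imply execute; S/T mean execute is clear
    plain = "".join("x" if c in "st" else "-" if c in "ST" else c for c in triplet)
    return cls, plain

def first_denial(path: str, user: str, groups: Set[str],
                 listing: Dict[str, str] = LISTING) -> Optional[Tuple[str, str]]:
    """Return None if `user` can open `path` for reading; otherwise the
    (component, reason) of the first directory that cannot be searched or
    the final file that cannot be read. root bypasses mode bits entirely."""
    if user == "root":
        return None
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        component = "/" + "/".join(parts[:i])
        line = listing.get(component)
        if line is None:
            continue  # unlisted component: assumed traversable (see above)
        fields = line.split()
        mode, owner, group = fields[0], fields[2], fields[3]
        cls, bits = applicable_bits(mode, owner, group, user, groups)
        if i < len(parts) and bits[2] != "x":
            return component, "no search (x) bit for %s as '%s' (%s)" % (user, cls, mode)
        if i == len(parts) and bits[0] != "r":
            return component, "no read (r) bit for %s as '%s' (%s)" % (user, cls, mode)
    return None
```

Calling `first_denial("/etc/letsencrypt/archive/my_domain/cert6.pem", "cyrus", {"mail", "sasl", "ssl-cert"})` against the listing above points at /etc/letsencrypt/archive (drwxr-x---, owned root:root), which the ssl-cert group on the files beneath it cannot get past.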
