Securing imap with Letsencrypt

Milan Petrovic petrovic.milan at gmail.com
Wed Aug 1 11:39:15 CEST 2018 

Seems like the access rights are the ones making the problem....

I have pointed the certs in the ../archive/ folder as I've read
somewhere they have to have 640 access rights. The certs in /live/ are
publicly available.

The issue seems to be that 'cyrus' user cannot read the certs in any
folder. When I do "sudo -u cyrus cat ..." I get the 'permission
denied' error even after adding the cyrus user to ssl-cert group or
even after I put the cyrus user and root group are owning the cert
file.

$ sudo ls -la /etc/letsencrypt/archive/my_domain/
total 104
drwxr-xr-x 2 root root     4096 May 28 16:51 .
drwxr-x--- 4 root root     4096 Feb 13  2017 ..
-rw-r--r-- 1 root root     1830 Feb 13  2017 cert1.pem
-rw-r--r-- 1 root root     1830 Jun  5  2017 cert2.pem
-rw-r--r-- 1 root root     1830 Sep 13  2017 cert3.pem
-rw-r--r-- 1 root root     1830 Dec 19  2017 cert4.pem
-rw-r--r-- 1 root root     1830 Feb 27 15:12 cert5.pem
-rw-r----- 1 root ssl-cert 2187 May 28 16:51 cert6.pem
-rw-r--r-- 1 root root     1647 Feb 13  2017 chain1.pem
-rw-r--r-- 1 root root     1647 Jun  5  2017 chain2.pem
-rw-r--r-- 1 root root     1647 Sep 13  2017 chain3.pem
-rw-r--r-- 1 root root     1647 Dec 19  2017 chain4.pem
-rw-r--r-- 1 root root     1647 Feb 27 15:12 chain5.pem
-rw-r----- 1 root ssl-cert 1647 May 28 16:51 chain6.pem
-rw-r--r-- 1 root root     3477 Feb 13  2017 fullchain1.pem
-rw-r--r-- 1 root root     3477 Jun  5  2017 fullchain2.pem
-rw-r--r-- 1 root root     3477 Sep 13  2017 fullchain3.pem
-rw-r--r-- 1 root root     3477 Dec 19  2017 fullchain4.pem
-rw-r--r-- 1 root root     3477 Feb 27 15:12 fullchain5.pem
-rw-r----- 1 root ssl-cert 3834 May 28 16:51 fullchain6.pem
-rw-r--r-- 1 root root     1704 Feb 13  2017 privkey1.pem
-rw-r--r-- 1 root root     1704 Jun  5  2017 privkey2.pem
-rw-r--r-- 1 root root     1708 Sep 13  2017 privkey3.pem
-rw-r--r-- 1 root root     1708 Dec 19  2017 privkey4.pem
-rw-r--r-- 1 root root     1704 Feb 27 15:12 privkey5.pem
-rw-r----- 1 root ssl-cert 1708 May 28 16:51 privkey6.pem
$ groups cyrus
cyrus : mail sasl ssl-cert
$ sudo -u cyrus cat /etc/letsencrypt/archive/my_domain/cert6.pem
cat: /etc/letsencrypt/archive/my_domainm/cert6.pem: Permission denied
$

The certs are valid, btw, recently renewed, maybe a month ago.
On Wed, Aug 1, 2018 at 11:05 AM <benjamin.boudoir at free.fr> wrote:
>
> Hi,
>
> Le 01/08/2018 09:18, Milan Petrovic a écrit :
> > Hi all,
> >
> > I'm running a multidomain Kolab setup on Ubuntu, with Nginx.
> > I'm trying to make cyrus-imap to use the Letsencrypt certificates
> > without any success (the certs are working fine on the Nginx part,
> > also working fine for Active-sync connections).
> > The certificates are stored in /etc/letsencrypt/archive/my_domain/,
> > chmoded to 640, owned by root (I have tried to have them owned by a
> > group 'mail' or 'ssl-cert', nothing happens).
> > Whenever I point the "tls_client_ca_file", "tls_server_cert" and
> > "tls_server_key" of imapd.conf to letsencrypt certs, I get in the logs
> > the following:
> > Aug  1 02:10:50 collab imaps[28524]: unable to get certificate from
> > '/etc/letsencrypt/archive/my_domain/cert6.pem'
> > Aug  1 02:10:50 collab imaps[28524]: TLS server engine: cannot load
> > server cert/key data.
> > Aug  1 02:10:50 collab imaps[28524]: error initializing TLS
> > Aug  1 02:10:50 collab imaps[28524]: Fatal error: tls_init() failed
>
> I do it too.
>
> You used to have the following users in your group :
> - cyrus
> - postfix
>
> And have group rights at least to "read" (+r) on your certificates.
>
> Note that the folders sort of inherits the permissions from upper
> folders, they have to be readeable (+r) and crossable (+x) by your group
> too.
>
> You may debug it simply by switching as they (like: su - cyrus
> --shell=/bin/sh) and do some ls/cat to find what "breaks" the
> authorization.
>
> > At some point in the past I see I have commented out the ldap
> > configuration from the imapd.conf, not sure when and why (both the
> > base ldap configuration and the addition at the end for the
> > multidomain setup), but uncommenting it makes the login within
> > roundcube unsuccessful.
>
> Your users might be stored in cyrus instead of LDAP. In that case,
> that's normal you can't log by LDAP because all your setup might depend
> of IMAP authentication.
>
> > Please help.
> >
> > Thanks, Milan
> > _______________________________________________
> > users mailing list
> > users at lists.kolab.org
> > https://lists.kolab.org/mailman/listinfo/users

More information about the users mailing list