Securing imap with Letsencrypt

Lasse Wiedemann lasse at wiedemann-sh.de
Wed Aug 1 12:01:03 CEST 2018


Hej,

maybe the problem is the permissions of /etc/letsencrypt/archive; there
only root has the right to read
(> drwxr-x--- 4 root root     4096 Feb 13  2017 ..)

I changed it to 755.

Lasse


On 01.08.2018 11:39, Milan Petrovic wrote:
> Seems like the access rights are the ones making the problem....
> 
> I have pointed the certs in the ../archive/ folder as I've read
> somewhere they have to have 640 access rights. The certs in /live/ are
> publicly available.
> 
> The issue seems to be that the 'cyrus' user cannot read the certs in any
> folder. When I do "sudo -u cyrus cat ..." I get the 'permission
> denied' error even after adding the cyrus user to the ssl-cert group or
> even after I made the cyrus user and the root group the owners of the cert
> file.
> 
> $ sudo ls -la /etc/letsencrypt/archive/my_domain/
> total 104
> drwxr-xr-x 2 root root     4096 May 28 16:51 .
> drwxr-x--- 4 root root     4096 Feb 13  2017 ..
> -rw-r--r-- 1 root root     1830 Feb 13  2017 cert1.pem
> -rw-r--r-- 1 root root     1830 Jun  5  2017 cert2.pem
> -rw-r--r-- 1 root root     1830 Sep 13  2017 cert3.pem
> -rw-r--r-- 1 root root     1830 Dec 19  2017 cert4.pem
> -rw-r--r-- 1 root root     1830 Feb 27 15:12 cert5.pem
> -rw-r----- 1 root ssl-cert 2187 May 28 16:51 cert6.pem
> -rw-r--r-- 1 root root     1647 Feb 13  2017 chain1.pem
> -rw-r--r-- 1 root root     1647 Jun  5  2017 chain2.pem
> -rw-r--r-- 1 root root     1647 Sep 13  2017 chain3.pem
> -rw-r--r-- 1 root root     1647 Dec 19  2017 chain4.pem
> -rw-r--r-- 1 root root     1647 Feb 27 15:12 chain5.pem
> -rw-r----- 1 root ssl-cert 1647 May 28 16:51 chain6.pem
> -rw-r--r-- 1 root root     3477 Feb 13  2017 fullchain1.pem
> -rw-r--r-- 1 root root     3477 Jun  5  2017 fullchain2.pem
> -rw-r--r-- 1 root root     3477 Sep 13  2017 fullchain3.pem
> -rw-r--r-- 1 root root     3477 Dec 19  2017 fullchain4.pem
> -rw-r--r-- 1 root root     3477 Feb 27 15:12 fullchain5.pem
> -rw-r----- 1 root ssl-cert 3834 May 28 16:51 fullchain6.pem
> -rw-r--r-- 1 root root     1704 Feb 13  2017 privkey1.pem
> -rw-r--r-- 1 root root     1704 Jun  5  2017 privkey2.pem
> -rw-r--r-- 1 root root     1708 Sep 13  2017 privkey3.pem
> -rw-r--r-- 1 root root     1708 Dec 19  2017 privkey4.pem
> -rw-r--r-- 1 root root     1704 Feb 27 15:12 privkey5.pem
> -rw-r----- 1 root ssl-cert 1708 May 28 16:51 privkey6.pem
> $ groups cyrus
> cyrus : mail sasl ssl-cert
> $ sudo -u cyrus cat /etc/letsencrypt/archive/my_domain/cert6.pem
> cat: /etc/letsencrypt/archive/my_domainm/cert6.pem: Permission denied
> $
> 
> The certs are valid, btw, recently renewed, maybe a month ago.
> On Wed, Aug 1, 2018 at 11:05 AM <benjamin.boudoir at free.fr> wrote:
>>
>> Hi,
>>
>> On 01/08/2018 09:18, Milan Petrovic wrote:
>>> Hi all,
>>>
>>> I'm running a multidomain Kolab setup on Ubuntu, with Nginx.
>>> I'm trying to make cyrus-imap use the Letsencrypt certificates
>>> without any success (the certs are working fine on the Nginx side,
>>> also working fine for ActiveSync connections).
>>> The certificates are stored in /etc/letsencrypt/archive/my_domain/,
>>> chmoded to 640, owned by root (I have tried to have them owned by a
>>> group 'mail' or 'ssl-cert', nothing happens).
>>> Whenever I point the "tls_client_ca_file", "tls_server_cert" and
>>> "tls_server_key" of imapd.conf to letsencrypt certs, I get in the logs
>>> the following:
>>> Aug  1 02:10:50 collab imaps[28524]: unable to get certificate from
>>> '/etc/letsencrypt/archive/my_domain/cert6.pem'
>>> Aug  1 02:10:50 collab imaps[28524]: TLS server engine: cannot load
>>> server cert/key data.
>>> Aug  1 02:10:50 collab imaps[28524]: error initializing TLS
>>> Aug  1 02:10:50 collab imaps[28524]: Fatal error: tls_init() failed
>>
>> I do it too.
>>
>> You need to have the following users in your group:
>> - cyrus
>> - postfix
>>
>> And the group needs at least "read" (+r) rights on your certificates.
>>
>> Note that folders sort of inherit the permissions from the upper
>> folders: they have to be readable (+r) and crossable (+x) by your group
>> too.
>>
>> You may debug it simply by switching to those users (like: su - cyrus
>> --shell=/bin/sh) and doing some ls/cat to find what "breaks" the
>> authorization.
>>
>>> At some point in the past I see I have commented out the ldap
>>> configuration from the imapd.conf, not sure when and why (both the
>>> base ldap configuration and the addition at the end for the
>>> multidomain setup), but uncommenting it makes the login within
>>> roundcube unsuccessful.
>>
>> Your users might be stored in cyrus instead of LDAP. In that case,
>> it's normal that you can't log in via LDAP, because your whole setup might
>> depend on IMAP authentication.
>>
>>> Please help.
>>>
>>> Thanks, Milan
>>> _______________________________________________
>>> users mailing list
>>> users at lists.kolab.org
>>> https://lists.kolab.org/mailman/listinfo/users
> 

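The step-by-step ls/cat check Benjamin suggests above can be reasoned through offline. The following is an added example, not code from the thread: it replays the Unix permission check along the path, using the modes from the listing in the thread (with /etc and /etc/letsencrypt assumed to be 0755 root:root, since they are not shown) and the cyrus group list from `groups cyrus`, to report the first component that denies access. It also flags private keys whose mode lets any local account read them.

```python
# Constructed from the listing in the thread: mode, owner, group, path.
# /etc and /etc/letsencrypt are not listed there; 0755 root:root is assumed.
LISTING = """\
drwxr-xr-x root root     /etc
drwxr-xr-x root root     /etc/letsencrypt
drwxr-x--- root root     /etc/letsencrypt/archive
drwxr-xr-x root root     /etc/letsencrypt/archive/my_domain
-rw-r--r-- root root     /etc/letsencrypt/archive/my_domain/privkey5.pem
-rw-r----- root ssl-cert /etc/letsencrypt/archive/my_domain/cert6.pem
-rw-r----- root ssl-cert /etc/letsencrypt/archive/my_domain/privkey6.pem
"""
def parse_listing(text):
    """Map path -> (mode string, owner, group)."""
    fs = {}
    for line in text.splitlines():
        mode, owner, group, path = line.split()
        fs[path] = (mode, owner, group)
    return fs

def allowed(entry, user, user_groups, perm):
    """Kernel rule: only the first matching class counts (owner, else group, else other)."""
    mode, owner, group = entry
    if user == "root":
        return True                      # root bypasses these DAC checks
    if user == owner:
        cls = mode[1:4]
    elif group in user_groups:
        cls = mode[4:7]
    else:
        cls = mode[7:10]
    return perm in cls

def can_read(fs, user, user_groups, path):
    """Parents need 'x' (search), the file needs 'r'; returns (ok, first_denying_path)."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        d = "/" + "/".join(parts[:i])
        if not allowed(fs[d], user, user_groups, "x"):
            return False, d
    if not allowed(fs[path], user, user_groups, "r"):
        return False, path
    return True, None

def world_readable_keys(fs):
    """Private keys any local account can read (other-class 'r' bit set)."""
    return sorted(p for p, (mode, _, _) in fs.items()
                  if "privkey" in p and mode[7] == "r")
FS = parse_listing(LISTING)
CYRUS_GROUPS = {"mail", "sasl", "ssl-cert"}   # from `groups cyrus` in the thread
```

With the thread's modes, `can_read(FS, "cyrus", CYRUS_GROUPS, ".../cert6.pem")` stops at /etc/letsencrypt/archive (the 0750 parent, not the 0640 file) and `world_readable_keys(FS)` reports privkey5.pem.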
