Securing imap with Letsencrypt

Milan Petrovic petrovic.milan at gmail.com
Wed Aug 1 12:22:28 CEST 2018


That DID the trick!!

Lasse, THANKS A LOT!

Haven't slept for almost two days, desperately trying to fix this.

You have no idea how you made me happy now!

Man! I would never have tried this myself... Thanks A LOT!
On Wed, Aug 1, 2018 at 12:17 PM Lasse Wiedemann <lasse at wiedemann-sh.de> wrote:
>
> it is the permission of the folder /etc/letsencrypt/archive/, so try
>
> sudo chmod 755 /etc/letsencrypt/archive/
>
>
> On 01.08.2018 12:05, Milan Petrovic wrote:
> > Nope, won't do the trick...
> >
> > $ sudo ls -la /etc/letsencrypt/archive
> > total 16
> > drwxr-x--- 4 root root     4096 Feb 13  2017 .
> > drwxr-xr-x 9 root root     4096 Jun  4 18:42 ..
> > drwxr-xr-x 2 root ssl-cert 4096 May 28 16:51 my_domain
> > drwxr-xr-x 2 root root     4096 May 28 16:51 my_other_domain
> > $ sudo chmod 755 /etc/letsencrypt/archive/my_domain/
> > $ sudo ls -la /etc/letsencrypt/archive
> > total 16
> > drwxr-x--- 4 root root     4096 Feb 13  2017 .
> > drwxr-xr-x 9 root root     4096 Jun  4 18:42 ..
> > drwxr-xr-x 2 root ssl-cert 4096 May 28 16:51 my_domain
> > drwxr-xr-x 2 root root     4096 May 28 16:51 my_other_domain
> > $ sudo -u cyrus cat /etc/letsencrypt/archive/my_domain/cert6.pem
> > cat: /etc/letsencrypt/archive/my_domain/cert6.pem: Permission denied
> > $
> > On Wed, Aug 1, 2018 at 12:01 PM Lasse Wiedemann <lasse at wiedemann-sh.de> wrote:
> >>
> >> Hej,
> >>
> >> maybe the problem is the permissions of /etc/letsencrypt/archive, where
> >> only root has the right to read
> >> (> drwxr-x--- 4 root root     4096 Feb 13  2017 ..)
> >>
> >> I changed it to 755.
> >>
> >> Lasse
> >>
> >>
> >> On 01.08.2018 11:39, Milan Petrovic wrote:
> >>> Seems like the access rights are the ones causing the problem....
> >>>
> >>> I have pointed to the certs in the ../archive/ folder, as I've read
> >>> somewhere they have to have 640 access rights. The certs in /live/ are
> >>> publicly available.
> >>>
> >>> The issue seems to be that the 'cyrus' user cannot read the certs in any
> >>> folder. When I do "sudo -u cyrus cat ..." I get the 'permission
> >>> denied' error even after adding the cyrus user to the ssl-cert group, or
> >>> even after I made the cyrus user and the root group the owners of the cert
> >>> file.
> >>>
> >>> $ sudo ls -la /etc/letsencrypt/archive/my_domain/
> >>> total 104
> >>> drwxr-xr-x 2 root root     4096 May 28 16:51 .
> >>> drwxr-x--- 4 root root     4096 Feb 13  2017 ..
> >>> -rw-r--r-- 1 root root     1830 Feb 13  2017 cert1.pem
> >>> -rw-r--r-- 1 root root     1830 Jun  5  2017 cert2.pem
> >>> -rw-r--r-- 1 root root     1830 Sep 13  2017 cert3.pem
> >>> -rw-r--r-- 1 root root     1830 Dec 19  2017 cert4.pem
> >>> -rw-r--r-- 1 root root     1830 Feb 27 15:12 cert5.pem
> >>> -rw-r----- 1 root ssl-cert 2187 May 28 16:51 cert6.pem
> >>> -rw-r--r-- 1 root root     1647 Feb 13  2017 chain1.pem
> >>> -rw-r--r-- 1 root root     1647 Jun  5  2017 chain2.pem
> >>> -rw-r--r-- 1 root root     1647 Sep 13  2017 chain3.pem
> >>> -rw-r--r-- 1 root root     1647 Dec 19  2017 chain4.pem
> >>> -rw-r--r-- 1 root root     1647 Feb 27 15:12 chain5.pem
> >>> -rw-r----- 1 root ssl-cert 1647 May 28 16:51 chain6.pem
> >>> -rw-r--r-- 1 root root     3477 Feb 13  2017 fullchain1.pem
> >>> -rw-r--r-- 1 root root     3477 Jun  5  2017 fullchain2.pem
> >>> -rw-r--r-- 1 root root     3477 Sep 13  2017 fullchain3.pem
> >>> -rw-r--r-- 1 root root     3477 Dec 19  2017 fullchain4.pem
> >>> -rw-r--r-- 1 root root     3477 Feb 27 15:12 fullchain5.pem
> >>> -rw-r----- 1 root ssl-cert 3834 May 28 16:51 fullchain6.pem
> >>> -rw-r--r-- 1 root root     1704 Feb 13  2017 privkey1.pem
> >>> -rw-r--r-- 1 root root     1704 Jun  5  2017 privkey2.pem
> >>> -rw-r--r-- 1 root root     1708 Sep 13  2017 privkey3.pem
> >>> -rw-r--r-- 1 root root     1708 Dec 19  2017 privkey4.pem
> >>> -rw-r--r-- 1 root root     1704 Feb 27 15:12 privkey5.pem
> >>> -rw-r----- 1 root ssl-cert 1708 May 28 16:51 privkey6.pem
> >>> $ groups cyrus
> >>> cyrus : mail sasl ssl-cert
> >>> $ sudo -u cyrus cat /etc/letsencrypt/archive/my_domain/cert6.pem
> >>> cat: /etc/letsencrypt/archive/my_domainm/cert6.pem: Permission denied
> >>> $
> >>>
> >>> The certs are valid, btw, recently renewed, maybe a month ago.
> >>> On Wed, Aug 1, 2018 at 11:05 AM <benjamin.boudoir at free.fr> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> Le 01/08/2018 09:18, Milan Petrovic a écrit :
> >>>>> Hi all,
> >>>>>
> >>>>> I'm running a multidomain Kolab setup on Ubuntu, with Nginx.
> >>>>> I'm trying to make cyrus-imap to use the Letsencrypt certificates
> >>>>> without any success (the certs are working fine on the Nginx part,
> >>>>> also working fine for Active-sync connections).
> >>>>> The certificates are stored in /etc/letsencrypt/archive/my_domain/,
> >>>>> chmoded to 640, owned by root (I have tried to have them owned by a
> >>>>> group 'mail' or 'ssl-cert', nothing happens).
> >>>>> Whenever I point the "tls_client_ca_file", "tls_server_cert" and
> >>>>> "tls_server_key" of imapd.conf to letsencrypt certs, I get in the logs
> >>>>> the following:
> >>>>> Aug  1 02:10:50 collab imaps[28524]: unable to get certificate from
> >>>>> '/etc/letsencrypt/archive/my_domain/cert6.pem'
> >>>>> Aug  1 02:10:50 collab imaps[28524]: TLS server engine: cannot load
> >>>>> server cert/key data.
> >>>>> Aug  1 02:10:50 collab imaps[28524]: error initializing TLS
> >>>>> Aug  1 02:10:50 collab imaps[28524]: Fatal error: tls_init() failed
> >>>>
> >>>> I do it too.
> >>>>
> >>>> You need to have the following users in your group:
> >>>> - cyrus
> >>>> - postfix
> >>>>
> >>>> And the group needs at least "read" (+r) rights on your certificates.
> >>>>
> >>>> Note that the folders sort of inherit the permissions from upper
> >>>> folders; they have to be readable (+r) and traversable (+x) by your group
> >>>> too.
> >>>>
> >>>> You may debug it simply by switching to that user (like: su - cyrus
> >>>> --shell=/bin/sh) and doing some ls/cat to find what "breaks" the
> >>>> authorization.
> >>>>
> >>>>> At some point in the past I see I have commented out the ldap
> >>>>> configuration from the imapd.conf, not sure when and why (both the
> >>>>> base ldap configuration and the addition at the end for the
> >>>>> multidomain setup), but uncommenting it makes the login within
> >>>>> roundcube unsuccessful.
> >>>>
> >>>> Your users might be stored in cyrus instead of LDAP. In that case,
> >>>> it's normal that you can't log in via LDAP, because your whole setup
> >>>> might depend on IMAP authentication.
> >>>>
> >>>>> Please help.
> >>>>>
> >>>>> Thanks, Milan
> >>>>> _______________________________________________
> >>>>> users mailing list
> >>>>> users at lists.kolab.org
> >>>>> https://lists.kolab.org/mailman/listinfo/users

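The diagnosis in this thread ("su - cyrus and ls/cat until something breaks") and the final fix (chmod 755 on /etc/letsencrypt/archive) both hinge on one rule: a process needs x on every directory along the path and r on the file itself, and for each object only one set of bits applies (owner if you own it, else group if one of your groups owns it, else other). Below is an added example script (not from the thread, not Cyrus or certbot code) that performs that walk from stat's mode/owner/group, so it reports which component denies a service account and gives the same answer whether you run it as root or not (as root, `test -r` and `sudo -u root cat` are always true, which hides the problem). It assumes GNU coreutils (`stat -c`, `id -Gn`) and Linux discretionary permission semantics; the function names and the temporary tree in the usage note are hypothetical. Note a caveat the listing in the thread makes visible: privkey1.pem through privkey5.pem are mode 644, so once the archive directory is world-traversable those older private keys are readable by every local account, not only by cyrus. The script's last function lists exactly those files.

```shell
#!/bin/sh
# Added example: reproduce "sudo -u USER cat FILE" as a permission walk.
# Assumes GNU stat (-c '%a %U %G') and Linux DAC: owner bits if you own the
# object, else group bits if one of your groups owns it, else "other" bits.

# bit_set OCTAL_DIGIT BIT : true if BIT (4=r, 2=w, 1=x) is set in the digit.
bit_set() { [ $(( $1 & $2 )) -ne 0 ]; }

# class_digit MODE OWNER GROUP USER "GROUPS"
# Prints the one octal digit (u, g or o) that applies to USER.
class_digit() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
    mode=${mode#"${mode%???}"}        # drop a leading setuid/setgid/sticky digit
    if [ "$user" = "$owner" ]; then
        printf '%s' "${mode%??}"      # owner digit
        return
    fi
    in_group=0
    for g in $ugroups; do [ "$g" = "$group" ] && in_group=1; done
    if [ $in_group -eq 1 ]; then
        m=${mode#?}; printf '%s' "${m%?}"   # group digit
    else
        printf '%s' "${mode#??}"      # other digit
    fi
}

# check_path USER "GROUPS" /absolute/path
# Every directory on the way needs x; the final object needs r (the file case).
# Prints "ok" or "denied at PATH (need r|x, mode M owner U:G)".
# Returns 0 when readable, 1 when denied, 2 when a component does not exist
# (the thread's "my_domainm" typo lands here rather than in a false "denied").
check_path() {
    user=$1 ugroups=$2 path=$3
    rest=${path#/}
    cur=""
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        cur="$cur/$comp"
        info=$(stat -c '%a %U %G' "$cur" 2>/dev/null) || {
            echo "cannot stat $cur (no such component)"
            return 2
        }
        set -- $info                  # $1=mode $2=owner $3=group
        if [ -n "$rest" ]; then need=x; bit=1; else need=r; bit=4; fi
        d=$(class_digit "$1" "$2" "$3" "$user" "$ugroups")
        if ! bit_set "$d" "$bit"; then
            echo "denied at $cur (need $need, mode $1 owner $2:$3)"
            return 1
        fi
    done
    echo ok
}

# world_readable_keys DIR : private keys under DIR with the other-read bit set.
world_readable_keys() { find "$1" -name 'privkey*.pem' -perm -004; }

# Usage: sh check_path.sh USER "GROUPS" /path, e.g.
#   sh check_path.sh cyrus "$(id -Gn cyrus)" /etc/letsencrypt/archive/my_domain/cert6.pem
if [ $# -eq 3 ]; then check_path "$@"; fi
```

Run against the listing from the thread, the first call stops at /etc/letsencrypt/archive with "need x, mode 750 owner root:root" (the directory fix), and after chmod 755 it stops at cert6.pem unless the user's groups include ssl-cert. The `world_readable_keys` call then shows why 755 on the archive is a coarse fix: a tighter one keeps the directory 750 and gives only the service account's group traversal rights (chgrp on the archive and the domain directory), and removes the other-read bit from every privkey*.pem, so that widening traversal does not also publish old keys.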
