7

I've been trying to get Postfix and Dovecot set up for days and I think I have resolved all problems except for one that just came up. When I try to restart Dovecot I get the following error message:

```
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: ssl enabled, but ssl_cert not set
[....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: ssl enabled, but ssl_cert not set
```

When I check dovecot.conf, there is nothing regarding ssl so I assume the error is referencing the settings in 10-ssl.conf. I noticed that the settings are commented out:

```
# ssl = no
# ssl_cert = </etc/ssl/dovecot.pem
# ssl_key = </etc/ssl/private/dovecot.pem
```

I know these were uncommented earlier but if I uncomment now, I get a different error at startup about unexpected value ssl in 10-ssl.conf. From the Dovecot wiki this value must be set even if it is overwritten by a specific protocol elsewhere.

If I leave the ssl values commented out I get the first error message about ssl being enabled but not set.

Earlier I had created a self-signed certificate using OpenSSL and was not receiving any error messages about ssl not being configured. In fact, I was able to log in to pops from another client machine and it gave the usual warning about the certificate being untrusted. I did notice, however, that the cert referenced an incorrect hostname; this was caused earlier when I rebuilt my VPS and foolishly installed and configured Dovecot with an incorrect hostname set.

Well I purged all files and reinstalled. I have again deleted all keys and regenerated with OpenSSL a couple times but now I cannot even start Dovecot because of this error. I'm stuck and was wondering how I should approach this. Is it possible that something in Postfix referencing Dovecot is causing this?

Some sites say to check your syntax such as ssl_cert = </etc vs ssl_cert = /etc but this has not made a difference. I would also be happy to just temporarily disable ssl to get around the error, but that fails as well.

Just now I tried to create a symbolic link to the prebuilt keys in /etc/dovecot and /etc/dovecot.pem but I get the same message.

sebix
Steve
  • Also, why would it say SSL is enabled if it has not been set in 10-ssl.conf or dovecot.conf? Where is it being enabled? I checked Postfix but main.cf only points to the certs. Could it be something in /etc/postfix/master.cf? I checked but didn't notice anything. – Steve Aug 09 '13 at 21:14
  • Run `grep ssl /etc/dovecot/* -R` to see where ssl is mentioned in the config files. – sebix Jul 14 '14 at 11:38

3 Answers

4

Old post, however: the error comes from the fact that the main configuration file dovecot.conf needs to have a line "!include conf.d/*.conf" at the end.

Otherwise it won't load the configuration files that you have inside "conf.d/"

I think this is the reason why you are not getting any difference from changing the settings in the config files within "conf.d/"

> Also, why would it say SSL is enabled if it has not been set in 10-ssl.conf or dovecot.conf? Where is it being enabled?

That's because the default configuration is ssl = yes. Not having included the 10-ssl.conf file, where you could either deactivate ssl or set the cert file, gives you that result.

tribis
1

My Dovecot configuration in dovecot/conf.d/10-ssl.conf, which is working on two different servers, is:

```
ssl = yes
ssl_cert = </path/to/cert.file
ssl_key = </path/to/key.file
```

I use a certificate authority, so I also have:

```
ssl_ca = </path/to/ca-bundle.pem
```

It has been some time since I set the servers up, but I do recall having issues with Dovecot, and I believe they were separate from Postfix.

I'm not sure about the unexpected value error. When you uncommented, did you change ssl = no to ssl = yes? I also know that OpenSSL is a little picky about file permissions. My key file is owned by root:root and has 400 permissions set.

Paul
  • I had changed it from ssl = yes to ssl = no and then when I tried to change it back to yes the trouble started. – Steve Aug 10 '13 at 20:28
  • Could you show the output of `# dovecot -n`? – ALex_hha Aug 11 '13 at 21:30
  • I think I can do better. Here is the page I used as a guide to set my mail servers up: https://www.exratione.com/2012/05/a-mailserver-on-ubuntu-1204-postfix-dovecot-mysql/ – Paul Aug 14 '13 at 05:36
  • The key file needs to be readable by Dovecot. If you have an sslcerts group make it group readable using that group and add the dovecot user to that group. Also the command `dovecot -n` will output the full configuration after inclusions. This can be helpful for debugging. – BillThor Mar 03 '14 at 04:10
  • There are changes to Dovecot in the latest release. I needed to update accordingly. – BillThor Mar 03 '14 at 04:13
0

Check 20-imap.conf (http://wiki2.dovecot.org/SSL/DovecotConfiguration):

```
protocol imap {
  ssl_cert = </etc/ssl/dovecot.pem
  ssl_key = </etc/ssl/private/dovecot.pem
}
```

and 10-ssl.conf: ssl_parameters_regenerate = 0 <<-- default 168 hours

Upd:

```
doveconf -a | grep ssl
```
Kiev
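A static check for the conditions the answers above describe (conf.d not included while ssl defaults to yes, and a key file that other users can access), added here as an example and not part of any post. `last_value`, `check_dovecot_ssl` and `make_sample` are hypothetical helper names, and the check reads only flat `key = value` lines, so `doveconf -n` remains the authoritative view.

```sh
#!/bin/sh
# Added example (not from the thread): static check of a Dovecot config tree.
# Assumption: only flat "key = value" lines are read; nested sections are not evaluated.

# Print the last uncommented value of setting $1 in the files that follow.
last_value() {
    name=$1; shift
    sed -n "s/^[[:space:]]*${name}[[:space:]]*=[[:space:]]*//p" "$@" 2>/dev/null | tail -n 1
}

# Returns 0 = ok, 2 = ssl on without ssl_cert, 3 = key file accessible to other users.
check_dovecot_ssl() {
    dir=$1
    set -- "$dir/dovecot.conf"
    # conf.d/*.conf only counts if dovecot.conf actually includes it.
    if grep -Eq '^[[:space:]]*!include(_try)?[[:space:]]+conf\.d/\*\.conf' "$dir/dovecot.conf"; then
        set -- "$@" "$dir"/conf.d/*.conf
    else
        echo "note: dovecot.conf does not include conf.d/*.conf; files there are ignored"
    fi
    ssl=$(last_value ssl "$@")
    ssl=${ssl:-yes}    # default stated in the answer above: ssl = yes
    cert=$(last_value ssl_cert "$@")
    key=$(last_value ssl_key "$@")
    if [ "$ssl" != "no" ] && [ -z "$cert" ]; then
        echo "FAIL: ssl = $ssl but ssl_cert is not set"
        return 2
    fi
    key=${key#<}       # a leading "<" means "read the value from this file"
    if [ -n "$key" ] && [ -e "$key" ]; then
        # characters 8-10 of ls -l output are the permission bits for "other"
        if [ "$(ls -ld "$key" | cut -c8-10)" != "---" ]; then
            echo "WARN: $key is accessible to other users"
            return 3
        fi
    fi
    echo "OK: ssl = $ssl"
    return 0
}

# Constructed sample tree reproducing the question: settings exist in conf.d,
# but dovecot.conf has no !include line.
make_sample() {
    mkdir -p "$1/conf.d"
    : > "$1/dovecot.conf"
    printf 'ssl = yes\nssl_cert = </etc/ssl/dovecot.pem\n' > "$1/conf.d/10-ssl.conf"
}
```

Run `check_dovecot_ssl /etc/dovecot` against a real tree, or `make_sample "$(mktemp -d)"` first to reproduce the failure from the question.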