I've created a CSR and private key pair, as instructed by StartSSL, for my Postfix/Dovecot Ubuntu 14.04 server, with:
openssl req -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr
At the passphrase prompt, I entered (why not, right?) a password, instead of leaving it blank to get an unprotected key.
After pasting the CSR file into StartSSL, I received the corresponding certificate associated with the password-protected key.
I have both Dovecot and Postfix using that certificate:
# /etc/postfix/main.cf
smtpd_tls_cert_file = /etc/ssl/private/mychain.pem
smtpd_tls_key_file = /etc/ssl/private/mydomain.key
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/ssl/private/mychain.pem
ssl_key = </etc/ssl/private/mydomain.key
When testing with checktls.com, I receive:
(other steps omitted)
749.-->STARTTLS\r\n
750.<--454 4.7.0 TLS not available due to local problem\r\n
And in my system log, the SMTP error, together with a Dovecot error that, luckily, happened at just that moment (one of my customers was trying to connect at that moment, I guess):
Oct 25 18:49:12 ns dovecot: pop3-login: Error: SSL private key file is password protected, but password isn't given
Oct 25 18:49:12 ns dovecot: pop3-login: Fatal: Couldn't parse private ssl_key: error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read
Oct 25 18:49:12 ns dovecot: master: Error: service(pop3-login): command startup failed, throttling for 60 secs
Oct 25 18:49:16 ns postfix/smtpd[30437]: connect from www4.checktls.com[216.68.85.112]
Oct 25 18:49:17 ns postfix/smtpd[30437]: lost connection after UNKNOWN from www4.checktls.com[216.68.85.112]
Oct 25 18:49:17 ns postfix/cleanup[30461]: 93088330D956: message-id=<20161025164917.93088330D956@mydomain.com>
Oct 25 18:49:17 ns postfix/smtpd[30437]: disconnect from www4.checktls.com[216.68.85.112]
So, how can I make Postfix and Dovecot know the password, or remove the password, or do I have to get the certificate re-issued?
I would prefer a solution to the first option (making them know the password), because it's a new situation for me and I would learn something (perhaps I need to "register" the key's password in some system-wide password pool?).
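Added example, not from the original post: a small POSIX shell script that detects a passphrase-protected PEM key (the condition Dovecot is logging above), writes an unencrypted copy that both daemons can load (Postfix requires smtpd_tls_key_file to be readable without a passphrase, so the key file itself must be unencrypted), and confirms that the rewritten key still carries the same public key as the CSR, which is why the certificate does not need to be re-issued. It assumes the openssl CLI is installed; the file names and the passphrase "secret" are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is
# installed; file names and the passphrase "secret" are constructed here.

# Exit 0 when a PEM file is passphrase protected: either the legacy
# "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block.
key_is_encrypted() {
    grep -qE '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Write an unencrypted copy of key $1 to $2 using passphrase $3.
# The subshell keeps umask 077 local, so the new file is created 0600.
strip_passphrase() {
    ( umask 077; openssl pkey -in "$1" -passin "pass:$3" -out "$2" )
}

# Exit 0 when key $1 and CSR $2 carry the same public key, i.e. the
# certificate issued for that CSR still matches the rewritten key.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# End-to-end run on a constructed key/CSR pair made the same way as in
# the post; prints the path of the usable key and exits 0 on success.
demo() {
    d=$(mktemp -d)
    openssl req -batch -newkey rsa:2048 -keyout "$d/mydomain.key" -out "$d/mydomain.csr" \
        -passout pass:secret -subj "/CN=mail.example.com" >/dev/null 2>&1 || return 1
    key_is_encrypted "$d/mydomain.key" || { echo "expected an encrypted key" >&2; return 1; }
    strip_passphrase "$d/mydomain.key" "$d/mydomain-nopass.key" secret || return 1
    key_is_encrypted "$d/mydomain-nopass.key" && { echo "still encrypted" >&2; return 1; }
    key_matches_csr "$d/mydomain-nopass.key" "$d/mydomain.csr" || { echo "key/CSR mismatch" >&2; return 1; }
    echo "$d/mydomain-nopass.key"
}
```

On the real server, run strip_passphrase on the StartSSL key, point smtpd_tls_key_file and ssl_key at the new file, and restart Postfix and Dovecot; the old protected copy can then be deleted.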