Control: tags -1 moreinfo

Hi,

On 10:33 Sat 01 Apr, Norbert Preining wrote:
> I get consistent errors when trying to activate SNI for dovecot.
>
> The following configuration works without any problems:
>
> ssl = required
> ssl_cert = </path/to/certificate
> ssl_key = </path/to/privkey
>
> but when I activate SNI:
> ssl = required
> local_name mail.server.com {
>   ssl_cert = </path/to/certificate
>   ssl_key = </path/to/privkey
> }
> I receive the error:
> imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM
> routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
> on login.

This message is a bit misleading; there's nothing wrong with your key,
it's just that dovecot tries to load a global key that is not defined in
your configuration.

When activating SNI, you still need to set a global, default SSL
certificate for use with non-SNI-capable clients. This is poorly
documented at best, but ultimately makes sense.

Local testing confirms that if I specify a local_name section *in
addition* to my global ssl_cert and ssl_key settings, then SNI works as
expected and clients requesting a valid ServerName will get the correct
certificate, while clients requesting either an unknown ServerName or no
ServerName at all will get the default certificate.

If I don't specify a global ssl_cert/key, then I get the same error as you.

Can you please verify that this is the case?

Regards,
Apollon
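
Added example, not part of the original message or of dovecot itself: a small pre-deployment check that flags the situation described above, where local_name blocks set ssl_cert/ssl_key but no global default exists. The parser handles only a simplified subset of the config syntax (an assumption), and the default certificate paths in the second sample are placeholders.

```python
import re

TLS_KEYS = ("ssl_cert", "ssl_key")  # settings that need a global default

# Constructed samples: the failing config from the report, and the same
# block with global defaults added (default paths are placeholders).
BROKEN = """
ssl = required
local_name mail.server.com {
  ssl_cert = </path/to/certificate
  ssl_key = </path/to/privkey
}
"""
WORKING = """
ssl = required
ssl_cert = </path/to/default-certificate
ssl_key = </path/to/default-privkey
""" + BROKEN.replace("ssl = required\n", "")

def check_sni_defaults(conf_text):
    """Return the TLS settings that local_name blocks set but that have
    no global default. Assumes a simplified syntax: one `key = value`,
    `section name {` or `}` per line, `#` comments, no includes."""
    stack = []            # currently open sections
    global_keys = set()   # TLS settings seen at top level
    sni_keys = set()      # TLS settings seen inside local_name blocks
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if stack:
                stack.pop()
        else:
            m = re.match(r"(\w+)\s*=", line)
            if m and m.group(1) in TLS_KEYS:
                if not stack:
                    global_keys.add(m.group(1))
                elif stack[-1].startswith("local_name "):
                    sni_keys.add(m.group(1))
    return [k for k in TLS_KEYS if k in sni_keys and k not in global_keys]

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("working", WORKING)):
        missing = check_sni_defaults(conf)
        print(label, "-> missing global:", ", ".join(missing) or "none")
```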