Control: tags -1 moreinfo
Hi,
On 12:11 Fri 07 Jul , js wrote:
> * What led up to the situation?
> During the upgrade from 1:2.2.27-3 to 1:2.2.31-1, the post-install script
> produced the message
> below and dovecot was not functional anymore:
>
> Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error in
> configuration file /etc/dovecot/conf.d/10-ssl.conf line 13:
> ssl_key: Can't open file /etc/dovecot/private/dovecot.key: No such file or
> directory
> failed!
>
Thanks for the report!
It looks a bit odd to me, because dovecot-core's postinst should have
created /etc/dovecot/private/dovecot.{pem,key} when upgrading from
2.2.27-3 (or any version prior to 2.2.31-1 for that matter). I'll try to
reproduce this, although I tested the upgrade from 2.2.27-3 before
uploading, so any additional information would help.
Regards,
Apollon
>
> * What exactly did you do (or not do) that was effective (or ineffective)?
> To fix this, I changed /etc/dovecot/conf.d/10-ssl.conf with the lines:
>
> # create symlinks in /etc/dovecot/private to default certificates:
> ## ssl-cert-snakeoil.key -> /etc/ssl/private/ssl-cert-snakeoil.key
> ## ssl-cert-snakeoil.pem -> /etc/ssl/certs/ssl-cert-snakeoil.pem
>
> ssl_cert = </etc/dovecot/private/ssl-cert-snakeoil.pem
> ssl_key = </etc/dovecot/private/ssl-cert-snakeoil.key
>
>
> I think it is a serious packaging problem when an upgrade to a working
> dovecot version fails
> because now TLS is enabled by default but default certs are not installed.
> dovecot-core should
> check it there are valid certificates in /etc/dovecot/private matching
> 10-ssl.conf and, failing
> that, create symlinks similar to the above, so that a plain upgrade from
> a working dovecot version results in a working dovecot again.
>
> ==================================================================================================
>
>
>
> -- Package-specific info:
>
> dovecot configuration
> ---------------------
> # 2.2.31 (65cde28): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.19 (e5c7051)
> # OS: Linux 4.7.0-1-686-pae i686 Debian 9.0
> default_vsz_limit = 2560 M
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character
> vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
> copy include variables body enotify environment mailbox date index ihave
> duplicate mime foreverypart extracttext
> namespace inbox {
> inbox = yes
> location =
> mailbox Drafts {
> special_use = \Drafts
> }
> mailbox Junk {
> special_use = \Junk
> }
> mailbox Sent {
> special_use = \Sent
> }
> mailbox "Sent Messages" {
> special_use = \Sent
> }
> mailbox Trash {
> special_use = \Trash
> }
> prefix =
> }
> passdb {
> driver = pam
> }
> plugin {
> sieve = file:~/sieve;active=~/.dovecot.sieve
> }
> protocols = " imap lmtp sieve pop3"
> ssl_cert = </etc/dovecot/private/ssl-cert-snakeoil.pem
> ssl_client_ca_dir = /etc/ssl/certs
> ssl_key = # hidden, use -P to show it
> userdb {
> driver = passwd
> }
>
> -- System Information:
> Debian Release: 9.0
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: i386 (i686)
>
> Kernel: Linux 4.7.0-1-686-pae (SMP w/6 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)
>
> Versions of packages dovecot-core depends on:
> ii adduser 3.115
> ii init-system-helpers 1.48
> ii libbz2-1.0 1.0.6-8.1
> ii libc6 2.24-5
> ii libexttextcat-2.0-0 3.4.4-2+b1
> ii liblz4-1 0.0~r131-2+b1
> ii liblzma5 5.2.2-1.2+b1
> ii libpam-runtime 1.1.8-3.5
> ii libpam0g 1.1.8-3.5
> ii libssl1.1 1.1.0f-3
> ii libstemmer0d 0+svn585-1+b2
> ii libwrap0 7.6.q-26
> ii lsb-base 9.20161125
> ii openssl 1.1.0f-3
> ii ssl-cert 1.0.39
> ii ucf 3.0036
> ii zlib1g 1:1.2.8.dfsg-5
>
> dovecot-core recommends no packages.
>
> Versions of packages dovecot-core suggests:
> ii dovecot-gssapi 1:2.2.31-1
> ii dovecot-imapd 1:2.2.31-1
> ii dovecot-ldap 1:2.2.31-1
> ii dovecot-lmtpd 1:2.2.31-1
> pn dovecot-lucene <none>
> ii dovecot-managesieved 1:2.2.31-1
> ii dovecot-mysql 1:2.2.31-1
> ii dovecot-pgsql 1:2.2.31-1
> ii dovecot-pop3d 1:2.2.31-1
> ii dovecot-sieve 1:2.2.31-1
> ii dovecot-solr 1:2.2.31-1
> ii dovecot-sqlite 1:2.2.31-1
> pn ntp <none>
>
> Versions of packages dovecot-core is related to:
> ii dovecot-core [dovecot-common] 1:2.2.31-1
> pn dovecot-dbg <none>
> ii dovecot-dev 1:2.2.31-1
> ii dovecot-gssapi 1:2.2.31-1
> ii dovecot-imapd 1:2.2.31-1
> ii dovecot-ldap 1:2.2.31-1
> ii dovecot-lmtpd 1:2.2.31-1
> ii dovecot-managesieved 1:2.2.31-1
> ii dovecot-mysql 1:2.2.31-1
> ii dovecot-pgsql 1:2.2.31-1
> ii dovecot-pop3d 1:2.2.31-1
> ii dovecot-sieve 1:2.2.31-1
> ii dovecot-sqlite 1:2.2.31-1
>
> -- Configuration Files:
> /etc/init.d/dovecot changed:
> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
> DESC="IMAP/POP3 mail server"
> NAME=dovecot
> DAEMON=/usr/sbin/dovecot
> DAEMON_ARGS=""
> SCRIPTNAME=/etc/init.d/$NAME
> CONF=/etc/dovecot/${NAME}.conf
> NICE="-N 8"
> [ -r /etc/default/$NAME ] && . /etc/default/$NAME
> [ -x "$DAEMON" ] || exit 0
> [ -f "$CONF" ] || exit 0
> [ "$ENABLED" != "0" ] || exit 0
> [ "$ALLOW_COREDUMPS" != "1" ] || ulimit -c unlimited
> . /lib/lsb/init-functions
> if [ ! -r ${CONF} ]; then
> log_daemon_msg "${CONF}: not readable" "$NAME" && log_end_msg 1;
> exit 1;
> fi
> if [ -f /etc/inetd.conf ]; then
> # The init script should do nothing if dovecot or another imap/pop3 server
> # is being run from inetd, and dovecot is configured to run as an imap or
> # pop3 service
> for p in `sed -r "s/^ *(([^:]+|\[[^]]+]|\*):)?(pop3s?|imaps?)[
> \t].*/\3/;t;d" \
> /etc/inetd.conf`
> do
> for q in `doveconf -n -h protocols`
> do
> if [ $p = $q ]; then
> log_daemon_msg "protocol ${p} configured both in inetd and in
> dovecot" "$NAME" && log_end_msg 1
> exit 0
> fi
> done
> done
> fi
> PIDBASE=${PIDBASE:-`doveconf -n -c ${CONF} -h base_dir`}
> PIDFILE=${PIDBASE:-/var/run/dovecot}/master.pid
> do_start()
> {
> # Return
> # 0 if daemon has been started
> # 1 if daemon was already running
> # 2 if daemon could not be started
> start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON $NICE
> --test -- -c ${CONF} > /dev/null \
> || return 1
> start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON $NICE
> -- -c ${CONF} \
> $DAEMON_ARGS \
> || return 2
> }
> do_stop()
> {
> # Return
> # 0 if daemon has been stopped
> # 1 if daemon was already stopped
> # 2 if daemon could not be stopped
> # other if a failure occurred
> start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile
> $PIDFILE --name ${DAEMON##*/}
> RETVAL="$?"
> [ "$RETVAL" = 2 ] && return 2
> # Wait for children to finish too if this is a daemon that forks
> # and if the daemon is only ever run from this initscript.
> # If the above conditions are not satisfied then add some other code
> # that waits for the process to drop all resources that could be
> # needed by services started subsequently. A last resort is to
> # sleep for some time.
> start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --pidfile
> $PIDFILE --name ${DAEMON##*/}
> [ "$?" = 2 ] && return 2
> # Many daemons don't delete their pidfiles when they exit.
> rm -f $PIDFILE
> return "$RETVAL"
> }
> do_reload() {
> #
> # If the daemon can reload its configuration without
> # restarting (for example, when it is sent a SIGHUP),
> # then implement that here.
> #
> start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE $NICE
> --name $NAME
> return 0
> }
> case "$1" in
> start)
> log_daemon_msg "Starting $DESC" "$NAME"
> do_start
> case "$?" in
> 0|1) log_end_msg 0 ;;
> 2) log_end_msg 1 ;;
> esac
> ;;
> stop)
> log_daemon_msg "Stopping $DESC" "$NAME"
> do_stop
> case "$?" in
> 0|1) log_end_msg 0 ;;
> 2) log_end_msg 1 ;;
> esac
> ;;
> reload|force-reload)
> log_daemon_msg "Reloading $DESC" "$NAME"
> do_reload
> log_end_msg $?
> ;;
> restart)
> #
> # If the "reload" option is implemented then remove the
> # 'force-reload' alias
> #
> log_daemon_msg "Restarting $DESC" "$NAME"
> do_stop
> case "$?" in
> 0|1)
> do_start
> case "$?" in
> 0) log_end_msg 0 ;;
> 1) log_end_msg 1 ;; # Old process is still running
> *) log_end_msg 1 ;; # Failed to start
> esac
> ;;
> *)
> # Failed to stop
> log_end_msg 1
> ;;
> esac
> ;;
> status)
> status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
> ;;
> *)
> echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
> exit 3
> ;;
> esac
>
>
> -- debconf information:
> dovecot-core/create-ssl-cert: false
> dovecot-core/ssl-cert-name: localhost
> dovecot-core/ssl-cert-exists:
