On my CentOS 7 system I am trying to run dovecot with TLS required. For that, I created my private key and certificate in
[root@homeserver /]# ls -lZ indernet/cert/homeserver.*
-r--r--r--. root certuser system_u:object_r:default_t:s0 indernet/cert/homeserver.crt
-r--r-----. root certuser system_u:object_r:default_t:s0 indernet/cert/homeserver.key
[root@homeserver /]#
To make dovecot actually load the files I ensured /etc/dovecot/conf.d/10-ssl.conf contains these lines:
ssl=required
ssl_key=</indernet/cert/homeserver.key
ssl_cert=</indernet/cert/homeserver.crt
The problematic part: Dovecot cannot start up, it fails with this error:
dovecot: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 14: ssl_key: Can't open file /indernet/cert/homeserver.key: Permission denied
I tried to modify the certificate's and key's file permissions (this should not be required according to https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/), even to 777, and nothing changes. Someone suggested to me that it might be SELinux preventing the access, and I configured unconfined_u:object_r:default_t:s0 as well as system_u:object_r:default_t:s0, as you can see above. No change.
Now the surprising part: I got very curious and edited /usr/lib/systemd/system/dovecot.service to contain
ExecStart=/bin/strace /usr/sbin/dovecot
and then in /var/log/messages I could see the cert and key getting accessed and loaded. And dovecot works. But when I remove the strace again, I am left with the same problem.
What may be going on here?
The keys cannot be read because SELinux has denied access to them.
To fix the problem, copy (using cp or mv -Z) the keys to a directory where SELinux expects TLS keys and certificates to be stored, i.e. /etc/pki/tls and its subdirectories. The new files will have the correct SELinux contexts if you used cp or mv -Z. Then update the files' locations in your Dovecot configuration.