Home / ubuntu / Questions / 1263950
In Process
Andrew DeFaria
Asked: 2020-08-02 22:37:30 +0800 CST

imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate ee key too mall

  • 772

Upgraded my server to 20.04. Now I can't get IMAP working through dovecot. I get:

Aug  1 23:25:53 defaria dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small: user=<>, rip=184.182.63.133, lip=208.113.131.137, session=<iKgXGN+rCIC4tj+F>

I found many solutions to this problem but none seem to work. I've generated and re-generated server keys, signing certificates, and the like and configured dovecot to look at them yet all I get is this cryptic error message. I had this all configured nicely before and just updating from 18.04 -> 20.04 broke this.

How can I fix this? Step by step... How to I supposed generate a cert and a key and properly configure them into dovecot so that imap works again?

Funny thing is I can drive a session through telnet to imap and I can log in an access messages. But when I try to do the same with my mail client (thunderbird) I get the above error written to /var/log/mail.log

imap dovecot

4 Answers

  1. I needed to add the following to my /etc/dovecot/conf.d/10-ssl.conf file:

    ssl_dh = </usr/share/dovecot/dh.pem

    The dh.pem file did already exist in my case, but YMMV.

    • 12

  2. None of these solutions worked for me, as the /usr/share/dovecot/dh.pem already existed and was the required 4096 bit.

    Turns out the solution was as simple as deleting the /var/lib/dovecot/ssl-parameters.dat file, then restarting dovecot using:

    sudo systemctl restart dovecot
    • 7

  3. The answer to this is that your dh.pem file does not have enough bits.

    Ubuntu provides one in /etc/dovecot and /usr/share/dovecot. The later of the two directories has one of enough bits (4096).

    I think (not tested for now) that you can also generate your own dh.pem file with the following command:

    openssl dhparam -out dh.pem 4096

    Then simply add the line:

    ssl_dh=</your/dir/here/dh.pem

    To /etc/dovecot/conf.d/10-ssl.conf (including the < character before the /)

    • 2

  4. Your issue is similar (but not identical) to these:

    I am not currently running dovecot so I can't test this solution but you should be able to adjust the cipher settings just for dovecot (not system wide) by editing your local dovecot configuration.

    Try adding the following line to /etc/dovecot/conf.d/10-ssl.conf

    ssl_cipher_list = HIGH:!DH:!aNULL

    You can instead try increasing your Diffie-Hellman key length in the SSL settings. Read the dovecot documentation for further info: https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/

    • 0