Dovecot can't use the SSL certificates made from within Virtualmin

SYSTEM INFORMATION
OS type and version: Debian 12 (kernel 6.1.153-1 (2025-09-20) x86_64)
Webmin version: Webmin 2.510
Virtualmin version: Virtualmin 7.40.1
Webserver version: Apache 2.4.65
Related packages: Dovecot 2.3.19.1

I created 11 domains in Virtualmin:
7 of them have web services + email
4 have only web services

All have valid SSL certificates from Let's Encrypt and host websites, some databases, WordPress, Nextcloud and Bitwarden.
=> so far so good :smiley:

The only thing I cannot get to work is MAIL via Dovecot.
My dovecot.conf correctly defines the local_names for all my domains and declares the SSL certificates and keys for each.


  1. The config WAS corrupted as described in the forum post (https://forum.virtualmin.com/t/dovecot-conf-duplicate-entries-after-line-3475-on-220-domain-server/135374) even though I am on a fresh install! I deleted the offending duplicated lines, so now Dovecot starts without warning.
    (see dovecot -n output)
output:
debian@ns3119878:~$ dovecot -n
# 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 6.1.0-40-amd64 x86_64 Debian 12.12
# Hostname: ns3119878.ip-51-38-181.eu
auth_mechanisms = plain login
disable_plaintext_auth = no
mail_location = maildir:~/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = imap
ssl = required
ssl_cert = </etc/ssl/virtualmin/175899436572261/ssl.combined
ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
local_name ns3119878.ip-51-38-181.eu {
   ssl_cert = </etc/ssl/virtualmin/175897603948843/ssl.combined
   ssl_key = </etc/ssl/virtualmin/175897603948843/ssl.key
}
local_name *.ns3119878.ip-51-38-181.eu {
   ssl_cert = </etc/ssl/virtualmin/175897603948843/ssl.combined
   ssl_key = </etc/ssl/virtualmin/175897603948843/ssl.key
}
local_name balve-mellen.de {
  ssl_cert = </etc/ssl/virtualmin/175899436572261/ssl.combined
  ssl_key = </etc/ssl/virtualmin/175899436572261/ssl.key
}
local_name *.balve-mellen.de {
   ssl_cert = </etc/ssl/virtualmin/175899436572261/ssl.combined
   ssl_key = </etc/ssl/virtualmin/175899436572261/ssl.key
}
local_name weselfilme.de {
  ssl_cert = </etc/ssl/virtualmin/175899658287528/ssl.combined
  ssl_key = </etc/ssl/virtualmin/175899658287528/ssl.key
}
local_name *.weselfilme.de {
  ssl_cert = </etc/ssl/virtualmin/175899658287528/ssl.combined
  ssl_key = </etc/ssl/virtualmin/175899658287528/ssl.key
}
local_name *.cloud.roesrath-kleineichen.de {
  ssl_cert = </etc/ssl/virtualmin/175899770596705/ssl.combined
  ssl_key = </etc/ssl/virtualmin/175899770596705/ssl.key
}
local_name cloud.roesrath-kleineichen.de {
  ssl_cert = </etc/ssl/virtualmin/175899770596705/ssl.combined
  ssl_key = </etc/ssl/virtualmin/175899770596705/ssl.key
}
local_name *.vault.roesrath-kleineichen.de {
  ssl_cert = </etc/ssl/virtualmin/175899770596705/ssl.combined
  ssl_key = </etc/ssl/virtualmin/175899770596705/ssl.key
}
local_name vault.roesrath-kleineichen.de {
  ssl_cert = </etc/ssl/virtualmin/175899770596705/ssl.combined
  ssl_key = </etc/ssl/virtualmin/175899770596705/ssl.key
}
local_name roesrath-kleineichen.de {
  ssl_cert = </etc/ssl/virtualmin/175899770596705/ssl.combined
  ssl_key = </etc/ssl/virtualmin/175899770596705/ssl.key
}
local_name *.roesrath-kleineichen.de {
  ssl_cert = </etc/ssl/virtualmin/175899770596705/ssl.combined
  ssl_key = </etc/ssl/virtualmin/175899770596705/ssl.key
}
local_name wesel-lackhausen.de {
  ssl_cert = </etc/ssl/virtualmin/1758998113101183/ssl.combined
  ssl_key = </etc/ssl/virtualmin/1758998113101183/ssl.key
}
local_name *.wesel-lackhausen.de {
  ssl_cert = </etc/ssl/virtualmin/1758998113101183/ssl.combined
  ssl_key = </etc/ssl/virtualmin/1758998113101183/ssl.key
}
local_name rueth.online {
  ssl_cert = </etc/ssl/virtualmin/1759001099121642/ssl.combined
  ssl_key = </etc/ssl/virtualmin/1759001099121642/ssl.key
}
local_name *.rueth.online {
  ssl_cert = </etc/ssl/virtualmin/1759001099121642/ssl.combined
  ssl_key = </etc/ssl/virtualmin/1759001099121642/ssl.key
}
local_name kadavrik.com {
  ssl_cert = </etc/ssl/virtualmin/1759001494126229/ssl.combined
  ssl_key = </etc/ssl/virtualmin/1759001494126229/ssl.key
}
local_name *.kadavrik.com {
  ssl_cert = </etc/ssl/virtualmin/1759001494126229/ssl.combined
  ssl_key = </etc/ssl/virtualmin/1759001494126229/ssl.key
}
local_name *.maria.pich.info {
  ssl_cert = </etc/ssl/virtualmin/1759001812129403/ssl.combined
  ssl_key = </etc/ssl/virtualmin/1759001812129403/ssl.key
}
local_name maria.pich.info {
  ssl_cert = </etc/ssl/virtualmin/1759001812129403/ssl.combined
  ssl_key = </etc/ssl/virtualmin/1759001812129403/ssl.key
}
local_name *.dominik.pich.info {
  ssl_cert = </etc/ssl/virtualmin/1759001812129403/ssl.combined
  ssl_key = </etc/ssl/virtualmin/1759001812129403/ssl.key
}
local_name dominik.pich.info {
  ssl_cert = </etc/ssl/virtualmin/1759001812129403/ssl.combined
  ssl_key = </etc/ssl/virtualmin/1759001812129403/ssl.key
}
local_name pich.info {
  ssl_cert = </etc/ssl/virtualmin/1759001812129403/ssl.combined
  ssl_key = </etc/ssl/virtualmin/1759001812129403/ssl.key
}
local_name *.pich.info {
  ssl_cert = </etc/ssl/virtualmin/1759001812129403/ssl.combined
  ssl_key = </etc/ssl/virtualmin/1759001812129403/ssl.key
}
  2. Now that Dovecot starts fine, I had high hopes, but connecting to it shows it has no SSL certificate to offer
    (see openssl s_client -connect pich.info:993 -crlf output)
    Note that I also tried sudo openssl s_client -connect 127.0.0.1:993 -servername mail.pich.info -showcerts ... same result.
output:
openssl s_client -connect mail.pich.info:993 -crlf -showcerts
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

=> looking at journalctl, Dovecot logs the error:
dovecot[3027117]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL private key (ssl_key setting): Key is for a different cert than ssl_cert: user=<>, rip=51.38.181.35, lip=51.38.181.35, secured, session=<5ZnRLPtA2r8zJrUj>

From all I can Google, it should be a mismatch between the certificate and the key, but if I check the MD5s of my pich.info key/cert, all looks good:

debian@ns3119878:~$ sudo openssl x509 -noout -modulus -in /etc/ssl/virtualmin/1759001812129403/ssl.combined | openssl md5
MD5(stdin)= 80b63cffdd0bbfd613a246f84fca2e6f
debian@ns3119878:~$ sudo openssl rsa -noout -modulus -in /etc/ssl/virtualmin/1759001812129403/ssl.key | openssl md5
MD5(stdin)= 80b63cffdd0bbfd613a246f84fca2e6f

What I found and think is that MAYBE Dovecot can't read them because the group is wrong?

debian@ns3119878:~$ sudo ls -l /etc/ssl/virtualmin/1759001812129403/
total 24
-rw------- 1 root root 1801 Oct  3 15:15 ssl.ca
-rw------- 1 root root 1911 Oct  3 15:15 ssl.cert
-rw------- 1 root root 3714 Oct  3 15:50 ssl.combined
-rw------- 1 root root 5419 Oct  3 15:50 ssl.everything
-rw------- 1 root root 1704 Oct  3 15:15 ssl.key

But I don't know if that's an issue, as the main process is root:

debian@ns3119878:~$ ps -eo pid,user,group,comm | grep dovecot
3103283 root     root     dovecot
3103286 dovecot  dovecot  anvil
3103314 dovecot  dovecot  stats

So... what's wrong, and why doesn't mail in a fresh install of Virtualmin work right? :smiley: What did I mess up? I'm hesitant to change more config files :smiley:
The SSL cert works everywhere, after all.

Do I maybe need to split out info?
Dovecot does seem picky about the content and order here: Dovecot SSL configuration — Dovecot documentation

Or maybe we have to fix the format, and Virtualmin writes the wrong one, like shown here?


Cert creation times are different. You probably recreated certs or retried with extra subdomains or … (?). But something went wrong.
Key was issued at 15:15.
Cert was issued at 15:50.
So probably a different/wrong pair.

Wanted to post, but the post was marked as spam.

I solved it.
All key pairs are correct (despite the timestamps, @dimitrist) BUT one.

In addition to the per-domain overrides, Dovecot wants the generic key to be correct too, and Virtualmin kind of messed up the configuration in 10-ssl.conf and set the wrong key pair. So once I fixed it, all works, including the overrides!

/etc/ssl/virtualmin/175899436572261/ssl.combined
/etc/ssl/virtualmin/175897603948843/ssl.key

=>

/etc/ssl/virtualmin/175899436572261/ssl.combined
/etc/ssl/virtualmin/175899436572261/ssl.key
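A check that automates both the by-hand modulus comparison earlier in the thread and the finding that the global ssl_cert/ssl_key pair matters as much as the local_name overrides, added here as an example and not code from the thread or from Virtualmin: it parses `dovecot -n -P` output, walks the global pair and every local_name override, and compares public keys with openssl, which (unlike hashing the RSA modulus) also works for ECDSA certificates. The sample config and its directory names are constructed placeholders.

```python
import re
import subprocess
from pathlib import Path
# Constructed excerpt in the shape of `dovecot -n -P` output as Virtualmin writes it: a global pair
# deliberately drawn from two different directories (the fault found in this thread) plus one override.
SAMPLE_CONF = """\
ssl_cert = </etc/ssl/virtualmin/AAA/ssl.combined
ssl_key = </etc/ssl/virtualmin/BBB/ssl.key
local_name mail.example.org {
  ssl_cert = </etc/ssl/virtualmin/CCC/ssl.combined
  ssl_key = </etc/ssl/virtualmin/CCC/ssl.key
}
"""

def parse_pairs(conf_text):
    """Return [(scope, cert_path, key_path)]; scope is 'global' or the local_name value."""
    scopes, scope = {"global": {}}, "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        block = re.match(r"local_name\s+(\S+)\s*\{", line)
        setting = re.match(r"(ssl_cert|ssl_key)\s*=\s*<(\S+)", line)
        if block:
            scope = block.group(1)
            scopes[scope] = {}
        elif line == "}":
            scope = "global"  # ssl_* settings occur only at top level or directly inside local_name
        elif setting:
            scopes[scope][setting.group(1)] = setting.group(2)
    return [(s, d.get("ssl_cert"), d.get("ssl_key")) for s, d in scopes.items()]

def pubkey_pem(path, is_private_key):
    """SPKI PEM of a private key, or of the first cert in a (combined) file; RSA and ECDSA alike."""
    tool = ["pkey", "-pubout"] if is_private_key else ["x509", "-pubkey", "-noout"]
    run = subprocess.run(["openssl", *tool, "-in", path], capture_output=True, text=True)
    return run.stdout if run.returncode == 0 else None

def check_pairs(conf_text):
    """Verdict per scope: files on disk are compared via openssl; for paths that do not exist,
    'dir-mismatch' flags a cert and key drawn from different directories (this thread's fault)."""
    verdicts = {}
    for scope, cert, key in parse_pairs(conf_text):
        if not cert or not key:
            verdicts[scope] = "incomplete"  # e.g. key hidden by plain `dovecot -n`; rerun with -P
        elif Path(cert).is_file() and Path(key).is_file():
            a, b = pubkey_pem(cert, False), pubkey_pem(key, True)
            verdicts[scope] = "match" if a and a == b else "mismatch"
        else:
            verdicts[scope] = "dir-mismatch" if Path(cert).parent != Path(key).parent else "unverified"
    return verdicts
```

Against a live server run it as root (the key files are mode 0600) with `check_pairs(subprocess.check_output(["dovecot", "-n", "-P"], text=True))`; a "mismatch" or "dir-mismatch" on the global scope is the pattern corrected at the end of this thread.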
