Dovecote.conf feedback

Btw…that’s another thing I’ve noticed. The indenting or lack thereof is not consistent from one line to the next or even from one clause to the next.

The copy/paste above also looks like it’s all on one line even though it’s not because of whatever the non-printable whitespaces were.

However, there’s still other issues. You’ll see the ssl_ca attribute is not correct.

None of this is longer an issue, and for deleted accounts it will automatically remove all entries from Dovecot config. However, your case displays also an old issue when sharing certificates, which is also considered to be fixed.

Also, you’ll see there’s multiple duplicated lines for azzurec.

None of this will be an issue. Try re-requesting LE SSL certificate and see what happens (with applied patches and restarted Webmin).

The copy/paste above also looks like it’s all on one line even though it’s not because of whatever the non-printable whitespaces were.

That is not something I ever seen. It’s most likely incorrectly edited by human.

Ok, so if it’s considered to be fixed, why is it still happening?

Should I remove all local_name clauses from the dovecot.conf before re-requesting LE SSL certs (after updated patches and restarting webmin of course)?

Considering that you have applied the patch correctly, the only reason why it could be happening is completely broken config. However, missing curly brackets should be fixed only manually.

If it’s happening, share the state of dovecot.conf config file before running LE certificate request, I’d like to have a look.

1 Like

Fwiw, the only time any config files have been manually edited is when things started breaking. Normally, I let virtualmin/webmin do the heavy lifting.

I will send the dovecot.conf to info@virtualmin.com so that it’s not attached to the public forum or the public ticket.

Hello all,

Just adding my woes…I’ve been having the same problems and found this thread.

I have a fully updated Pro (Ubuntu 16.04) server that I patched using the curl command above.

I manually edited /etc/dovecot/dovecot.conf:

  • eliminated all duplicates
  • eliminated all “_ca” entries
  • changed all “.cert” entries to “.combined”
  • fixed all indenting
  • fixed all braces
  • verified Postfix and Dovecot would restart perfectly

I then manually renewed the LE SSL cert for one domain:

  • Postfix and Dovecot were still running
  • /etc/dovecot/dovecot.conf had been modified

This was added at the bottom of /etc/dovecot/dovecot.conf:

local_name mydomain.net {
  ssl_cert = </home/parentdomain/domains/mydomain.net/ssl.combined
  ssl_key = </home/parentdomain/domains/mydomain.net/ssl.key
}
local_name *.mydomain.net {
  ssl_cert = </home/parentdomain/domains/mydomain.net/ssl.combined
  ssl_key = </home/parentdomain/domains/mydomain.net/ssl.key
}

Notes:

This stanza was now duplicated:

local_name mydomain.net {
  ssl_cert = </home/parentdomain/domains/mydomain.net/ssl.combined
  ssl_key = </home/parentdomain/domains/mydomain.net/ssl.key
}

A wildcard entry had been added (no wildcard cert had been requested):

local_name *.mydomain.net {
  ssl_cert = </home/parentdomain/domains/mydomain.net/ssl.combined
  ssl_key = </home/parentdomain/domains/mydomain.net/ssl.key
}

I think things are still broken…

This is a serious issue for production systems. My clients are now blaming me for all problems as well.

G

It looks like the patch you mentioned is not in the file at https://raw.githubusercontent.com/virtualmin/virtualmin-gpl/master/feature-ssl.pl ?

Yes, we un-rolled it for searching better solution.

i have run the latest virtualmin updates a few days ago.

Today, i notice that another domain on my system was due for, and completed, an automatic
ssl certificate update.

note the dovecot config file after the update (specifically for “www.rapidhabitat.com.au”)

virtualmin i think has again removed the closing “}” after this domain…after line 110 is where is should be!

image

I am not waiting to see if my server will crap itself, I am going to manually fix this (again)

Please get rid of the ssl_ca lines! I know it’s annoying, we’re working on it, but it’s been known for weeks that the ssl_ca lines are a problem (both for Dovecot and our parser/generator). There is no scenario where the ssl_ca lines should be there. When you fix it manually, you need to get rid of every mention of ssl_ca in those local_name sections.

2 Likes

If there are people who would like to try this new patch and see if it works with having ssl_ca in the block, please do.


The simple way to apply the patch, is to run the following command (from SSH console or in-built Webmin command line), for Debian/Ubuntu:

curl https://raw.githubusercontent.com/virtualmin/virtualmin-gpl/1d7306073f1f002e509ec178d41f0db39d5f2eb6/feature-ssl.pl -o /usr/share/webmin/virtual-server/feature-ssl.pl && systemctl stop webmin && systemctl start webmin

… for RHEL (CentOS/Fedora):

curl https://raw.githubusercontent.com/virtualmin/virtualmin-gpl/1d7306073f1f002e509ec178d41f0db39d5f2eb6/feature-ssl.pl -o /usr/libexec/webmin/virtual-server/feature-ssl.pl && systemctl stop webmin && systemctl start webmin

I’ve removed all the ssl_ca lines. Should I still apply the patch?

Richard

No. It’s only for those who has old config and wants to help and run extra tests, just in case. If you removed ssl_ca directive you don’t even need patch, it won’t fail.

1 Like

Just FYI, I created a new Virtual Server today and obtained an SSL cert with no pain and no damage to dovecot.conf . It did create a wildcard for the new site that I didn’t ask for, but that’s fine.

Richard

the Virtualmin updates are not fixing this on my system…another client domain hosted on my system performed its regular automatic SSL update last night and once again…missing curly bracket “}” after line 149.

image

It appears that any lines containing ‘…/ssl.cert’ are also incorrect. The only lines I believe that should be in there are the .key and .combined lines withiin the local_name clause.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.