I checked from my backups, there was only a dovecot.pem (not a dovecot.key file 
there) from 4 years ago:

=> /bin/ls -lt etc/dovecot/private/
total 4
-rw------- 1 me  me  1704 Jun  6  2013 dovecot.pem
=>

What happened with the install is that, without a matching dovecot.key file, 
dovecot cannot start. It's only functional if  *** both ***  dovecot.key and 
dovecot.pem are present, so if at least one of these is missing, the postinstall 
script has to take action, not just when both are missing.

The postinstall script could easily issue a warning if it has to repair a 
partial setup, such as a missing dovecot.key but an existing dovecot.pem.

thanks,
--jack

      From: Apollon Oikonomopoulos <apoi...@debian.org>
 To: JS <jsh...@yahoo.com>; 867...@bugs.debian.org 
 Sent: Monday, July 10, 2017 9:22 AM
 Subject: Re: Bug#867593: dovecot-core 1:2.2.31-1 upgrade does not have valid 
certs in /etc/dovecot/private
   
Hi,

On 01:51 Mon 10 Jul    , JS wrote:
> hello,
> It's possible this is the problem in the post-install script (there was a 
> dovecot.key, only, in the directory, don't know where it came from):
> 
>   # SSL configuration
>   # Use the ssl-cert-snakeoil certificate in the following cases:
>   # - On new installations
>   # - On upgrades from versions that did not enable SSL by default
>   if [ -z "$2" ] || dpkg --compare-versions "$2" lt "1:2.2.31-1~"; then
>     ### only works if  *** both ***  dovecot.key and dovecot.pem are missing
>     if [ ! -e /etc/dovecot/private/dovecot.key ] && \
>        [ ! -e /etc/dovecot/private/dovecot.pem ]; then
>       ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/dovecot/private/dovecot.pem
>       ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/dovecot/private/dovecot.key
>     fi
>   fi
> 
> Perhaps this should have been:
> 
>   if [ ! -e /etc/dovecot/private/dovecot.key ] || [ ! -e /etc/dovecot/private/dovecot.pem ]
>   ### if  *** either ***  dovecot.key OR dovecot.pem missing, create default symlinks
>   then
>     /bin/mv /etc/dovecot/private/dovecot.key /etc/dovecot/private/dovecot.key-OLD 2>/dev/null || true
>     /bin/mv /etc/dovecot/private/dovecot.pem /etc/dovecot/private/dovecot.pem-OLD 2>/dev/null || true
>     # create *** both ***  default symlinks:
>     ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/dovecot/private/dovecot.pem
>     ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/dovecot/private/dovecot.key
>   fi
> 
> thanks,
> --jack

I was trying to be conservative there, to make sure I will never 
overwrite key material that the sysadmin might have created. The mtime 
of dovecot.key would probably help, could you please provide that?

Thanks,
Apollon
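
The check under discussion in this thread, written as an added example (not the dovecot-core postinst and not code from either poster): it links the defaults only when nothing is present and warns on a partial setup without touching existing files. The function names and the directory/target arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the dovecot-core postinst; function names are hypothetical.
# It creates the default symlinks only when nothing is there, and warns on a
# partial setup instead of moving or replacing existing key material.

# present PATH: true if PATH exists as a file or as a (possibly dangling) symlink.
# A bare `[ -e ]` is false for a dangling symlink, yet `ln -s` onto it would fail.
present() { [ -e "$1" ] || [ -L "$1" ]; }

# pair_state DIR: prints none, complete, key-only or cert-only.
pair_state() {
    dir=$1
    if present "$dir/dovecot.key"; then
        if present "$dir/dovecot.pem"; then echo complete; else echo key-only; fi
    else
        if present "$dir/dovecot.pem"; then echo cert-only; else echo none; fi
    fi
}

# setup_default_certs DIR CERT KEY
# Returns 0 when a pair exists or was created, 1 when only one half is present.
setup_default_certs() {
    dir=$1 cert=$2 key=$3
    state=$(pair_state "$dir")
    case $state in
        none)
            ln -s "$cert" "$dir/dovecot.pem" &&
            ln -s "$key" "$dir/dovecot.key"
            ;;
        complete)
            return 0
            ;;
        key-only|cert-only)
            echo "warning: $dir has a partial TLS setup ($state);" \
                 "existing files left untouched, both dovecot.pem and" \
                 "dovecot.key are required" >&2
            return 1
            ;;
    esac
}

# Usage with the paths quoted in this thread:
#   setup_default_certs /etc/dovecot/private \
#       /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key
```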


   
