16

Upgraded my server to 20.04. Now I can't get IMAP working through dovecot. I get:

Aug  1 23:25:53 defaria dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small: user=<>, rip=184.182.63.133, lip=208.113.131.137, session=<iKgXGN+rCIC4tj+F>

I found many solutions to this problem but none seem to work. I've generated and re-generated server keys, signing certificates, and the like and configured dovecot to look at them yet all I get is this cryptic error message. I had this all configured nicely before and just updating from 18.04 -> 20.04 broke this.

How can I fix this? Step by step... How am I supposed to generate a cert and a key and properly configure them in dovecot so that IMAP works again?

Funny thing is I can drive a session through telnet to imap and I can log in and access messages. But when I try to do the same with my mail client (Thunderbird) I get the above error written to /var/log/mail.log

Zanna
  • 72,312

5 Answers

17

None of these solutions worked for me, as the /usr/share/dovecot/dh.pem already existed and was the required 4096 bit.

Turns out the solution was as simple as deleting the /var/lib/dovecot/ssl-parameters.dat file, then restarting dovecot using:

sudo systemctl restart dovecot
15

I needed to add the following to my /etc/dovecot/conf.d/10-ssl.conf file:

ssl_dh = </usr/share/dovecot/dh.pem

The dh.pem file did already exist in my case, but YMMV.

Chris
  • 151
4

The answer to this is that your dh.pem file does not have enough bits.

Ubuntu provides one in /etc/dovecot and /usr/share/dovecot. The latter of the two directories has one of enough bits (4096).

I think (not tested for now) that you can also generate your own dh.pem file with the following command:

openssl dhparam -out dh.pem 4096

Then simply add the line:

ssl_dh=</your/dir/here/dh.pem

To /etc/dovecot/conf.d/10-ssl.conf (including the < character before the /)

Zanna
  • 72,312
0

Your issue is similar (but not identical) to these:

I am not currently running dovecot so I can't test this solution but you should be able to adjust the cipher settings just for dovecot (not system wide) by editing your local dovecot configuration.

Try adding the following line to /etc/dovecot/conf.d/10-ssl.conf

ssl_cipher_list = HIGH:!DH:!aNULL

You can instead try increasing your Diffie-Hellman key length in the SSL settings. Read the dovecot documentation for further info: https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/

Zanna
  • 72,312
moo
  • 966
0

This can also be caused, not just by an ancient ssl_dh, but also by an ancient ssl_cert or ssl_key. In my case these were

ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem

which were both from 2014. Changing to letsencrypt certs fixed this for me:

ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem

Where you have those certs installed for your example.com site.
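Both the dh.pem answer and the old ssl_cert/ssl_key answer above come down to the same check: which files 10-ssl.conf actually points at, and how many bits each of them carries, since Ubuntu 20.04's OpenSSL defaults (security level 2) reject RSA keys and DH primes below 2048 bits. The script below is an added example, not part of any answer on this page and not dovecot's own tooling; it reads the `ssl_dh`/`ssl_cert`/`ssl_key` settings (with their `<path` file indirection), measures the DH prime or RSA modulus with a minimal stdlib DER parser, and flags anything under 2048 bits. The configuration text, file paths and PEM blobs it runs on are constructed in memory so it works offline; `MIN_BITS`, `audit`, `make_dh_pem` and `make_rsa_pem` are names chosen here, not dovecot or OpenSSL identifiers.

```python
"""Audit the key sizes referenced by dovecot's 10-ssl.conf (added example, stdlib only)."""
import base64
import re

# OpenSSL security level 2 (Ubuntu 20.04's default) refuses RSA/DH below 2048 bits;
# that is what "ee key too small" / "dh key too small" are reporting.
MIN_BITS = 2048


def parse_ssl_conf(text):
    """Map ssl_dh/ssl_cert/ssl_key to the file each points at via dovecot's '<path' syntax."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        m = re.match(r"^(ssl_dh|ssl_cert|ssl_key)\s*=\s*<\s*(\S+)$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def _der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _pem_to_der(pem, label):
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem, re.S)
    return base64.b64decode("".join(m.group(1).split())) if m else None


def key_bits(pem):
    """Bit length of the DH prime p or the RSA modulus n in a PEM blob; None if unsupported."""
    der = _pem_to_der(pem, "DH PARAMETERS")
    if der is not None:                                # SEQUENCE { p INTEGER, g INTEGER }
        _, seq, _ = _der_tlv(der, 0)
        _, p, _ = _der_tlv(seq, 0)
        return int.from_bytes(p, "big").bit_length()
    der = _pem_to_der(pem, "RSA PRIVATE KEY")
    if der is not None:                                # SEQUENCE { version, n, e, d, ... }
        _, seq, _ = _der_tlv(der, 0)
        _, _, after_version = _der_tlv(seq, 0)
        _, n, _ = _der_tlv(seq, after_version)
        return int.from_bytes(n, "big").bit_length()
    return None                                        # e.g. CERTIFICATE: use openssl x509 for those


def audit(conf_text, read_file):
    """Return {setting: (path, bits, ok)}. read_file(path) supplies the PEM text, so the
    same check runs on real files (lambda p: open(p).read()) or on the samples below."""
    report = {}
    for setting, path in parse_ssl_conf(conf_text).items():
        bits = key_bits(read_file(path))
        report[setting] = (path, bits, bits is not None and bits >= MIN_BITS)
    return report


# --- constructed sample data (NOT real keys) so the audit can run offline -------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n):
    b = n.to_bytes(n.bit_length() // 8 + 1, "big")     # spare byte keeps the sign bit clear
    return b"\x02" + _der_len(len(b)) + b


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def make_dh_pem(bits):
    """DH PARAMETERS whose p has the requested size (constructed, not a safe prime)."""
    body = _der_int((1 << (bits - 1)) | 1) + _der_int(2)
    return _pem("DH PARAMETERS", b"\x30" + _der_len(len(body)) + body)


def make_rsa_pem(bits):
    """RSA PRIVATE KEY whose n has the requested size; the other fields are dummies."""
    fields = [0, (1 << (bits - 1)) | 1, 65537] + [3] * 6
    body = b"".join(_der_int(f) for f in fields)
    return _pem("RSA PRIVATE KEY", b"\x30" + _der_len(len(body)) + body)


SAMPLE_CONF = """\
ssl = required
ssl_cert = </etc/dovecot/dovecot.pem          # certificates are not sized by this script
ssl_key = </etc/dovecot/private/dovecot.pem
ssl_dh = </etc/dovecot/dh.pem
"""

SAMPLE_FILES = {                                         # constructed stand-ins for the paths
    "/etc/dovecot/dh.pem": make_dh_pem(1024),            # too small, like the old stock file
    "/usr/share/dovecot/dh.pem": make_dh_pem(4096),      # the 4096-bit one the answers point at
    "/etc/dovecot/private/dovecot.pem": make_rsa_pem(1024),
    "/etc/dovecot/dovecot.pem": "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n",
}


def run_sample():
    return audit(SAMPLE_CONF, SAMPLE_FILES.__getitem__)


if __name__ == "__main__":
    for setting, (path, bits, ok) in run_sample().items():
        print("%-8s %-40s %s" % (setting, path, "OK" if ok else "TOO SMALL/UNKNOWN (%s)" % bits))
```

On a real host, call `audit(open("/etc/dovecot/conf.d/10-ssl.conf").read(), lambda p: open(p).read())` as root. Certificates are reported as unknown on purpose; the public key size inside one is easiest to read with `openssl x509 -in cert.pem -noout -text`, and `openssl dhparam -in dh.pem -noout -text` cross-checks the DH size this script computes.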