Dovecot error: ssl enabled, but ssl_cert not set

I've been trying to get Postfix and Dovecot set up for days and I think I have resolved all problems except for one that just came up. When I try to restart Dovecot I get the following error message:

doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: ssl enabled, but ssl_cert not set
[....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: ssl enabled, but ssl_cert not set

When I check dovecot.conf, there is nothing regarding ssl so I assume the error is referencing the settings in 10-ssl.conf. I noticed that the settings are commented out:

# ssl = no
# ssl_cert = </etc/ssl/dovecot.pem
# ssl_key = </etc/ssl/private/dovecot.pem

I know these were uncommented earlier but if I uncomment now, I get a different error at startup about unexpected value ssl in 10-ssl.conf. From the Dovecot wiki this value must be set even if it is overwritten by a specific protocol elsewhere.

If I leave the ssl values commented out I get the first error message about ssl being enabled but not set.

Earlier I had created a self-signed certificate using OpenSSL and was not receiving any error messages about ssl not being configured. In fact, I was able to log in to pops from another client machine and it gave the usual warning about the certificate being untrusted. I did notice, however, that the cert referenced an incorrect hostname, and this was caused earlier after I rebuilt my VPS and foolishly installed and configured Dovecot with an incorrect hostname being set.

Well I purged all files and reinstalled. I have again deleted all keys and regenerated with OpenSSL a couple times but now I cannot even start Dovecot because of this error. I'm stuck and was wondering how I should approach this. Is it possible that something in Postfix referencing Dovecot is causing this?

Some sites say to check your syntax such as ssl_cert = </etc vs ssl_cert = /etc but this has not made a difference. I would also be happy to just temporarily disable ssl to get around the error, but that fails as well.

Just now I tried to create a symbolic link to the prebuilt keys in /etc/dovecot and /etc/dovecot.pem but I get the same message.


Solution 1:

Old post, however: the error comes from the fact that the main configuration file dovecot.conf needs to have a line "!include conf.d/*.conf" at the end.

Otherwise it won't load the configuration files that you have inside "conf.d/"

I think this is the reason why you are not getting any difference from changing the settings in the config files within "conf.d/"

Also, why would it say SSL is enabled if it has not been set in 10-ssl.conf or dovecot.conf? Where is it being enabled?

That's because the default configuration is ssl = yes. Not having included the 10-ssl.conf file, where you could either deactivate ssl or set the cert file, gives you that result.

Solution 2:

My Dovecot configuration in dovecot/conf.d/10-ssl.conf, which is working on two different servers, is:

ssl = yes
ssl_cert = </path/to/cert.file
ssl_key = </path/to/key.file

I use a certificate authority, so I also have:

ssl_ca = </path/to/ca-bundle.pem

It has been some time since I set the servers up, but I do recall having issues with Dovecot, and I believe they were separate from Postfix.

I'm not sure about the unexpected value error. When you uncommented, did you change ssl = no to ssl = yes? I also know that OpenSSL is a little picky about file permissions. My key file is owned by root:root and has 400 permissions set.
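
The checks from both answers above (the "!include conf.d/*.conf" line from Solution 1; the ssl_cert/ssl_key settings and key file permissions from Solution 2) can be run as one static pre-flight test before restarting Dovecot. This is an added example, not code from the thread or from Dovecot: the function names are hypothetical, it reads only flat top-level settings, and it takes the ssl = yes default from Solution 1.

```shell
#!/bin/sh
# Added example (not from the thread): static pre-flight check of a Dovecot
# config tree. Function names are hypothetical; only flat top-level settings
# are read, and the include is assumed to sit at the end of dovecot.conf.

# Print the last uncommented "name = value" found in the given files.
setting() {
    name=$1; shift
    sed -nE "s/^[[:space:]]*${name}[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*\$/\1/p" \
        "$@" 2>/dev/null | tail -n 1
}

check_dovecot_ssl() {
    dir=$1; main="$dir/dovecot.conf"; rc=0
    set -- "$main"
    # Solution 1: without this line nothing under conf.d/ is read at all.
    if grep -Eq '^[[:space:]]*!include(_try)?[[:space:]]+conf\.d/\*\.conf' "$main"; then
        set -- "$@" "$dir"/conf.d/*.conf
    else
        echo "FAIL: no '!include conf.d/*.conf' in $main; conf.d/ is ignored"; rc=1
    fi
    ssl=$(setting ssl "$@"); ssl=${ssl:-yes}      # default "yes" per Solution 1
    cert=$(setting ssl_cert "$@"); cert=${cert#"<"}
    key=$(setting ssl_key "$@"); key=${key#"<"}
    echo "INFO: effective ssl = $ssl"
    if [ "$ssl" = no ]; then return "$rc"; fi
    if [ -z "$cert" ]; then
        echo "FAIL: ssl enabled, but ssl_cert not set"; rc=1
    elif [ ! -r "$cert" ]; then
        echo "FAIL: ssl_cert file not readable: $cert"; rc=1
    fi
    if [ -z "$key" ] || [ ! -e "$key" ]; then
        echo "FAIL: ssl_key not set or file missing: ${key:-unset}"; rc=1
    elif [ "$(ls -ld -- "$key" | cut -c5-10)" != "------" ]; then
        # Solution 2 keeps the key at mode 400: no group/other permission bits.
        echo "FAIL: ssl_key is accessible to group/other: $key"; rc=1
    fi
    return "$rc"
}

# On a real host: check_dovecot_ssl /etc/dovecot
```

On a live system, doveconf -n prints the non-default settings Dovecot actually loaded, which confirms whether the files under conf.d/ were picked up.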