Submitted by dlynes on Mon, 08/03/2020 - 11:18 Pro Licensee
I created a ticket on this a couple of days ago, but can't seem to find it now.
What seems to be happening is that whenever a letsencrypt SSL certificate is renewed, the SSL certificate section of dovecot.conf is getting corrupted.
Up until yesterday (happened three times), it was missing the closing brace for one or more local_name clauses in the dovecot.conf file.
However, last night it was much worse. It's missing closing braces, opening braces, and even local_name declarations.
Status:
Needs work
Comments
Hi,
Did all of that happen while running Virtualmin 6.10 or 6.11?
Submitted by dlynes on Mon, 08/03/2020 - 16:59 Pro Licensee Comment #2
6.10.
Saw 6.11 was available this morning. Have upgraded to it already and am hoping that it fixes the problem.
What does your /etc/dovecot/dovecot.conf look like at the moment?
Submitted by toli on Wed, 08/05/2020 - 13:37 Pro Licensee Comment #4
For me the problem occurs again.
My host is Debian 9 with the latest Virtualmin.
The Dovecot config is corrupted after these lines in syslog:
.................
Aug 5 19:16:02 host6 systemd[1]: Started User Manager for UID 1221.
Aug 5 19:16:02 host6 systemd[1]: Stopping User Manager for UID 1221...
Aug 5 19:16:02 host6 systemd[3413]: Failed to enqueue exit.target job: Access denied
Aug 5 19:16:02 host6 systemd[1]: Stopped User Manager for UID 1221.
Aug 5 19:16:02 host6 systemd[1]: Removed slice User Slice of avantura.
Aug 5 19:16:02 host6 systemd[1]: Created slice User Slice of avantura.
Aug 5 19:16:02 host6 systemd[1]: Starting User Manager for UID 1221...
Aug 5 19:16:02 host6 systemd[1]: Started Session c293514 of user avantura.
Aug 5 19:16:02 host6 systemd[3425]: Reached target Timers.
Aug 5 19:16:02 host6 systemd[3425]: gpg-agent-browser.socket: Socket service gpg-agent.service not loaded, refusing.
Aug 5 19:16:02 host6 systemd[3425]: Failed to listen on GnuPG cryptographic agent (access for web browsers).
Aug 5 19:16:02 host6 systemd[3425]: gpg-agent-ssh.socket: Socket service gpg-agent.service not loaded, refusing.
Aug 5 19:16:02 host6 systemd[3425]: Failed to listen on GnuPG cryptographic agent (ssh-agent emulation).
Aug 5 19:16:02 host6 systemd[3425]: gpg-agent.socket: Socket service gpg-agent.service not loaded, refusing.
Aug 5 19:16:02 host6 systemd[3425]: Failed to listen on GnuPG cryptographic agent and passphrase cache.
Aug 5 19:16:02 host6 systemd[3425]: Reached target Paths.
Aug 5 19:16:02 host6 systemd[3425]: gpg-agent-extra.socket: Socket service gpg-agent.service not loaded, refusing.
Aug 5 19:16:02 host6 systemd[3425]: Failed to listen on GnuPG cryptographic agent and passphrase cache (restricted).
Aug 5 19:16:02 host6 systemd[3425]: Reached target Sockets.
Aug 5 19:16:02 host6 systemd[3425]: Reached target Basic System.
Aug 5 19:16:02 host6 systemd[3425]: Reached target Default.
Aug 5 19:16:02 host6 systemd[3425]: Startup finished in 26ms.
Aug 5 19:16:02 host6 systemd[1]: Started User Manager for UID 1221.
Aug 5 19:16:02 host6 systemd[1]: Stopping User Manager for UID 1221...
Aug 5 19:16:02 host6 systemd[3425]: Failed to enqueue exit.target job: Access denied
Aug 5 19:16:02 host6 systemd[1]: Stopped User Manager for UID 1221.
Aug 5 19:16:02 host6 systemd[1]: Removed slice User Slice of avantura.
Aug 5 19:16:23 host6 dovecot: config: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: Missing '}' (section started at /etc/dovecot/dovecot.conf:149)
Aug 5 19:16:23 host6 dovecot: master: Error: service(config): command startup failed, throttling for 2 secs
.................................
When certbot is running to renew certs, all was ok.
Here is the fix:
https://forum.virtualmin.com/t/dovecote-conf-feedback/106946/19?u=ilia
Submitted by adamjedgar on Thu, 08/06/2020 - 16:44 Pro Licensee Comment #6
Can I also weigh in on this, I am having the exact same issues. Twice in the last few weeks SSL updates for client domains have corrupted this file and taken my dovecot services offline.
Here is an example. This domain's SSL updated yesterday... (note the missing "}" below in dovecot.conf)
local_name www.2e2s.com {
ssl_cert = </home/aje2e2s/ssl.cert
ssl_cert = </home/aje2e2s/ssl.combined
ssl_key = </home/aje2e2s/ssl.key
Submitted by stephanw on Fri, 08/14/2020 - 02:32 Comment #7
Same issue here yesterday. Does the patch work for that, or is it safer to wait for a regular update?
Submitted by perler on Fri, 08/14/2020 - 03:28 Pro Licensee Comment #8
I think the issue is not just solving the bug but checking the dovecot config before applying it. Mail is such an important part of a hoster's system, it should justify the extra effort here.
It would work, however, for now, I would manually edit the dovecot.conf file and make sure to remove all ssl_ca directives, leaving only ssl_cert and ssl_key. Even with Virtualmin 6.11 the issue will not happen if there is no ssl_ca directive. Virtualmin 6.12 will work either way, and will automatically remove the ssl_ca directive properly.
Alternatively, you could run the following script to do it for you, which will fix it all in no time, in case of too many virtual servers. To run this, you would need to have a legit Dovecot config, having all curly brackets in place.
Note: Put this code in a file and run as sh script-name.
Submitted by dlynes on Fri, 08/14/2020 - 05:07 Pro Licensee Comment #10
That appears to have fixed the problem. I wiped out all the local_name code, ran your script and ta-da!
I still need to confirm by creating a mail account, logging into the account and confirming it's working, but dovecot's not bitching when I restart it now.
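The pre-apply check suggested in comment #8, as an added example that is not part of the thread, not Virtualmin's code, and not the script referred to in the comments above. The function names and the sample config (example.com domains and paths) are constructed; doveconf -n -c is Dovecot's own config parser and is only called when it is installed.

```shell
# Added example (not Virtualmin's code): check a candidate dovecot.conf
# for broken section braces, and install it only if the check passes.
check_dovecot_braces() {   # prints problems; non-zero exit if any
    awk '
        function report(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
        /^[ \t]*#/ { next }    # skip comment lines
        {
            is_ln = ($0 ~ /^[ \t]*local_name[ \t]/)
            if (is_ln && open) { report("local_name from line " open " was never closed"); depth = base }
            o = gsub(/[{]/, ""); c = gsub(/[}]/, "")
            if (is_ln && o == 0) report("local_name without opening brace")
            if (is_ln && o > 0) { base = depth; open = NR }
            depth += o - c
            if (depth < 0) { report("closing brace with no open section"); depth = 0 }
            if (open && depth <= base) open = 0
        }
        END {
            if (depth > 0) { printf "EOF: %d section(s) left open\n", depth; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Install CANDIDATE over TARGET only if it parses. Keep both in the same
# directory so the final mv is a rename rather than a copy.
safe_apply() {
    check_dovecot_braces "$1" || return 1
    # doveconf is Dovecot's own parser; treat it as authoritative when installed.
    if command -v doveconf >/dev/null 2>&1; then
        doveconf -n -c "$1" >/dev/null || return 1
    fi
    mv "$1" "$2"
}

# Constructed sample modelled on the thread: the first block lost its "}".
sample_broken() {
    cat <<'EOF'
local_name www.example.com {
  ssl_cert = </home/example/ssl.cert
  ssl_key = </home/example/ssl.key
local_name mail.example.org {
  ssl_cert = </home/exampleorg/ssl.cert
  ssl_key = </home/exampleorg/ssl.key
}
EOF
}

tmp=$(mktemp); sample_broken > "$tmp"
check_dovecot_braces "$tmp" || echo "candidate rejected; live config untouched"; rm -f "$tmp"
```

The brace check only catches structural damage of the kind reported in this thread; doveconf remains the full syntax check.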