On my CentOS 7 system I am trying to run dovecot with TLS required. For that, I created my private key and certificate in

[root@homeserver /]# ls -lZ indernet/cert/homeserver.*
-r--r--r--. root certuser system_u:object_r:default_t:s0   indernet/cert/homeserver.crt
-r--r-----. root certuser system_u:object_r:default_t:s0   indernet/cert/homeserver.key
[root@homeserver /]#

To make dovecot actually load the files I ensured /etc/dovecot/conf.d/10-ssl.conf contains these lines:

ssl=required
ssl_key=</indernet/cert/homeserver.key
ssl_cert=</indernet/cert/homeserver.crt

The problematic part: Dovecot cannot start up, it fails with this error:

dovecot: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 14: ssl_key: Can't open file /indernet/cert/homeserver.key: Permission denied

I tried to modify the certificate's and key's file permissions (this should not be required according to https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/), even to 777, and nothing changes. Someone suggested to me that it might be SELinux preventing the access, and I configured unconfined_u:object_r:default_t:s0 as well as system_u:object_r:default_t:s0, as you can see above. No change.

Now the surprising part: I got very curious and edited /usr/lib/systemd/system/dovecot.service to contain

ExecStart=/bin/strace /usr/sbin/dovecot

and then in /var/log/messages I could see the cert and key getting accessed and loaded. And dovecot works. But when I remove the strace again, I am left with the same problem.

What may be going on here?

Hiran Chaudhuri

1 Answer

The keys cannot be read because SELinux has denied access to them.

To fix the problem, copy (using cp or mv -Z) the keys to a directory where SELinux expects TLS keys and certificates to be stored, i.e. /etc/pki/tls and its subdirectories. The new files will have the correct SELinux contexts if you used cp or mv -Z. Then update the files' locations in your Dovecot configuration.

Michael Hampton
  • The solution did indeed work. But how come that strace can circumvent SELinux? – Hiran Chaudhuri Aug 29 '21 at 20:13
  • @HiranChaudhuri SELinux allows strace to do just about everything. – Michael Hampton Aug 29 '21 at 22:54
  • This sounds strange, as others even use strace to debug permission problems (https://subscription.packtpub.com/book/networking_and_servers/9781783989669/8/ch08lvl1sec75/using-strace-to-clarify-permission-issues). Is there more information about this somewhere? – Hiran Chaudhuri Aug 30 '21 at 18:42
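An added example, not part of the question or the answer above, showing the check a practitioner would run before moving anything and the alternative fix that keeps the files in /indernet/cert. The `ls -Z` output in the question already shows the key labelled `default_t`, the type files get under a path the policy knows nothing about; confined daemons such as dovecot's `dovecot_t` domain cannot read `default_t` files whatever their mode bits, which is why chmod 777 changed nothing. The authoritative record of that denial is the audit log (`ausearch -m AVC -ts recent -c doveconf` on the real host); the script below parses a constructed AVC line of that shape (pid, dev and ino values are made up) and prints the `semanage fcontext` / `restorecon` commands that relabel the directory to `cert_t`, the type /etc/pki/tls carries, so the answer's copy to /etc/pki/tls and this in-place relabel end with the same label on the key.

```shell
#!/bin/sh
# Added example (not from the original post): triage an SELinux AVC denial like
# the one behind "Can't open file ... Permission denied" and print the commands
# that relabel the key directory in place instead of moving the files.
#
# On the real box you would take the line from:
#   ausearch -m AVC -ts recent -c doveconf
# The sample below is constructed; pid, dev and ino are made-up values.
SAMPLE_AVC='type=AVC msg=audit(1630268000.123:456): avc:  denied  { read } for  pid=2187 comm="doveconf" name="homeserver.key" dev="dm-0" ino=1234567 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=... from an AVC line, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the denied permission(s) inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# selinux_type CONTEXT: the type field of user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_fix_hint LINE DIR: when the target file carries default_t (what files under
# an unknown path such as /indernet receive), print the persistent relabel to
# cert_t, the type /etc/pki/tls uses, so dovecot_t may read it. Any other target
# type is just summarised, since the right label then depends on the case.
avc_fix_hint() {
    line=$1
    dir=$2
    sdom=$(selinux_type "$(avc_field "$line" scontext)")
    ttype=$(selinux_type "$(avc_field "$line" tcontext)")
    case $ttype in
        default_t)
            printf 'semanage fcontext -a -t cert_t "%s(/.*)?"\n' "$dir"
            printf 'restorecon -Rv %s\n' "$dir"
            ;;
        *)
            printf 'no relabel hint: %s denied %s on %s (%s)\n' \
                "$sdom" "$(avc_perm "$line")" "$ttype" "$(avc_field "$line" tclass)"
            ;;
    esac
}

avc_fix_hint "$SAMPLE_AVC" /indernet/cert
```

Run as root on the CentOS 7 host, the two printed commands make the label survive a relabel of the filesystem (`semanage` comes from the policycoreutils-python package there); afterwards `ls -Z /indernet/cert` should show `cert_t` instead of `default_t`, and `ausearch -m AVC -ts recent` should stay empty when dovecot is restarted. The answer's approach works for the same reason: a file created with `cp` under /etc/pki/tls inherits that directory's `cert_t` label, whereas a plain `mv` would carry `default_t` along, hence `mv -Z`.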