Bug 1836522

Summary: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:1418708B:SSL routines:ssl_do_config:unknown command
Product: Red Hat Enterprise Linux 8
Component: dovecot
Version: 8.4
Hardware: x86_64
OS: Linux
Status: CLOSED DUPLICATE
Severity: high
Priority: unspecified
Target Milestone: rc
Target Release: 8.0
Reporter: Prem Słaby <przemub>
Assignee: Michal Hlavinka <mhlavink>
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Last Closed: 2020-09-23 10:51:49 UTC
Type: Bug

Description Prem Słaby 2020-05-16 14:38:56 UTC
Description of problem: STARTTLS command issued to IMAP server fails with the following logs:

May 16 15:30:44 prem dovecot[2664]: master: Dovecot v2.3.8 (9df20d2db) starting up for imap, pop3, lmtp
May 16 15:30:44 prem postfix/master[2691]: daemon started -- version 3.3.1, configuration /etc/postfix
May 16 15:30:48 prem dovecot[2690]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8: user=<>, rip=192.168.1.100, lip=192.168.1.202, session=<m+6gxsSlCMLAqAFk>
May 16 15:30:48 prem dovecot[2690]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 3 secs): user=<>, rip=192.168.1.100, lip=192.168.1.202, session=<m+6gxsSlCMLAqAFk>


Version-Release number of selected component (if applicable): 2.3.8 (9df20d2db)


How reproducible: I am not sure. I use a LetsEncrypt-issued certificate.


Steps to Reproduce:
Changes to doveconf as output by dovecot -n:
# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# OS: Linux 4.18.0-193.1.2.el8_2.x86_64 x86_64 Red Hat Enterprise Linux release 8.2 (Ootpa) 
# Hostname: prem.moe
first_valid_uid = 1000
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/1mi.pl/fullchain.pem
ssl_cipher_list = PROFILE=SYSTEM
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}

Actual results:
SSL initialization fails, and so does the login.

Expected results:
SSL initializes.
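
The failure above, as an added triage example that is not part of the original report or of Dovecot: a parser that pulls the OpenSSL error fields (section, cmd, arg) out of the imap-login line and pairs it with the disconnect line by session id. It assumes the OpenSSL 1.1.x packed error-code layout; `triage` and `decode_error_code` are hypothetical names, and the two sample lines are copied from the log above.

```python
import re

# Two lines copied from the log in this report (not constructed).
SAMPLE = [
    "May 16 15:30:48 prem dovecot[2690]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8: user=<>, rip=192.168.1.100, lip=192.168.1.202, session=<m+6gxsSlCMLAqAFk>",
    "May 16 15:30:48 prem dovecot[2690]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 3 secs): user=<>, rip=192.168.1.100, lip=192.168.1.202, session=<m+6gxsSlCMLAqAFk>",
]

# error:<8 hex digits>:<lib>:<func>:<reason>, then the key=value data OpenSSL attached.
INIT_FAIL = re.compile(
    r"dovecot\[\d+\]: (?P<service>[\w-]+): Error: Failed to initialize SSL server context: "
    r".*?error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+): "
    r"section=(?P<section>[^,]+), cmd=(?P<cmd>[^,]+), arg=(?P<arg>\S+?): user=<"
    r".*?rip=(?P<rip>[^,]+),.*?session=<(?P<session>[^>]+)>"
)
DISCONNECT = re.compile(r"Disconnected: TLS initialization failed\..*session=<(?P<session>[^>]+)>")


def decode_error_code(code_hex):
    """Split a packed error code into (library, function, reason) numbers.

    Assumption: OpenSSL 1.1.x layout (8 bits library, 12 bits function, 12 bits reason).
    """
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def triage(lines):
    """Return one finding per failed TLS context init, matched to its disconnect by session id."""
    findings = {}
    for line in lines:
        m = INIT_FAIL.search(line)
        if m:
            f = m.groupdict()
            f["decoded"] = decode_error_code(f.pop("code"))
            f["client_disconnected"] = False
            findings[f["session"]] = f
            continue
        d = DISCONNECT.search(line)
        if d and d["session"] in findings:
            findings[d["session"]]["client_disconnected"] = True
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['service']} session {f['session']} from {f['rip']}: {f['reason']!r} in "
              f"[{f['section']}] cmd={f['cmd']} lib/func/reason={f['decoded']} "
              f"disconnected={f['client_disconnected']}")
```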

Comment 1 Prem Słaby 2020-05-16 14:51:12 UTC
This is a regression - yum downgrade dovecot-2.2.36-10.el8.x86_64 fixes the issue.

Comment 2 Michal Hlavinka 2020-09-23 10:51:49 UTC

*** This bug has been marked as a duplicate of bug 1847697 ***