Description of problem:
After a "yum update" which updates dovecot, dovecot fails to restart and refuses to start manually because it cannot access /usr/share/ssl/certs/dovecot.pem, which had been a symbolic link to the real certificate file.

Version-Release number of selected component (if applicable):
dovecot-1.0-0.beta8.2.fc5 (and recent earlier updates).

How reproducible:
Very... Has happened with the last couple of dovecot updates on 4 different systems.

Steps to Reproduce:
1. Create a real certificate pair foo.crt/foo.key in /usr/share/ssl/{certs/foo.crt,private/foo.key}, CA-signed or self-signed as desired.
2. Create a symlink from foo.crt to dovecot.pem in .../certs.
3. Create a symlink from foo.key to dovecot.pem in .../private.
4. Configure the ssl cert paths (dovecot.pem) in /etc/dovecot.conf.
5. Update dovecot using yum.
6. Note: dovecot refuses to start, unable to open cert file .../certs/dovecot.pem.
7. Note: .../certs/dovecot.pem is missing (only the symlink; the real cert file is still present).
8. Note: .../private/dovecot.pem is still present (undamaged).

Actual results:
The symlink to the cert file is deleted by the yum update process. Dovecot refuses to (re)start. Dovecot is non-functional after an update until the certs are repaired.

Expected results:
Existing cert and key files or symlinks should NEVER be tampered with (mine are actual, real, signed X.509 certificates). Dovecot should be functional after an update.

Additional info:
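The failure above is only noticed when dovecot refuses to start after the update. The following is an added example, not part of the bug report or of the dovecot package: a small POSIX sh check that reads the ssl_cert_file and ssl_key_file settings from a dovecot 1.0-style dovecot.conf (those setting names are assumed here) and reports whether each path resolves to a regular file, distinguishing a dangling symlink from a removed one. The demo builds the layout from the report in a temporary directory with placeholder file contents standing in for the real certificate and key (constructed data, not real X.509 material), then deletes the cert symlink the way the update did.

```shell
#!/bin/sh
# Added example (not from the bug report or the dovecot package):
# verify that the ssl paths in a dovecot.conf still resolve to regular
# files, e.g. as a pre/post "yum update" check, before dovecot is restarted.

# Print the value of a "name = value" setting from a dovecot.conf-style file.
# $1 = config file, $2 = setting name (last occurrence wins, as in dovecot).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Classify one path: ok (regular file, directly or via a symlink),
# dangling (symlink whose target is gone), notfile (exists but is not a
# regular file, e.g. a directory), or missing (nothing at the path at all).
path_state() {
    if [ -L "$1" ]; then
        if [ -f "$1" ]; then echo ok; else echo dangling; fi
    elif [ -f "$1" ]; then
        echo ok
    elif [ -e "$1" ]; then
        echo notfile
    else
        echo missing
    fi
}

# Check ssl_cert_file and ssl_key_file from a config. Prints one line per
# setting as "<setting> <path> <state>" and returns 1 if any state is not ok,
# so it can gate a service restart in a script.
check_dovecot_ssl() {
    conf=$1
    rc=0
    for key in ssl_cert_file ssl_key_file; do
        p=$(conf_value "$conf" "$key")
        if [ -z "$p" ]; then
            echo "$key (unset) missing"
            rc=1
            continue
        fi
        st=$(path_state "$p")
        echo "$key $p $st"
        [ "$st" = ok ] || rc=1
    done
    return $rc
}

# Demo: constructed layout mirroring the report (real files plus symlinks),
# then the cert symlink removed as the update did. The key symlink survives.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/certs" "$d/private"
    echo "placeholder, not a real certificate" > "$d/certs/foo.crt"
    echo "placeholder, not a real key" > "$d/private/foo.key"
    ln -s "$d/certs/foo.crt" "$d/certs/dovecot.pem"
    ln -s "$d/private/foo.key" "$d/private/dovecot.pem"
    printf 'ssl_cert_file = %s\nssl_key_file = %s\n' \
        "$d/certs/dovecot.pem" "$d/private/dovecot.pem" > "$d/dovecot.conf"
    echo "before update:"
    check_dovecot_ssl "$d/dovecot.conf"
    rm "$d/certs/dovecot.pem"
    echo "after update removed the cert symlink:"
    check_dovecot_ssl "$d/dovecot.conf" || echo "ssl paths broken, do not restart dovecot"
    rm -rf "$d"
}

demo
```

Because the state is reported per path, the output also separates the case in the report (the symlink itself deleted, so "missing") from a symlink left behind whose target was moved away (reported as "dangling"), which is the distinction needed to tell what an update actually did to the certificate layout.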
Are you sure your symlinks did not end up under /etc/pki/, the new default location for ssl cert stuff? I could tamper with the conffile to fix the location of the files if they are moved. I don't quite like the idea of leaving everything as it is, letting systems gradually rot over upgrades. All solutions seem to create complex failure scenarios. Not touching certificates causes default setups to get screwed. Moving them and tampering with conffiles may lead to a non-working setup or a confused admin (where did my certs go?). Not touching certificates nor the conffile leaves things in deprecated locations, also by default. Generating a certificate in the new location if it's not there causes confusion again (why did the certificate change? which is the right one?), etc.... I don't know.
Closing, been in NEEDINFO for too long.