Hello,
   my private key is 4096 bit.
   I added also ca_file = /etc/pki/tls/certs/cacert.pem, but it did not help
   either.
   Marek
   Thursday, 20 November 2025, 16:27, Aki Tuomi <[email protected]> wrote:

     Hi!

     Your private key must be large enough.

     Aki

       On 20/11/2025 17:07 EET Marek Gresko via dovecot
       <[email protected]> wrote:


       I tried even with root ca and the same result.

       Marek





       Sent with Proton Mail secure email.

       Thursday, 20 November 2025, 16:04, Marek Gresko
       <[email protected]> wrote:


         Including root CA?

         Marek





         Sent with Proton Mail secure email.


         Thursday, 20 November 2025, 15:51, Marc [email protected]
         wrote:


           You have to put full chain in the cert


             I forgot to mention the certificate is signed by my private root
             certification authority. Could this be related? Should the
             authority certificate be configured somewhere in dovecot?

             Thanks

             Marek

             Thursday, 20 November 2025, 15:42, Marek Gresko
             [email protected] wrote:


               Hello,

               after upgrading from Fedora 42 to Fedora 43 the dovecot got
               upgraded to version 2.4.

               I tweaked the configuration, dovecot starts, but when client
               is trying to connect to imap, I get:

               imap-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't load SSL certificate (ssl_server_cert_file setting): error:0A00018F:SSL routines::ee key too small:

               I tried replacing 2048 bits RSA with 4096 bits RSA, I tried to
               not use the dh.pem file (I read somewhere it is not needed any
               more), I deleted /var/lib/dovecot/ssl-parameters.dat file, but
               still the same error.

               Where should I look next?

               My ssl config:

               ssl = required

               #ssl_server_dh_file = /etc/dovecot/dh.pem

               ssl_server {
               #ssl_server_dh_file = /etc/dovecot/dh.pem
               ssl_server_cert_file = /somewhere/dovecot.pem
               ssl_server_key_file = /somewhere/dovecot.pem
               prefer_ciphers = server
               }

               ssl_min_protocol = TLSv1.2

               ssl_cipher_list = PROFILE=SYSTEM

               #ssl_verify_client_cert = no
               #ssl_prefer_server_ciphers = no

               Thanks

               Marek

       _______________________________________________
       dovecot mailing list -- [email protected]
       To unsubscribe send an email to [email protected]
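
Added example (not part of the thread and not Dovecot's own tooling): the "ee key too small" error refers to the end-entity certificate, so this script reads the key size and signature algorithm of the first certificate in the file given as ssl_server_cert_file and checks that the private key belongs to it. The function names, the 2048-bit default and the RSA-only size comparison are assumptions of the example.

```shell
#!/bin/sh
# Added example: inspect the end-entity (first) certificate of a PEM file.
# `openssl x509` reads only the first certificate in the file, which in a
# full-chain file is expected to be the server's own certificate.

# Print the public-key size in bits of the first certificate in PEM file $1.
leaf_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the signature algorithm of the first certificate in PEM file $1.
leaf_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 only if the private key in $2 belongs to the first certificate
# in $1 (1 on mismatch, 2 if either file cannot be parsed).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Report on a certificate/key pair. $3 is the minimum RSA size in bits
# (default 2048, an assumption; set it to what your policy requires).
# The size comparison is only meaningful for RSA keys, as in the thread.
check_pair() {
    bits=$(leaf_key_bits "$1")
    min=${3:-2048}
    echo "leaf key: ${bits:-unknown} bits, signed with $(leaf_sig_alg "$1")"
    [ -n "$bits" ] && [ "$bits" -ge "$min" ] ||
        { echo "leaf key is below $min bits"; return 1; }
    key_matches_cert "$1" "$2" ||
        { echo "private key does not match the first certificate"; return 1; }
    echo "ok"
}

# Usage: sh check.sh CERT_FILE KEY_FILE [MIN_BITS]
if [ "$#" -ge 2 ]; then
    check_pair "$@"
fi
```

For the combined file in the configuration quoted above, pass /somewhere/dovecot.pem as both CERT_FILE and KEY_FILE (check.sh is a hypothetical file name).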
