dovecot-common postinst fails for multiple ssl certs

Bug #182086 reported by Matt LaPlante
Affects: dovecot (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: dovecot-common

The post-inst script for dovecot does not take into account having multiple ssl certs in the configuration. If there are, the script fails as follows:

***********************************************************
Unpacking replacement dovecot-common ...
Setting up dovecot-common (1:1.0.5-1ubuntu2.1) ...
[: 75: /etc/ssl/certs/cert2.crt: unexpected operator
Creating generic self-signed certificate: /etc/ssl/certs/cert1.crt
 /etc/ssl/certs/cert2.crt
 /etc/ssl/certs/cert3.crt
(replace with hand-crafted or authorized one if needed).
Warning : Bad SSL config, can't generate certificate.
[: 75: /etc/ssl/certs/cert2.crt: unexpected operator

Setting up dovecot-pop3d (1:1.0.5-1ubuntu2.1) ...
 * Restarting IMAP/POP3 mail server dovecot [ OK ]

Setting up dovecot-imapd (1:1.0.5-1ubuntu2.1) ...
 * Restarting IMAP/POP3 mail server dovecot

************************************************************

This appears to be the fault of the following grep not accounting for multiple occurrences in postinst:

  ## SSL Certs
  # Certs and key file
  SSL_CERT=$( (grep "ssl_cert_file" /etc/dovecot/dovecot.conf || echo '/etc/ssl/certs/dovecot.pem') | cut -d'=' -f2)
  SSL_KEY=$( (grep "ssl_key_file" /etc/dovecot/dovecot.conf || echo '/etc/ssl/private/dovecot.pem') | cut -d'=' -f2)

I would recommend adding -m 1 to the grep to limit the number of hits returned to one. This wouldn't help if a random one of multiple certs was missing, but it would avoid breakage and serve the same purpose it was intended to serve now.

  ## SSL Certs
  # Certs and key file
  SSL_CERT=$( (grep -m 1 "ssl_cert_file" /etc/dovecot/dovecot.conf || echo '/etc/ssl/certs/dovecot.pem') | cut -d'=' -f2)
  SSL_KEY=$( (grep -m 1 "ssl_key_file" /etc/dovecot/dovecot.conf || echo '/etc/ssl/private/dovecot.pem') | cut -d'=' -f2)

Tags: bitesize patch

Daniel Hahler (blueyed)
Changed in dovecot:
importance: Undecided → Medium
status: New → Triaged
Nicolas Valcarcel (nvalcarcel) wrote :

Attaching debdiff with the suggestions.

Mathias Gug (mathiaz) wrote :

Thanks for your debdiff.

Considering what is done with the SSL_CERT and SSL_KEY variables in the postinst script, could it be possible to modify the postinst script to fully support multiple certificates defined in the configuration file?
Instead of limiting the output of grep, add a loop in the script.

Nicolas Valcarcel (nvalcarcel) wrote :

Ok, working on it.

Changed in dovecot:
assignee: nobody → nvalcarcel
status: Triaged → In Progress
Nicolas Valcarcel (nvalcarcel) wrote :

Matt: can you paste your certificates part of the dovecot.conf file please?

Nicolas Valcarcel (nvalcarcel) wrote :

Done, it will only work if SSL_CERT and SSL_KEY have the cert-key pairs in the same order (I mean SSL_CERT=cert1 cert2 cert3, SSL_KEY=key1 key2 key3, but not with SSL_CERT=cert1 cert2 cert3, SSL_KEY=key3 key2 key1, but I don't think that ever happens). Attaching debdiff for revision.

Matt LaPlante (cybrmatt) wrote :

The problem I see here is that the new script will wind up creating X number of certs with the same domain name... a scenario I'm not sure one would see in practice. My config uses separate domains for the imap and pop services (and therefore separate certs), which is why I hit this bug in the first place. I personally think dealing with this level of customization may be out of the scope of what the postinst needs to handle.

Nicolas Valcarcel (nvalcarcel) wrote :

That's why I want to check your dovecot.conf, to check which is the syntax of those multiple ssl certs.

Mathias Gug (mathiaz) wrote :

Matt has a good point. I think it should be possible to generate one certificate/key files on first installation, but register all the certificates and key files in ucf afterwards.

Nicolas Valcarcel (nvalcarcel) wrote :

But the script is written to try to create it if the key is missing, but if the 2 files are in there not to make anything.

Mathias Gug (mathiaz) wrote :

@Nicolas, could you update your first debdiff (the one that uses -m to limit the output of grep) wrt the current version of dovecot?

Changed in dovecot:
status: In Progress → Incomplete
Nicolas Valcarcel (nvalcarcel) wrote :

Done.

Changed in dovecot:
status: Incomplete → Confirmed
assignee: nvalcarcel → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dovecot - 1:1.0.10-1ubuntu5

---------------
dovecot (1:1.0.10-1ubuntu5) hardy; urgency=low

  * Fixed error with multiple ssl certs on postinst limiting the grep result
    to 1 cert. Thanks Matt LaPlante for the suggestions (LP: #182086)

 -- Nicolas Valcarcel <email address hidden> Mon, 31 Mar 2008 12:22:34 -0500

Changed in dovecot:
status: Confirmed → Fix Released
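
The failure from the report, the `-m 1` fix, and the positional cert/key pairing discussed in the thread, as an added example that is not the package's postinst code. The sample config, the file paths and the function names are constructed, and the `[ -e ... ]` test shape is an assumption because the page does not show postinst line 75.

```shell
# Added example; the config content and all paths are constructed sample data.
make_sample_conf() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
ssl_cert_file = /etc/ssl/certs/cert1.crt
ssl_key_file = /etc/ssl/private/key1.key
protocol imap {
  ssl_cert_file = /etc/ssl/certs/cert2.crt
  ssl_key_file = /etc/ssl/private/key2.key
}
protocol pop3 {
  ssl_cert_file = /etc/ssl/certs/cert3.crt
  ssl_key_file = /etc/ssl/private/key3.key
}
EOF
    printf '%s\n' "$sample"
}

# Values of setting $1 in file $2 (uncommented lines only), trimmed. Further
# arguments go to grep, e.g. "-m 1" as in the fix proposed in the report.
values() {
    key=$1; file=$2; shift 2
    grep -E "$@" "^[[:space:]]*${key}[[:space:]]*=" "$file" |
        cut -d'=' -f2 | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Exit status of an unquoted existence test on every match at once. postinst
# line 75 is not shown on the page; a test of this shape is assumed.
unquoted_test_status() {
    all=$(values ssl_cert_file "$1")
    rc=0; [ -e $all ] 2>/dev/null || rc=$?
    echo "$rc"
}

# Pair certs and keys by position; fail when the counts differ.
cert_key_pairs() {
    nc=$(values ssl_cert_file "$1" | wc -l)
    nk=$(values ssl_key_file "$1" | wc -l)
    [ "$nc" -eq "$nk" ] || return 1
    i=0
    values ssl_cert_file "$1" | while IFS= read -r cert; do
        i=$((i + 1))
        printf '%s %s\n' "$cert" "$(values ssl_key_file "$1" | sed -n "${i}p")"
    done
}

conf=$(make_sample_conf)
echo "unquoted test: exit $(unquoted_test_status "$conf"); -m 1: $(values ssl_cert_file "$conf" -m 1)"
cert_key_pairs "$conf"; rm -f "$conf"
```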