Topic: Does iredadmin really need access to TLS privkey?
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version: 1.6.1
- Deployed with iRedMail Easy or the downloadable installer? D/L install
- Linux/BSD distribution name and version: Rocky Linux release 8.6 (Green Obsidian)
- Store mail accounts in which backend: LDAP
- Web server (Apache or Nginx): NGINX
- Manage mail accounts with iRedAdmin-Pro? YES, iRedAdmin-Pro-LDAP-5.3
- Error message:
Sep 15 00:34:14 mail.domain.com iredadmin: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 49: ssl_key: Can't open file /etc/pki/tls/private/iRedMail.key: Permission denied
I'm using LetsEncrypt certs, symlinked like so:
[root@mail:~#] namei -vm /etc/pki/tls/private/iRedMail.key
f: /etc/pki/tls/private/iRedMail.key
dr-xr-xr-x /
drwxr-xr-x etc
drwxr-xr-x pki
drwxr-xr-x tls
drwxr-xr-x private
lrwxrwxrwx iRedMail.key -> /etc/letsencrypt/live/domain.com/privkey.pem
dr-xr-xr-x /
drwxr-xr-x etc
drwxr-xr-x letsencrypt
drwxr-xr-x live
drwxr-xr-x domain.com
lrwxrwxrwx privkey.pem -> ../../archive/domain.com/privkey7.pem
drwxr-xr-x ..
drwxr-xr-x ..
drwxr-xr-x archive
drwxr-xr-x domain.com
-rw------- privkey7.pem
We have used it this way for many months (years?), although it has been a couple of months since I logged into the Pro panel. But now, I can no longer log in, although the credentials work for webmail login.
iRedAdmin-Pro login _does_ work if I modify permissions on 'privkey7.pem' to 0644 (currently 0600, as they should be). Why does the iredadmin user seem to need read access to the privkey, when postfix/dovecot/nginx/etc work fine as-is? I'm guessing it indicates a different config error, but I'm stumped on what to look for...