Author Topic: Password Plugin can't read fullchain.pem due to permission problems  (Read 1518 times)

Offline StorWalle

Hi!

After upgrading to PHP 8.1 on my server I discovered that the Password plugin did not work as it is supposed to. I have triple and quadruple checked the config file and it is as it should be. I have checked the permissions of the certbot files and directories, and they seem just fine. The fullchain.pem file is readable by anyone.

The error message of Roundcube log:
PHP Error: Password plugin: Failed to execute command: doveadm pw -s 'CRAM-MD5'. Error: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 14: ssl_cert: Can't open file /etc/letsencrypt/live/my.cert.file.directory/fullchain.pem: Permission denied in /var/www/my.roundcube.directory/plugins/password/password.php on line 747 (POST /?_task=settings&_action=plugin.password-save)

Everything works just fine until I check the Dovecot users file. Password plugin has been able to take out {CRAM-MD5}PASSWORDHASH but hasn't put a new one in for the new password.

Anyone that has experienced the same? Any thoughts or knowledge on a solution? It has been working just fine under PHP 7.4 earlier, and trying to switch back to PHP 7.4 did not change the behavior.

Kind regards
Michael

Offline evenmoreconfused

Re: Password Plugin can't read fullchain.pem due to permission problems
« Reply #1 on: April 18, 2023, 10:53:01 PM »
Pretty sure this is caused by a known bug in Dovecot that exists in versions 2.3.11 thru .16, fixed in 2.3.17.

Basically doveadm pw fails because it insists on accessing all files mentioned in the config, even though it’s not going to use them. One such file is the private key, which is set 600 root root, but Roundcube runs the password change as the webserver.

Paul
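
Added example, not part of either post and not Roundcube or Dovecot code: a diagnostic for the situation described in this thread. It lists the files a Dovecot config loads with the `= </path` syntax and reports which path components a given account cannot search or read. The function names, the sample config and the `privkey.pem` path are assumptions made for illustration; only classic mode bits are evaluated.

```python
import os, re

# Constructed sample, modelled on the path in the error message above.
SAMPLE_CONF = """\
ssl = required
ssl_cert = </etc/letsencrypt/live/my.cert.file.directory/fullchain.pem
ssl_key = </etc/letsencrypt/live/my.cert.file.directory/privkey.pem
"""
FILE_VALUE = re.compile(r"^\s*([\w.-]+)\s*=\s*<\s*(\S+)")  # setting = </path

def referenced_files(conf_text):
    """Return (setting, path) for every value Dovecot loads from a file."""
    pairs = []
    for line in conf_text.splitlines():
        m = FILE_VALUE.match(line.split("#", 1)[0])  # drop comments
        if m:
            pairs.append(m.groups())
    return pairs

def _permits(st, uid, gids, want):
    """Mode bits only (no ACLs, SELinux, AppArmor). want: 4=read, 1=search."""
    if uid == 0:
        return True
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & want)

def blockers(path, uid, gids=()):
    """Components that are missing or deny access to uid/gids. Checks the path
    as written and its symlink target (certbot's live/ files are symlinks)."""
    denied = []
    for full in (os.path.abspath(path), os.path.realpath(path)):
        parents, d = [], os.path.dirname(full)
        while d not in parents:
            parents.append(d)
            d = os.path.dirname(d)
        checks = [(p, 1) for p in reversed(parents)] + [(full, 4)]
        for p, want in checks:
            ok = os.path.exists(p) and _permits(os.stat(p), uid, gids, want)
            if not ok and p not in denied:
                denied.append(p)
    return denied

if __name__ == "__main__":  # usage: script.py USER [CONF]; run as root
    import pwd, sys
    user = pwd.getpwnam(sys.argv[1])  # e.g. the web server account
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_CONF
    for setting, path in referenced_files(text):
        print(setting, path, blockers(path, user.pw_uid, gids))
```

An empty list for a setting means the mode bits allow that account to reach and read the file; any entry is a directory without search permission for it, a file it cannot read, or a path that does not exist.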