Kopano 8.6.81.475-0+86.1 fails to load symlinked ssl certs on Ubuntu 18.04

Hey,

I’ve upgraded my server to 18.04 (coming from 16.04) yesterday and therefore had to upgrade kopano, too.
After the upgrade and adjustment of my kopano configs to follow the new listen syntax my server refused to load my certificates which are symlinked to the letsencrypt folders (letsencrypt itself symlinks certs, so that’s just how it is).
It started working once I pointed kopano directly to the real file.
If I had to guess, I’d guess it’s related to switching to OpenSSH 1.1.

I’ve worked around that issue by copying the actual certs to /etc/kopano/ssl but I’d prefer not having to do something like that.

Regards,

Stephan

@reichi said in Kopano 8.6.81.475-0+86.1 fails to load symlinked ssl certs on Ubuntu 18.04:

refused to load my certificates which are symlinked

That claim has been made before in https://forum.kopano.io/topic/1763/error-connecting-to-imaps-via-gateway-core-8-6-81-416 but was not reproducible. My guess still would be that the kopano user is not allowed to read all directories that lead to the symlink’s target.

While I really wonder how that happened on a dist-upgrade (it worked fine, before) you’re actually right:

root@alf:~# sudo -u kopano -H cat /etc/ssl/certs/reichholf.net.combined.pem
cat: /etc/ssl/certs/reichholf.net.combined.pem: Permission denied

thx for the (obvious) hint…

Another question: Did Kopano change the way it starts? I wonder if certs have been read as root before switching to the user-context before and that changed now? That’s what pretty much all other services like apache or postfix do (and why they can read the certs).

@reichi said in Kopano 8.6.81.475-0+86.1 fails to load symlinked ssl certs on Ubuntu 18.04:

Did Kopano change the way it starts?

Not recently

Yeah it did change, switching to the unprivileged user slightly earlier than what it used to be. [KC-1043]

That explains my issues. Thx. I’ve resolved this with a cronjob. I would prefer not having to copy and chown ssl certs “all over the place” though. But at least it’s working fine now.
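
The diagnosis reached in this thread (the service user cannot pass every directory on the way to the symlink's target) can be checked component by component. The following is an added example, not part of the original posts and not Kopano code; the function names are hypothetical. It assumes classic owner/group/other mode bits only (no ACLs, capabilities or MAC policy) and must run as a user that can stat every component, such as root.

```python
import os
import stat

def _permits(st, uid, gids, want):
    """Mode-bit check in kernel order: owner, then group, then other (4=r, 1=x)."""
    if uid == 0:
        return True  # root bypasses these checks
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & want)

def blockers(path, uid, gids, max_links=40):
    """Walk path one component at a time, following symlinks, and return
    [(component, problem)] for everything uid/gids cannot get past."""
    found = []
    def check(p, st, want, problem):
        if not _permits(st, uid, gids, want) and (p, problem) not in found:
            found.append((p, problem))
    # Stack of names still to resolve; the last element is the next one.
    todo = [c for c in os.path.join(os.getcwd(), path).split(os.sep) if c][::-1]
    cur = os.sep
    check(cur, os.stat(cur), 1, "directory not searchable")
    while todo:
        name = todo.pop()
        if name in (".", ".."):
            cur = os.path.dirname(cur) if name == ".." else cur
            continue
        nxt = os.path.join(cur, name)
        st = os.lstat(nxt)
        if stat.S_ISLNK(st.st_mode):
            max_links -= 1
            if max_links < 0:
                raise OSError("too many levels of symbolic links: " + path)
            target = os.readlink(nxt)
            if os.path.isabs(target):
                cur = os.sep  # absolute target restarts the walk at /
            todo.extend([c for c in target.split(os.sep) if c][::-1])
            continue
        if stat.S_ISDIR(st.st_mode):
            check(nxt, st, 1, "directory not searchable")
        elif not todo:
            check(nxt, st, 4, "file not readable")  # only the final file is read
        cur = nxt
    return found

if __name__ == "__main__":  # usage: script.py PATH USER
    import pwd, sys
    pw = pwd.getpwnam(sys.argv[2])
    for hit in blockers(sys.argv[1], pw.pw_uid, set(os.getgrouplist(pw.pw_name, pw.pw_gid))):
        print(*hit)
```

Run against the configured certificate path and the service account, it lists the directory or file to fix (for example with a dedicated group) instead of copying certificates around.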