kopano-ical does not work with letsencrypt

  • kopano-ical version kopano-ical-

    /etc/kopano/ical.cfg has:
    ssl_private_key_file = /etc/letsencrypt/live/DELETED/privkey.pem
    ssl_certificate_file = /etc/letsencrypt/live/DELETED/fullchain.pem

    /var/log/kopano/ical.cfg has errors:
    2020-09-14T12:46:43.283589: [kopano-ical|T4189] [error ] ECChannel::HrSetCtx(): cannot open key file /etc/letsencrypt/live/DELETED/privkey.pem: Permission denied
    2020-09-14T12:46:43.283600: [kopano-ical|T4189] [error ] Error loading SSL context, ICALS will be disabled: call failed (80004005)

    Adding kopano:kopano ownership to the SSL files or the complete path to them makes no difference

    Interestingly if I just use 8080 and comment out all SSL it still does not work, I get a “connection refused”, port 8080 is listening and assigned to kopano-ical, firewall port is open and I’ve tried curl, telnet, ssl with correct login, there is also no information in /var/log/kopano/ical.log even on debug level…weird.

  • Remember the permissions of the certificates and keys and try a chmod 777 (privkey.pem cert.pem) and see if that makes a difference. That’s not the ultimate fix to be honest, but just to see if it is a Kopano or a Letsencrypt issue.

  • Hallo @nanathlor ,

    this is a known error (https://help.univention.com/t/kopano-ical-ssl-not-working/11606)

    Give the kopano user corresponding read rights and restart service kopano-ical.

    setfacl -m u:kopano:r  /etc/letsencrypt/live/DELETED/domain.key

    After that kopano-ical should work with Letsencrypt.

    Best regards

  • Most probley the rights are set to : drwx–x— 2 root ssl-cert

    adduser kopano ssl-cert
    And you should be done.

    Postfix, same, adduser postfix ssl-cert
    And others same, just check the default rights in /etc/letsencrypt
    And use the groups thats set.

    I like Manfred its example with setfacl, but thats only one problem.
    Its applied on file, what is the files are rotated again?? ;-)