DH parameters error (message) via update.php

Discussion in 'Installation/Configuration' started by Richard Foley, Aug 29, 2019.

  1. Richard Foley

    Richard Foley Member

    I updated my systems from debian 9 (stretch) to debian 10 (buster), which was *almost* painless. When I then updated ispConfig3
    Code:
    php -q update.php
    I saw the following "DH parameters" message. This is just FYI, as when I run the update again, the error disappears.

    Code:
    Reconfigure Services? (yes,no,selected) [yes]:
    
    Configuring Postfix
    Configuring Dovecot
    Creating new DHParams file, this takes several minutes. Do not interrupt the script.
    142+0 records in
    142+0 records out
    142 bytes copied, 0.000529595 s, 268 kB/s
    unable to load DH parameters
    3072366336:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
    3072366336:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=DHparams
    Configuring Mailman
    
    I have other issues with this upgrade, but will create separate threads where relevant. Thanks for all your great work!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the output of the command to create the DH params file which is required for dovecot on Debian 10. Seems as if something is wrong with your OpenSSL setup when such a basic command fails.

    Code:
    openssl dhparam -out /etc/dovecot/dh.pem 2048
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to delete the file and create it again with the above command.
     
    Richard Foley likes this.
  4. Richard Foley

    Richard Foley Member

    Did that, everything seems to be running smoothly, for now...
    Thanks Till!
     
  5. Jemt

    Jemt Member HowtoForge Supporter

    For the record, I was having the same problem on Debian 10 Buster. Till's solution solved the problem.
    The server in question was initially based on Debian 7, and has since been upgraded to Debian 8, Debian 9, and now Debian 10. Perhaps the problem is related to the upgrade procedures.
     
    Last edited: Feb 25, 2020
  6. Gray Consulting

    Gray Consulting Member HowtoForge Supporter

    Thanks Till -
    Same issue popped up for us - ubuntu 20.04 / php 7.4 / ispconfig 3.2
    Solution worked perfectly, although I had to build a longer key of 4096 bits before dovecot was happy.
    (Still looking for that tip jar, Till :) ... )
     
  7. Steini86

    Steini86 Active Member

    That works, but is deprecated. For intermediate systems one should use these DH parameters. See: https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
    You can get them for example via:
    Code:
    curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/dovecot/dh.pem
    (Modern systems with only TLS1.3 do not need these parameters)
     
    Jemt likes this.
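
Added example, not part of the thread and not ISPConfig code: a read-only check that a dh.pem file really contains a PEM "DH PARAMETERS" block with the SEQUENCE { INTEGER p, INTEGER g } layout that the "wrong tag ... Type=DHparams" error above refers to, and that the prime is long enough. It is useful after regenerating the file or fetching it with curl, before dovecot is restarted. The function names and the toy sample are constructed for illustration.

```python
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.+?)\s*-----END DH PARAMETERS-----", re.S)

# Constructed toy sample (p=23, g=5), only to exercise the parser; not a usable group.
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n"

def read_tlv(buf, pos, tag, name):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError(f"{name}: truncated")
    if buf[pos] != tag:
        raise ValueError(f"{name}: wrong tag 0x{buf[pos]:02x}, expected 0x{tag:02x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError(f"{name}: bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError(f"{name}: truncated value")
    return buf[pos:pos + length], pos + length

def parse_dhparams(pem_text):
    """Return (prime_bits, generator) for a PKCS#3 SEQUENCE { INTEGER p, INTEGER g }."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no 'DH PARAMETERS' PEM block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    seq, _ = read_tlv(der, 0, 0x30, "DHParameter SEQUENCE")
    p_raw, pos = read_tlv(seq, 0, 0x02, "prime p")
    g_raw, _ = read_tlv(seq, pos, 0x02, "generator g")
    return int.from_bytes(p_raw, "big").bit_length(), int.from_bytes(g_raw, "big")

def check_dhparams(pem_text, min_bits=2048):
    """Raise ValueError unless the block parses and the prime has at least min_bits."""
    bits, g = parse_dhparams(pem_text)
    if bits < min_bits:
        raise ValueError(f"prime is {bits} bits, below {min_bits}")
    return bits, g

if __name__ == "__main__":
    # The path is an argument and nothing is written, e.g. /etc/dovecot/dh.pem
    with open(sys.argv[1], encoding="latin-1") as fh:
        print("OK: %d-bit prime, generator %d" % check_dhparams(fh.read()))
```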
