# Courier-imap no longer working after 10 years

## Akaihiryuu

I'm using self-signed certificates...this is a private server and I really don't care about getting signed certificates.  But the problem is, that suddenly stopped working.  I've been using the exact same script for years to regenerate my certificates when they expire.  Only now, for some reason, it stopped working.  My logs are getting spammed with this.

```
Aug  5 20:27:42 triforce imapd-ssl[22245]: ip=[::ffff:192.168.0.2], Certificate is bad
```

This is the script I've been using for years, that works with everything else.

```
#!/bin/bash

SSL="/usr/bin/openssl"

${SSL} genrsa -out /etc/ssl/private/server.key 1024

${SSL} req -new -x509 -days 365 -key /etc/ssl/private/server.key -out /etc/ssl/private/server.crt

cat /etc/ssl/private/server.crt /etc/ssl/private/server.key > /etc/ssl/private/server.pem

chmod 640 /etc/ssl/private/*
```

To use that with courier, I just `ln -s /etc/ssl/private/server.pem /etc/courier-imap/imapd.pem`

I don't understand why this is suddenly no longer working.  I've had this exact same setup for at least 5 years now.

----------

## NathanZachary

This could be a permissions problem.  I believe that 600 is required.  Based on the error that you're getting, I don't think that it is a problem with it being self-signed (that error is typically "Peer's certificate is not signed by a trusted authority").

----------

## Akaihiryuu

Just checked that, permissions seem to be correct.  I'm at a complete loss.  Still getting the same error spammed in my logs right after the server starts.  The certificates are working for everything else (including Apache).  I do have to accept self-signed certificates, but I'm used to doing that.

```
drwx------ 2 root root  4096 Aug  5 20:16 private
-rw------- 1 root root 1074 Aug  5 22:31 server.crt
-rw------- 1 root root  887 Aug  5 22:31 server.key
-rw------- 1 root root 1961 Aug  5 22:31 server.pem
lrwxrwxrwx 1 root root    25 Aug  5 20:30 imapd.pem -> ../ssl/private/server.pem
```

----------

## mike155

A wild guess:

Look at https://ispltd.org/server_guides:ssl:courier-imap, section "Certificate Errors" 

They say that a newline and a pseudo-random key must be added to the PEM file.

----------

## Akaihiryuu

Ok, this is odd.  I changed the permissions of the private folder to this, and it started working.  After that, I changed everything back, restarted courier again, and it's still working.  Now I'm completely confused, but at least it's working.  But yeah, I checked that exact site several times for possible solutions without finding anything useful, before coming here.

```
drwxr-xr-x 2 root root  4096 Aug  5 20:16 private
```

I can understand permissions problems.  But courier runs as root anyway...what really confuses me is it's still working, after I changed the permissions back to what they were originally, when I was getting "certificate is bad".  I first discovered this issue because I was missing 2 weeks' worth of cron emails.  I suddenly just got all my missing emails.

----------

## figueroa

See my post in the following thread:

https://forums.gentoo.org/viewtopic-t-1104108-highlight-gendh.html

I cannot tell a lie. On line 35 of my local mkimapdcert, I gave myself 3650 days. I'm now a few months into my second 10-year stretch.

----------
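The replies above point at the layout of the combined PEM and at its permissions. As an added example (not posted by anyone in the thread), this is a pre-flight check for a file built with `cat server.crt server.key > server.pem`; `check_combined_pem` is a hypothetical helper name, and the check covers structure and permissions only, not courier's own validation.

```shell
#!/bin/sh
# Added example (not from the thread): structural pre-flight check for a
# combined certificate+key PEM such as the server.pem built above.
# check_combined_pem is a hypothetical helper name.

check_combined_pem() {
    pem=$1
    rc=0
    if [ ! -r "$pem" ]; then
        echo "FAIL: cannot read $pem"
        return 2
    fi

    # If server.crt lacks a final newline, cat glues the END and BEGIN
    # markers onto one line and the second block is no longer recognisable.
    if grep -q -e '-----END [A-Z ]*----------BEGIN' "$pem"; then
        echo "FAIL: END and BEGIN markers share one line"
        rc=1
    fi

    # grep -c exits 1 on a zero count, hence the "|| true".
    certs=$(grep -c -E -e '^-----BEGIN CERTIFICATE-----$' "$pem" || true)
    keys=$(grep -c -E -e '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$' "$pem" || true)
    begins=$(grep -c -e '^-----BEGIN ' "$pem" || true)
    ends=$(grep -c -e '^-----END ' "$pem" || true)
    [ "$certs" -ge 1 ] || { echo "FAIL: no certificate block"; rc=1; }
    [ "$keys" -eq 1 ] || { echo "FAIL: expected 1 private key block, found $keys"; rc=1; }
    [ "$begins" -eq "$ends" ] || { echo "FAIL: $begins BEGIN vs $ends END lines"; rc=1; }

    # The file holds the private key; -L follows the imapd.pem symlink.
    mode=$(ls -ldL "$pem" | cut -c1-10)
    case $mode in
        -???------) ;;
        *) echo "FAIL: $pem is $mode, key readable beyond its owner"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $pem"
    return "$rc"
}

# Stand-alone use: pass the PEM path as the first argument.
if [ "$#" -gt 0 ]; then
    check_combined_pem "$1"
fi
```

Saved under a name of your choice, it runs as `sh check_pem.sh /etc/courier-imap/imapd.pem` and exits non-zero on any finding. Expiry date and key size are outside its scope and still need a look with `openssl x509 -noout -text -in server.crt`.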

