Imaps cyrus unable to get certificate from after 15.2-15.5 upgrade

Hello

2023-12-24T00:58:52.395770+01:00 server imaps[2172]: unable to get certificate from ‘/etc/ssl/certs/cyrus.pem’
2023-12-24T00:58:52.396852+01:00 server imaps[2172]: TLS server engine: cannot load cert/key data
2023-12-24T00:58:52.396953+01:00 server imaps[2172]: error initializing TLS
2023-12-24T00:58:52.397001+01:00 server imaps[2172]: Fatal error: tls_init() failed
2023-12-24T00:58:52.397976+01:00 server master[2160]: process 2172 exited, status 75
2023-12-24T00:58:52.398074+01:00 server master[2160]: service imaps pid 2172 in BUSY state: terminated abnormally

I’m getting this with cyrus-imap after the upgrade to version 15.5. A few things were not working after that, and I managed to fix them, but I can’t find why it’s doing this.

Imapd runs as cyrus; I can su cyrus and cat this file without a problem.
I tried various permissions, moving the files to a different folder, etc. Even if I delete the file, the error is the same, so it looks like for some reason the process has no access to it.

Thanks

Show the systemd service definition for your program. Replace "whatever" with the proper name.

systemctl cat whatever.service

A direct upgrade 15.2 → 15.5 is not supported.
It is better to perform a clean install in that case.

I know it’s not supported, but in 15.3 they removed cyrus imap and it completely removed my email server.
The update went quite well except for this and a few other things that I already fixed.

Why do you show text data as screenshot? It is badly readable and cannot be commented if needed. How difficult is it to copy and paste output? Use preformatted text (button </>) when pasting computer output.

It’s quite possible that certificate is using outdated algorithms that are disabled by default. Show

openssl x509 -noout -text -in /etc/ssl/certs/cyrus.pem

Sorry, I had no access to copy the text directly. Here it is with modified fields:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ba:00:e7:4c:d6:00:15:0e
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = PL, ST = city, O = , OU = , CN = ny name, emailAddress =
Validity
Not Before: Oct 12 11:12:37 2007 GMT
Not After : Oct 11 11:12:37 2008 GMT
Subject: C = PL, ST = xxxx, O = , OU = , CN = my name, emailAddress =
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (1024 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BC:EC:4F:12:00:BF:99:A9:00:35:13:35:96:95:C9:7B:A3:3D:A8:30
X509v3 Authority Key Identifier:
keyid:93:8D:BE:E4:D7:82:62:A4:F3:17:A8:2A:5B:E2:67:80:57:87:72:52

Signature Algorithm: sha1WithRSAEncryption

In the meantime I recreated the certificates to be sure that’s not an issue with this:

openssl req -new -nodes -out req.pem -keyout key.pem
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 999

and that’s no issue

Could you please post computer text as preformatted.

Your certificate is located in the location for CA certificates, but it is prohibited to be used as CA.

Looks like I recreated the certificates again and now it works.
Thanks
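
Added example (not code from any poster in this thread): a Python check that reads `openssl x509 -noout -text` output like the dump posted above and flags the properties the replies ask about, namely the signature digest, RSA key size, validity window and the CA flag. The weak-digest list and the 2048-bit RSA floor are assumed policy values, and the sample text is constructed from the fields shown in the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the header fields of the certificate dump in this thread.
SAMPLE = """\
Signature Algorithm: sha1WithRSAEncryption
Not Before: Oct 12 11:12:37 2007 GMT
Not After : Oct 11 11:12:37 2008 GMT
Public Key Algorithm: rsaEncryption
RSA Public-Key: (1024 bit)
X509v3 Basic Constraints:
CA:FALSE
"""

WEAK_HASHES = ("md2", "md5", "sha1")  # assumption: digests treated as outdated
MIN_RSA_BITS = 2048                   # assumption: local policy floor


def _when(text, label):
    """Parse a 'Not Before'/'Not After' line into an aware UTC datetime."""
    m = re.search(label + r"\s*:\s*(.+?)\s+GMT", text)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # OpenSSL pads one-digit days
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def audit_cert_text(text, now=None):
    """Return a list of findings for one certificate's text dump."""
    now = now or datetime.now(timezone.utc)
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if sig and any(h in sig.group(1).lower() for h in WEAK_HASHES):
        findings.append(f"weak signature algorithm: {sig.group(1)}")
    # 1.1.x prints "RSA Public-Key: (N bit)", 3.x prints "Public-Key: (N bit)".
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if bits and "rsaEncryption" in text and int(bits.group(1)) < MIN_RSA_BITS:
        findings.append(f"RSA key too short: {bits.group(1)} bits")
    start, end = _when(text, "Not Before"), _when(text, "Not After")
    if start and start > now:
        findings.append(f"not yet valid: starts {start:%Y-%m-%d}")
    if end and end < now:
        findings.append(f"expired: ended {end:%Y-%m-%d}")
    if re.search(r"\bCA:FALSE\b", text):
        findings.append("CA:FALSE: leaf certificate, not usable as a CA")
    return findings


if __name__ == "__main__":
    for finding in audit_cert_text(SAMPLE):
        print(finding)
```

To check a real file, pass in the output of `openssl x509 -noout -text -in <file>` instead of `SAMPLE`.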