• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Please beaware of a breaking change in the REST API on the next Plesk release (18.0.62).
    Starting from Plesk Obsidian 18.0.62, requests to REST API containing the Content-Type header with a media-type directive other than “application/json” will result in the HTTP “415 Unsupported Media Type” client error response code. Read more here

pop3d.pem no start line

H

Hans_Meiser

New Pleskian
Hello,

I get the following error message in my mail logs:

/usr/share/courier-imap/pop3d.pem: error:0906D06C:pEM routines:pEM_read_bio:no start line

This happens even with the "Plesk-Default-Cert" in pop3d.pem.

I believe I tried every suggestion from the internet...text block positions, user rights, some modifications in the confs according to the Plesk-how to's etc.

My Configurations are the recommended ones from the Plesk knowledge base.

I must say that my client is Outlook 2003 which is rather old.

Does someone has another idea? My client does not send any certificate.
 
Most probably there are Windows EOL symbols in certificate. Try to check it with

# dos2unix /usr/share/courier-imap/pop3d.pem
 
Thank you, but double checked with the same result...

couriertls: /usr/share/courier-imap/pop3d.pem: error:0906D06C:pEM routines:pEM_read_bio:no start line
 
Hi Hans_Meiser,

Hans_Meiser said:
This happens even with the "Plesk-Default-Cert" in pop3d.pem.
Click to expand...
Did you change the content from the file "/usr/share/courier-imap/pop3d.pem" ? With which software did you edit the file "/usr/share/courier-imap/pop3d.pem" ?

Hans_Meiser said:
I believe I tried every suggestion from the internet...text block positions, user rights, some modifications in the confs according to the Plesk-how to's etc.

My Configurations are the recommended ones from the Plesk knowledge base.
Click to expand...
Could you please name the How-To's you used? s?
Could you please name the KB - articles, that you followed to configure the certificates or it's changes?
 
Last edited by a moderator:
Hi Hans_Meiser,

even if you maybe double and tribble checked, i recommend to use a "pure" text-editor, when editing certificates to merge them. As you can see in your case, there are certificates issues, which only result from incorrect pastings, or additional signs, or even bad converts.

I would as well recommend to use both paths
Code: 
/usr/share/imapd.pem 
/usr/share/pop3d.pem
AND
Code: 
/usr/share/courier-imap/imapd.pem
/usr/share/courier-imap/pop3d.pem
for your certificates, when you save them.
 
Hi,

I created a self singed cert and only edited it with cat (merging the Openssl-outputs)

cat /home/xxx/tmp/cert.crt > /usr/share/courier-imap/pop3d.pem
cat /home/xxx/tmp/cert-stripped.key >> /usr/share/courier-imap/pop3d.pem

cat /home/xxx/tmp/cert.crt > /usr/share/courier-imap/imapd.pem
cat /home/xxx/tmp/cert-stripped.key >> /usr/share/courier-imap/imapd.pem

cat /home/xxx/tmp/cert.crt > /usr/share/pop3d.pem
cat /home/xxx/tmp/cert-stripped.key >> /usr/share/pop3d.pem

cat /home/xxx/tmp/cert.crt > /usr/share/imapd.pem
cat /home/xxx/tmp/cert-stripped.key >> /usr/share/imapd.pem

...with the same result.

By the way, I would not believe that the Plsek defualt cert comes damaged too.

...strange...

but when I use a default cert from an older server the message disapears.

Seems it has to do with the kind of cert.

...double strange...

the older cert/pem bundle has:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----

...and the key seems to be shorter...may be an older format is involved too.
 
Last edited:
SOLVED:

The all in one-error message "no start line" is misleading.
I hate those messages. They can cause hours, days and weeks of investigations.

My system needs a dhparam section in the pop3d.pem

This is not metioned in the Paralleles Plesk KB...

http://kb.odin.com/en/1062

I'm not sure, but I believe the Plesk default SSL-configuration in /usr/share/courier-imap/ has no dhparam section too.
So this could be a serious configuration- and documentation bug (could lead to a MITM vulnerability).
I took advantage of some PCI complience optimisations. May be they are involved too.

PS:
openssl dhparam -out mysexyserver.com_dhparam.pem 4096
 
Last edited:
You must log in or register to reply here.

Similar threads

Quinten
Resolved Reverse Proxy server (Nginx) won't start after renewing a domains certificate
Replies
7
Views
6K
Quinten
Quinten
S
Issue Problems with Plesk
Replies
5
Views
1K
Peter Debik
P
C
Issue 502 Bad Gateway - after applying updates
Replies
2
Views
2K
CChris
C
I
Question Problems with Email certificate renewal - seems linked to changes in SNI support
Replies
0
Views
2K
iainh
I
P
Issue Roundcube stops working intermittently
Replies
12
Views
5K
Bitpalast
Bitpalast
Back
Top