Dovecot: Can't load private ssl_key: Key is for a different cert than ssl_cert

After upgrading my server today, the mail server Dovecot did not work anymore - fetching mails with IMAP failed with

socket error ([Errno 104] Connection reset by peer)

The server logs said:

dovecot: imap-login: Fatal: Can't load private ssl_key: Key is for a different cert than ssl_cert
dovecot: master: Error: service(imap-login): command startup failed, throttling for 2 secs

The setup had not changed; the Dovecot + Let's Encrypt certificates had been working for over a year.

I found the solution in a forum post: My /etc/dovecot/conf/10-ssl.conf file contained:

ssl_cert = </etc/letsencrypt/live/mail.cweiske.de/fullkeychain.pem

- but using the fullkeychain was apparently wrong; after changing it to fullchain.pem (without the "key") IMAP and POP3 logins worked again.

Written by Christian Weiske.

Comments? Please send an e-mail.