anonaddy / docker

AnonAddy Docker image
MIT License

warning: cannot get RSA certificate from file "/home/USER/anonaddy/TLS.key": disabling TLS support #249

Open jediazmurillo opened 11 months ago

jediazmurillo commented 11 months ago

Support guidelines

I've found a bug and checked that ...

Description

Can not enable TLS on Postfix

Expected behaviour

  - "POSTFIX_SMTPD_TLS=true"
  - "POSTFIX_SMTP_TLS=true"
  - "POSTFIX_SMTPD_TLS_CERT_FILE=/etc/letsencrypt/live/domain.xyz/fullchain.pem"
  - "POSTFIX_SMTPD_TLS_KEY_FILE=/etc/letsencrypt/live/domain.xyz/privkey.pem"

Should Enable TLS

Actual behaviour

Getting 500's on webapp

sudo docker compose logs -f gives the following:

addy_nginx | 111.111.111.111 - - [19/Dec/2023:06:29:44 +0000] "GET /captcha/mini?9ntdf97c HTTP/2.0" 200 5776 "https://websiteedited.xyz/register" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
addy | Dec 19 00:29:53 mail postfix/smtpd[1072]: warning: cannot get RSA certificate from file "/etc/letsencrypt/live/domain.xyz/fullchain.pem": disabling TLS support
addy | Dec 19 00:29:53 mail postfix/smtpd[1072]: warning: TLS library problem: error:80000002:system library::No such file or directory:crypto/bio/bss_file.c:297:calling fopen(/etc/letsencrypt/live/domain.xyz/fullchain.pem, r):
addy | Dec 19 00:29:53 mail postfix/smtpd[1072]: warning: TLS library problem: error:10080002:BIO routines::system lib:crypto/bio/bss_file.c:300:
addy | Dec 19 00:29:53 mail postfix/smtpd[1072]: warning: TLS library problem: error:0A080002:SSL routines::system lib:ssl/ssl_rsa.c:448:

(IP and website edited for privacy)

Steps to reproduce

Using the information provided, with default settings on a fresh VPS.

Docker info

Client: Docker Engine - Community
 Version:    24.0.7
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 4
  Running: 4
  Paused: 0
  Stopped: 0
 Images: 4
 Server Version: 24.0.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 3dd1e886e55dd695541fdcd67420c2888645a495
 runc version: v1.1.10-0-g18a0cb0
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.0-1045-oracle
 Operating System: Ubuntu 22.04.3 LTS
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 23.43GiB
 Name: examplewebsite-xyz
 ID: e1a1a3e6-8192-4f96-b323-1045d0497b55
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Docker Compose config

name: addy

services:
  db:
    image: mariadb:10.5
    container_name: addy_db
    command:
      - "mysqld"
      - "--character-set-server=utf8mb4"
      - "--collation-server=utf8mb4_unicode_ci"
    volumes:
      - "./db:/var/lib/mysql"
    environment:
      - "MYSQL_ALLOW_EMPTY_PASSWORD=yes"
      - "MYSQL_DATABASE=anonaddy"
      - "MYSQL_USER=anonaddy"
      - "MYSQL_PASSWORD=11111111111111"
    restart: always

  redis:
    image: redis:4.0-alpine
    container_name: addy_redis
    restart: always

  addy:
    image: anonaddy/anonaddy:latest
    container_name: addy
    depends_on:
      - db
      - redis
    ports:
      - target: 25
        published: 25
        protocol: tcp
      - target: 8000
        published: 8000
        protocol: tcp
    volumes:
      - "./data:/data"
    env_file:
      - "./addy.env"
    environment:
      - "TZ=America/Monterrey"
      - "PUID=1000"
      - "PGID=1000"
      - "REAL_IP_FROM=0.0.0.0/32"
      - "REAL_IP_HEADER=X-Forwarded-For"
      - "LOG_IP_VAR=remote_addr"
      - "DB_HOST=db"
      - "LISTEN_IPV6=false"
      - "MEMORY_LIMIT=1024M"
      - "UPLOAD_MAX_SIZE=128M"
      - "OPCACHE_MEMSIZE=128"
      - "DB_DATABASE=anonaddy"
      - "DB_USERNAME=anonaddy"
      - "DB_PASSWORD=111111111111111111"
      - "APP_KEY=base64:HBtLNVmXbqky111111111111111111113f7JEw3Dk0k="
      - "APP_DEBUG=false"
      - "APP_URL=http://127.0.0.1:8000"
      - "ANONADDY_ADMIN_USERNAME=happyuser"
      - "ANONADDY_DOMAIN=domainexample.xyz"
      - "ANONADDY_ALL_DOMAINS=domainexample.xyz"
      - "ANONADDY_HOSTNAME=mail.domainexample.xyz"
      - "ANONADDY_DNS_RESOLVER=127.0.0.1"
      - "ANONADDY_SECRET=lksjfl111111111111111111111111kjflsakfjoi23u3"
      - "ANONADDY_DKIM_SIGNING_KEY=/data/dkim/domainexample.xyz.private"
      - "ANONADDY_RETURN_PATH=bounces@domainexample.xyz"
      - "MAIL_FROM_NAME=domainexample.xyz"
      - "MAIL_FROM_ADDRESS=addy@domainexample.xyz"
      - "ANONADDY_BANDWIDTH_LIMIT=104857600"
      - "POSTFIX_DEBUG=false"
      - "POSTFIX_SMTPD_TLS=true"
      - "POSTFIX_SMTP_TLS=true"
      - "POSTFIX_SMTPD_TLS_CERT_FILE=/etc/letsencrypt/live/domainexample.xyz/fullchain.pem"
      - "POSTFIX_SMTPD_TLS_KEY_FILE=/etc/letsencrypt/live/domainexample.xyz/privkey.pem"
      - "RSPAMD_ENABLE=true"
      - "RSPAMD_WEB_PASSWORD=1111111111111111"
    restart: always
  nginx:
    image: nginx:1.25.3-alpine
    container_name: addy_nginx
    restart: unless-stopped
    ports:
      - '443:443'
    volumes:
      - /etc/ssl/dhparam.pem:/etc/ssl/dhparam.pem
      - ./nginx/templates:/etc/nginx/templates
      - /etc/letsencrypt:/etc/letsencrypt
    depends_on:
      - addy

Logs

addy_nginx  | 111.111.111.111 - - [19/Dec/2023:06:29:44 +0000] "GET /captcha/mini?9ntdf97c HTTP/2.0" 200 5776 "https://websiteedited.xyz/register" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
addy        | Dec 19 00:29:53 mail postfix/smtpd[1072]: warning: cannot get RSA certificate from file "/etc/letsencrypt/live/domain.xyz/fullchain.pem": disabling TLS support
addy        | Dec 19 00:29:53 mail postfix/smtpd[1072]: warning: TLS library problem: error:80000002:system library::No such file or directory:crypto/bio/bss_file.c:297:calling fopen(/etc/letsencrypt/live/domain.xyz/fullchain.pem, r):
addy        | Dec 19 00:29:53 mail postfix/smtpd[1072]: warning: TLS library problem: error:10080002:BIO routines::system lib:crypto/bio/bss_file.c:300:
addy        | Dec 19 00:29:53 mail postfix/smtpd[1072]: warning: TLS library problem: error:0A080002:SSL routines::system lib:ssl/ssl_rsa.c:448:

Additional info

By default certbot certificates are only root accessible; I tried to create others on /home/user/anonaddy with 777. The application cannot read those either.

working-name commented 10 months ago

Hey there. I'm assuming it's because the container (container_name: addy) doesn't have /etc/...pem mounted so as far as it's concerned the path doesn't exist. You could try mounting the certs in the container at the root and then modify the ENV variables to point to the internal container path.

    volumes:
      - "./data:/data"
      - "/etc/letsencrypt/live/domainexample.xyz:/certs"
POSTFIX_SMTPD_TLS_CERT_FILE="/certs/domainexample.xyz-fullchain.pem"
...