caprover / one-click-apps

Community Maintained One Click Apps (https://github.com/caprover/caprover)
Apache License 2.0

App issue: Poste.io TLS/SSL Cert #1113

Open amirsaam opened 2 weeks ago

amirsaam commented 2 weeks ago

Hello,

While I did read #231 (suggestion comments 1 and 2) and followed them, there are some issues.

  1. If I use the CapRover built-in SSL/TLS certbot (HTTPS = OFF) and map those certs to the Poste.io certs, the panels would have certs, but because Poste.io is a mail server and I need to connect multiple domains to it, some/most apps would decline this cert with this error:
    "errors": [{
    "message": "Failed to send email. Reason: Hostname/IP does not match certificate's altnames: Host: cnameToMailserverHostname. is not in the cert's altnames: DNS:caproverMailAppDomain"
    }]

    So I tried to issue the cert while this option is used and did use Poste.io Let's Encrypt and I got this error:

    [2024-06-11T16:23:44.999805+03:30] LEScript.INFO: ACME Client: analogic-lescript/0.3.0
    [2024-06-11T16:23:45.000184+03:30] LEScript.INFO: Getting list of URLs for API
    [2024-06-11T16:23:45.772972+03:30] LEScript.INFO: Requesting new nonce for client communication
    [2024-06-11T16:23:46.713963+03:30] LEScript.INFO: Account already registered. Continuing.
    [2024-06-11T16:23:46.714197+03:30] LEScript.INFO: Sending registration to letsencrypt server
    [2024-06-11T16:23:46.754782+03:30] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-acct
    [2024-06-11T16:23:47.567543+03:30] LEScript.INFO: Account: https://acme-v02.api.letsencrypt.org/acme/acct/1775326667
    [2024-06-11T16:23:47.567803+03:30] LEScript.INFO: Starting certificate generation process for domains
    [2024-06-11T16:23:47.568423+03:30] LEScript.INFO: Requesting challenge for mailServerHostname, altDomain1, altDomain2, altDomain3, altDomain4
    [2024-06-11T16:23:47.602837+03:30] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-order
    [2024-06-11T16:23:48.498814+03:30] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/362511700727
    [2024-06-11T16:23:49.296632+03:30] LEScript.INFO: Got challenge token for altDomain3
    [2024-06-11T16:23:49.297144+03:30] LEScript.INFO: Token for altDomain3 saved at /opt/www//.well-known/acme-challenge/hTGWY-8X0vw50sa36wwX-EWQdIRhiSB_mCj0S3xxVbw and should be available at http://altDomain3/.well-known/acme-challenge/hTGWY-8X0vw50sa36wwX-EWQdIRhiSB_mCj0S3xxVbw
    [2024-06-11T16:23:49.297200+03:30] LEScript.INFO: Sending request to challenge
    [2024-06-11T16:23:49.320815+03:30] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/362511700727/t4uCkA
    [2024-06-11T16:23:50.132799+03:30] LEScript.INFO: Verification pending, sleeping 1s
    [2024-06-11T16:23:51.166831+03:30] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/362511700727/t4uCkA
    [2024-06-11T16:23:51.977315+03:30] LEScript.ERROR: 400 {   "type": "urn:ietf:params:acme:error:malformed",   "detail": "Unable to update challenge :: authorization must be pending",   "status": 400 }
    [2024-06-11T16:23:51.977527+03:30] LEScript.ERROR: #0 /opt/admin/vendor/analogic/lescript/Lescript.php(580): Analogic\ACME\Client->curl()
    [2024-06-11T16:23:51.977616+03:30] LEScript.ERROR: #1 /opt/admin/vendor/analogic/lescript/Lescript.php(448): Analogic\ACME\Client->post()
    [2024-06-11T16:23:51.977677+03:30] LEScript.ERROR: #2 /opt/admin/vendor/analogic/lescript/Lescript.php(164): Analogic\ACME\Lescript->signedRequest()
    [2024-06-11T16:23:51.977728+03:30] LEScript.ERROR: #3 /opt/admin/src/Base/Handler/LeHandler.php(62): Analogic\ACME\Lescript->signDomains()
    [2024-06-11T16:23:51.977814+03:30] LEScript.ERROR: #4 /opt/admin/src/Base/Controller/LeController.php(71): App\Base\Handler\LeHandler->renew()
    [2024-06-11T16:23:51.977892+03:30] LEScript.ERROR: #5 /opt/admin/vendor/symfony/http-kernel/HttpKernel.php(163): App\Base\Controller\LeController->issueAction()
    [2024-06-11T16:23:51.977956+03:30] LEScript.ERROR: #6 /opt/admin/vendor/symfony/http-kernel/HttpKernel.php(75): Symfony\Component\HttpKernel\HttpKernel->handleRaw()
    [2024-06-11T16:23:51.978003+03:30] LEScript.ERROR: #7 /opt/admin/vendor/symfony/http-kernel/Kernel.php(202): Symfony\Component\HttpKernel\HttpKernel->handle()
    [2024-06-11T16:23:51.978051+03:30] LEScript.ERROR: #8 /opt/admin/public/index.php(27): Symfony\Component\HttpKernel\Kernel->handle()
    [2024-06-11T16:23:51.978132+03:30] LEScript.ERROR: #9 {main}

    Note that even if I use the CapRover SSL cert and map it, because it is for the app name and not the hostname of the mail server, the mentioned issue would still be there; I need alt names for the other domains and for the hostname itself. Also, I cannot connect the mail server hostname to the app directly, I don't know why, in this structure:

    • App domain is: appname.caproverRoot.name.domain
    • My hostname is: mail.name.domain
    • When I want to connect this domain to the app I get "1107 : Verification Failed." while I do have a DNS record pointing to the IP of the server. Also, I don't think this is the issue, because even the Poste.io demo website structure is like this:
    • App address is demo.poste.io
    • Mail hostname is mail.poste.io
  2. If I choose to use HTTPS = blank and let Poste.io handle the SSL/TLS certs, and remove both
    # Used by Lets Encrypt
    location /.well-known/acme-challenge/ {
        root <%-s.staticWebRoot%>;
    }

    (as mentioned in comment number 1 of the mentioned issue) from the Nginx config of the app, no matter what, the app won't run, and if I open the domain, CapRover/Nginx shows the "Nothing is here yet" page.

Another problem is that the instructions that show up after installation of Poste.io look like they only apply to the HTTPS = OFF option, with no mention of how to handle HTTPS = blank.

I'd appreciate any help. Regards.
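The "Hostname/IP does not match certificate's altnames" error above is a SAN check failing: the client compares the hostname it was configured to connect to against the DNS entries in the certificate. The following added example (not code from the issue, CapRover or Poste.io; all names are constructed placeholders) implements that match, including the trailing-dot form seen in the error and single-label wildcards, and reports which client-facing hostnames a given SAN list leaves uncovered.

```python
"""Report which client-facing hostnames a certificate's SAN list covers.

Added example, not code from the issue or from CapRover/Poste.io. The SAN
list and hostnames are constructed placeholders modelled on the error
"Hostname/IP does not match certificate's altnames" quoted in the issue.
"""
from typing import Iterable


def _normalize(name: str) -> str:
    # Clients may report a fully-qualified name with a trailing dot
    # ("Host: cnameToMailserverHostname." in the issue); strip it and lowercase.
    return name.rstrip(".").lower()


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match of one DNS SAN entry against a hostname.

    A wildcard is honoured only as the left-most label and matches exactly
    one label: "*.example.test" covers "mail.example.test" but neither
    "example.test" nor "a.b.example.test".
    """
    san, hostname = _normalize(san), _normalize(hostname)
    if san.startswith("*."):
        suffix = san[1:]  # ".example.test"
        return hostname.endswith(suffix) and hostname.count(".") == san.count(".")
    return san == hostname


def missing_san_entries(san_list: Iterable[str], hostnames: Iterable[str]) -> list[str]:
    """Return the hostnames no SAN entry covers; each of these is a client
    connection that will fail with a hostname-mismatch error."""
    dns_names = [s.split(":", 1)[1] for s in san_list if s.startswith("DNS:")]
    return [h for h in hostnames if not any(san_matches(d, h) for d in dns_names)]


# Constructed data: a cert issued by CapRover covers only the app domain,
# while mail clients connect using the mail hostname or a customer CNAME.
CAPROVER_CERT_SANS = ["DNS:mail.caproverroot.example.test"]
CLIENT_HOSTNAMES = [
    "mail.caproverroot.example.test",  # the CapRover app domain itself
    "mail.example.test",               # the mail server's own hostname
    "mail.customer-one.test.",         # a customer CNAME, reported with trailing dot
]

if __name__ == "__main__":
    for host in missing_san_entries(CAPROVER_CERT_SANS, CLIENT_HOSTNAMES):
        print(f"not covered by certificate: {host}")
```

Every name the function reports must appear as a DNS SAN in the certificate the mail server presents; that is why a cert scoped to the app domain alone is rejected for the mail hostname and the customer domains.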

amirsaam commented 2 weeks ago

So, a funny thing. If I change the domain to the CapRover Poste.io app name in the TLS cert page of Poste.io, it can successfully issue the cert for the app domain! But I cannot access it with HTTPS. This doesn't matter, though, because we already could issue the cert for the app domain in the CapRover panel. Does CapRover install apps in a network=host environment, as said in this instruction by the Poste.io docs? And also, do we show Poste.io the correct well-known folder?

coffseducation commented 2 weeks ago

If I change the domain to the caprover poste.io app name in the tls cert page of poste.io

Could you elaborate on this please?

amirsaam commented 2 weeks ago

@coffseducation The CapRover app domain for Poste.io, for example: mail.caproverRoot.name.domain

amirsaam commented 2 weeks ago

OK, after more exploration of the Poste.io docs I found this in its FAQ:

Q: I want to use my port 80 for a reverse proxy (Nginx)

A: Poste only needs to use port 80 for Let's Encrypt authentication; you can easily remap the HTTP port with Docker to another one if you don't want to use LE. Otherwise you should map the /opt/www/.well-known folder on your web server to the /.well-known relative path. Example of a special case where you want to use dockered NGiNX with LE Companion and Poste with LE:

version: '3'

services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    labels:
        com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    container_name: nginx-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /data/nginx/conf.d:/etc/nginx/conf.d
      - /data/nginx/vhost.d:/etc/nginx/vhost.d
      - /data/nginx/html:/usr/share/nginx/html
      - /data/nginx/certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro

  nginx-letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nginx-letsencrypt
    restart: unless-stopped
    volumes:
      - /data/nginx/conf.d:/etc/nginx/conf.d
      - /data/nginx/vhost.d:/etc/nginx/vhost.d
      - /data/nginx/html:/usr/share/nginx/html
      - /data/nginx/certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - NGINX_DOCKER_GEN_CONTAINER=nginx-proxy
      - NGINX_PROXY_CONTAINER=nginx-proxy

  mailserver:
    image: poste.io/mailserver:dev
    container_name: mailserver
    restart: unless-stopped
    ports:
      - "25:25"
      - "110:110"
      - "143:143"
      - "587:587"
      - "993:993"
      - "995:995"
      - "4190:4190"
    environment:
      - LETSENCRYPT_EMAIL=info@analogic.cz
      - LETSENCRYPT_HOST=mail.poste.io
      - VIRTUAL_HOST=mail.poste.io
      - HTTPS=OFF
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /data/nginx/html/.well-known:/opt/www/.well-known
      - /data/mailserver:/data

How do we handle /data/nginx/html/.well-known:/opt/www/.well-known in Poste.io's One-Click App?

amirsaam commented 2 weeks ago

Any suggestion from the original author? @ronaldloyko