Closed noyb34 closed 7 years ago
Can you provide some logs and the content of your docker-compose.yml file?
Logs:
docker logs mailserver
TLS handshake:
openssl s_client -connect mail.domain.tld:993 -tlsextdebug
openssl s_client -connect mail.domain.tld:587 -starttls smtp -tlsextdebug
Content of the live directory:
ls /mnt/docker/nginx/certs/live/mail.domain.tld
FQDN value inside the container:
docker exec -ti mailserver bash
# hostname --fqdn
Hello there,
See mailserver log file: mailserver_logs.txt
See ls of live directory
hostname --fqdn: mail.mydomain.com
Can you provide your docker-compose.yml file?
And check the content of the live directory inside the container:
docker exec -ti mailserver bash
# ls /etc/letsencrypt/live/mail.domain.tld
Attached, see the docker-compose file and a listing of the live content directory in the container: docker-compose.yml.txt
Your custom certificate seems to be recognized correctly:
# mailserver_logs.txt
2017-05-07 17:09 :
[INFO] Let's encrypt live directory found
[INFO] Using /etc/letsencrypt/live/mail.mydomain.com folder
[INFO] Found DKIM key pair for domain mydomain.com - skip creation
[INFO] No extra postfix settings loaded because optional custom configuration file (/var/mail/postfix/custom.conf) is not provided.
[INFO] Database hostname not found in /etc/hosts, try to find container IP with docker embedded DNS server
[INFO] Container IP found, adding new record in /etc/hosts
[INFO] Fetchmail forwarding is disabled.
[INFO] ManageSieve protocol is enabled.
...
Try the openssl client command to confirm the certificate used:
openssl s_client -connect mail.domain.tld:993 -tlsextdebug
openssl s_client -connect mail.domain.tld:587 -starttls smtp -tlsextdebug
You must wait until the container is fully initialized before executing these commands. Wait for the "clamd[xxx]: Self checking every 3600 seconds" message after 2 to 3 minutes.
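The two openssl commands above show the handshake, but the practical question in this thread is whether the certificate the container serves on 993 and 587 is the one sitting in the live directory or a self-signed fallback. The following is an added example, not code from the issue or from the mailserver project: it fingerprints the leaf certificate in a PEM file (the first block of a fullchain.pem) and compares it with the leaf certificate presented on the IMAPS port and, after STARTTLS, on the submission port. Certificate verification is deliberately disabled in the probes so that a self-signed fallback is still reported rather than rejected. The host name and file path in the usage line, and the constructed sample PEM, are assumptions for the example; a refused connection (errno 111, as reported later in the thread) is returned as a result instead of raising, since the container may still be initializing.

```python
"""Check which TLS certificate a mail container actually serves.

Added example (not from the issue thread or the mailserver project).
Host names, ports, file paths and the sample PEM are assumptions.
"""
import base64
import hashlib
import re
import smtplib
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the usual form for a certificate fingerprint."""
    return hashlib.sha256(data).hexdigest()


def leaf_fingerprint_from_pem(pem_text: str) -> str:
    """Fingerprint of the first certificate block in a PEM string.

    In a fullchain.pem the first block is the leaf (server) certificate;
    any intermediates that follow are ignored.
    """
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return sha256_hex(der)


def leaf_fingerprint_from_file(path: str) -> str:
    with open(path, "r", encoding="ascii") as fh:
        return leaf_fingerprint_from_pem(fh.read())


def _diagnostic_context() -> ssl.SSLContext:
    """Context that accepts any certificate: the goal is to see what the
    server presents (even a self-signed fallback), not to validate it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def served_fingerprint_imaps(host: str, port: int = 993, timeout: float = 10.0) -> str:
    """Fingerprint of the certificate served on an implicit-TLS port (IMAPS)."""
    ctx = _diagnostic_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return sha256_hex(tls.getpeercert(binary_form=True))


def served_fingerprint_submission(host: str, port: int = 587, timeout: float = 10.0) -> str:
    """Fingerprint of the certificate served after STARTTLS on submission."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=_diagnostic_context())
        return sha256_hex(smtp.sock.getpeercert(binary_form=True))


def classify(served: str, expected: str) -> str:
    """Compare two hex fingerprints case-insensitively."""
    return "match" if served.lower() == expected.lower() else "mismatch"


def constructed_pem(der: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block (constructed test data only)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample chain: the blocks are not real certificates; they only
# exercise the PEM parsing path offline.
SAMPLE_LEAF_DER = b"constructed-leaf-not-a-real-certificate"
SAMPLE_CHAIN_PEM = constructed_pem(SAMPLE_LEAF_DER) + constructed_pem(b"constructed-intermediate")


def check_host(host: str, pem_path: str) -> dict:
    """Run both probes; an unreachable port (e.g. errno 111 while the
    container is still initializing) is reported as a result, not raised."""
    expected = leaf_fingerprint_from_file(pem_path)
    results = {"expected": expected}
    for name, probe in (("imaps", served_fingerprint_imaps),
                        ("submission", served_fingerprint_submission)):
        try:
            results[name] = classify(probe(host), expected)
        except OSError as exc:
            results[name] = f"unreachable: {exc}"
    return results


if __name__ == "__main__":
    # Assumed host and path; run from a machine that can reach the container.
    print(check_host("mail.domain.tld",
                     "/etc/letsencrypt/live/mail.domain.tld/fullchain.pem"))
```

A "mismatch" on either port with the container fully started is the symptom described in this issue: the file in the live directory is not what Postfix or Dovecot loaded, so the next step is to check the mount and the ownership of that directory inside the container rather than the certificate itself.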
When I do
openssl s_client -connect mail.mydomain.com:993 -tlsextdebug
and
openssl s_client -connect mail.mydomain.com:587 -starttls smtp -tlsextdebug
I get:
connect: Connection refused
connect:errno=111
netstat -tulpn | grep -E -w '993|587'
Here is the output:
Ok. Here is the scoop on the private SSL issue:
I deleted everything and removed everything, including volumes. What I did instead: I placed all my certs in a directory on the host, then used my docker-compose to orchestrate another container (a Dockerfile with FROM tianon/true and ADD certs ...) to push the certs into the /etc/letsencrypt directory at the end of the orchestration (depends_on: mailserver, mariadb...). It works now! I can use my purchased SSL. Otherwise, when you first create the mailserver, it does not have access to the certs; I had to manually place the certs in the directory and then restart the mailserver, and sometimes it was able to find the letsencrypt directory and other times not.
Let me know if this makes sense. Thank you for all your help!
So the problem is on your side? Can I close this issue?
The problem is not on my side. I just figured out a workaround. If you want to close this issue, go ahead, but there is an issue with the current implementation of purchased SSL. That's all!
Hi there, I have a wildcard cert purchased via PositiveSSL. As per the doc, we must place the certs in the mnt/docker/nginx/certs/live/mail.domain.tld directory; however, when I place the PEM files (bundle + key) in this particular directory, the mail server ignores them and uses a self-signed cert instead. When configuring NGINX, I'm able to point it to the directory and it works fine. Is anyone experiencing this issue? Let me know. Thanks