hardware / mailserver

:warning: UNMAINTAINED - Simple and full-featured mail server using Docker
https://store.docker.com/community/images/hardware/mailserver
MIT License

SSL value mismatch #346

Closed vabatta closed 5 years ago

vabatta commented 5 years ago


Docker information

docker info
docker images hardware/mailserver --digests --filter "dangling=false"

Docker version
17.05.0-ce

REPOSITORY            TAG                 DIGEST                                                                    IMAGE ID            CREATED             SIZE
hardware/mailserver   1.1-stable          sha256:01fc6b8144645b1e2e72167537e8e06e712025081515d743ba6ae318dd130e93   e104731dff09        3 days ago          385MB

Description

After adding the Let's encrypt certificates from Traefik to the mailserver (as described in ssl-certificates), it disables TLS by saying that the certificate has a value mismatch.

Expected results

TLS enabled with Traefik certificates.

Actual results

TLS disabled.

Debugging information

docker logs mailserver

[INFO] Search for SSL certificates generated by Traefik
[INFO] acme.json found with ACME v2 format, dumping into pem files
[INFO] Let's encrypt wildcard certificate found
[INFO] Let's encrypt live directory found
[INFO] Using /etc/letsencrypt/live/mail.domain.tld folder
...
2019-01-02T12:28:20.708521+00:00 mail postfix/smtpd[692]: warning: cannot get RSA private key from file "/etc/letsencrypt/live/mail.domain.tld/privkey.pem": disabling TLS support
2019-01-02T12:28:20.709031+00:00 mail postfix/smtpd[692]: warning: TLS library problem: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:../crypto/x509/x509_cmp.c:295:
2019-01-02T12:28:21.936297+00:00 mail postfix/smtpd[692]: connect from unknown[<IP>]
2019-01-02T12:28:22.704889+00:00 mail postfix/smtpd[692]: disconnect from unknown[<IP>] helo=1 auth=0/1 quit=1 commands=2/3

Configuration (docker-compose.yml, traefik.toml...etc)

Traefik has the correct values for the Cloudflare provider (CF_API_EMAIL & CF_API_KEY => the Global API Key not the Origin CA Key).

Relevant config values from files.

docker-compose.yml

  mailserver:
    image: hardware/mailserver:${MAILSERVER_DOCKER_TAG}
    container_name: mailserver
    restart: ${RESTART_MODE}
    domainname: ${MAILSERVER_DOMAIN}                    # Mail server A/MX/FQDN & reverse PTR = mail.domain.tld.
    hostname: ${MAILSERVER_HOSTNAME}
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:spam.${MAILSERVER_DOMAIN}
      - traefik.port=11334
      - traefik.docker.network=http_network
    # extra_hosts:                          - Required for external database (on other server or for local databases on host without docker)
    #  - "mariadb:xx.xx.xx.xx"              - Replace with IP address of MariaDB server
    #  - "redis:xx.xx.xx.xx"                - Replace with IP address of Redis server
    ports:
      - "25:25"       # SMTP                - Required
    # - "110:110"     # POP3       STARTTLS - Optional - For webmails/desktop clients
      - "143:143"     # IMAP       STARTTLS - Optional - For webmails/desktop clients
    # - "465:465"     # SMTPS      SSL/TLS  - Optional - Enabled for compatibility reason, otherwise disabled
      - "587:587"     # Submission STARTTLS - Optional - For webmails/desktop clients
      - "993:993"     # IMAPS      SSL/TLS  - Optional - For webmails/desktop clients
    # - "995:995"     # POP3S      SSL/TLS  - Optional - For webmails/desktop clients
      - "4190:4190"   # SIEVE      STARTTLS - Optional - Recommended for mail filtering
    environment:
      - DBHOST=mysqldb
      - DBNAME=${DATABASE_NAME}
      - DBUSER=${DATABASE_USER}
      - DBPASS=${DATABASE_USER_PASSWORD}       # MariaDB database password (required)
      - RSPAMD_PASSWORD=${RSPAMD_PASSWORD}     # Rspamd WebUI password (required)
      - ADD_DOMAINS=domain2.com,domain3.com,domain4.com      # Add additional domains separated by commas (needed for dkim keys etc.)
      - OPENDKIM_KEY_LENGTH=2048
    # - DEBUG_MODE=true                        # Enable Postfix, Dovecot, Rspamd and Unbound verbose logging
    # - ENABLE_POP3=true                       # Enable POP3 protocol
    # - ENABLE_FETCHMAIL=true                  # Enable fetchmail forwarding
    # - DISABLE_RATELIMITING=false             # Enable ratelimiting policy
    # - DISABLE_CLAMAV=true                    # Disable virus scanning
    # - DISABLE_SIGNING=true                   # Disable DKIM/ARC signing
    # - DISABLE_GREYLISTING=true               # Disable greylisting policy
    #
    # Full list : https://github.com/hardware/mailserver#environment-variables
    #
    volumes:
      - ${VOLUMES_ROOT_PATH}/mailserver:/var/mail
      - ${VOLUMES_ROOT_PATH}/traefik/acme:/etc/letsencrypt/acme
    depends_on:
      - mysqldb
      - redis
    networks:
      - mail_network
      - http_network

traefik.toml

[acme]
email = "<my@email.com>"
storage = "/etc/traefik/acme/acme.json"
entryPoint = "https"
onHostRule = false
acmeLogging = true
caServer = "https://acme-v02.api.letsencrypt.org/directory"

[acme.tlsChallenge]

[acme.dnsChallenge]
provider = "cloudflare"

[[acme.domains]]
main = "*.domain.tld"

hardware commented 5 years ago

2019-01-02T12:28:20.709031+00:00 mail postfix/smtpd[692]: warning: TLS library problem: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:../crypto/x509/x509_cmp.c:295:

It looks like the private key does not match the certificate, interesting. It should not happen because integration tests handle this specific case.

https://github.com/hardware/mailserver/blob/c1bc395fdc07f4c4705d6b74f60b5bfb4a1e6ac0/test/tests.bats#L1475-L1479

Can you verify that your private key matches?

docker exec -ti mailserver bash
(openssl x509 -noout -modulus -in /etc/letsencrypt/live/mail.domain.tld/cert.pem | openssl md5 ; openssl rsa -noout -modulus -in /etc/letsencrypt/live/mail.domain.tld/privkey.pem | openssl md5) | uniq

If you get more than one identifier, then your key and cert don't match.
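The modulus comparison above only works for RSA keys. The following added script (not part of the hardware/mailserver project or of this thread) performs the same pairing check by comparing the public key embedded in the certificate with the public key derived from the private key, which covers both RSA and EC certificates. It builds its own throwaway RSA and EC pairs under a temporary directory as constructed test material; on a real container you would point `key_matches_cert` at `cert.pem` and `privkey.pem` under `/etc/letsencrypt/live/<host>/` instead. The `rsa.*`, `ec.*` and `missing.key` file names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the hardware/mailserver project. Checks that a PEM
# certificate and a PEM private key belong together by comparing the
# SubjectPublicKeyInfo from the certificate with the one derived from the key.
# This works for RSA and EC keys alike; "openssl rsa -modulus" only covers RSA.
set -eu

# key_matches_cert CERT KEY
# Exit status: 0 = pair matches, 1 = mismatch (Postfix logs
# "key values mismatch" and disables TLS), 2 = a file could not be parsed.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed test material: one self-signed RSA pair and one self-signed EC
# pair, written to DEMO_DIR (file names are assumptions of this example).
make_demo_pki() {
    DEMO_DIR=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$DEMO_DIR/rsa.key" -out "$DEMO_DIR/rsa.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$DEMO_DIR/ec.key"
    openssl req -x509 -new -key "$DEMO_DIR/ec.key" -days 1 \
        -subj "/CN=mail.example.test" -out "$DEMO_DIR/ec.crt" 2>/dev/null
}

# Human-readable verdict for one cert/key pair; never aborts the script.
report() {
    key_matches_cert "$1" "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "OK         $1 <-> $2" ;;
        1) echo "MISMATCH   $1 <-> $2 (Postfix would disable TLS)" ;;
        *) echo "UNREADABLE $1 / $2" ;;
    esac
}

make_demo_pki
report "$DEMO_DIR/rsa.crt" "$DEMO_DIR/rsa.key"      # OK
report "$DEMO_DIR/ec.crt"  "$DEMO_DIR/ec.key"       # OK
report "$DEMO_DIR/rsa.crt" "$DEMO_DIR/ec.key"       # MISMATCH
report "$DEMO_DIR/rsa.crt" "$DEMO_DIR/missing.key"  # UNREADABLE
```

A non-zero exit from `key_matches_cert` is the condition the Postfix warning in the logs above reports at runtime; running the check before the container (re)starts, or right after a fresh `acme.json` has been dumped to PEM files, catches a stale or half-rewritten key file before TLS is silently disabled.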

guissenges commented 5 years ago

I had the same issue. I solved this by removing the acme.json file and recreating it. I guess this happened to me because I was using one of the first stable-1.1 docker images (using older traefik release with acme v1 json format).

vabatta commented 5 years ago

@hardware They do coincide (both before and now, I did the check). I just reactivated the certificates from Traefik, recreated the container and everything works as expected. Seems really strange to me as I didn't change anything until now. Thanks for the help!