Closed. aiac closed this issue 5 years ago.
Did you finish reading the acme section? https://github.com/hardware/mailserver/blob/master/README.md#lets-encrypt-certificates-generated-by-traefik
When SSL certificates are renewed, the mail server must be restarted. You can proceed as follows:

1. `apt-get install incron`
2. Add the `root` user to `/etc/incron.allow`
3. `incrontab -e`
4. Add this line:

```
/mnt/docker/traefik/acme/acme.json IN_MODIFY docker-compose -f /path/to/yml restart mailserver
```

This job triggers a restart of the mail server container when traefik's acme file is updated.
I have a similar problem, but in /etc/postfix/main.cf:

```
smtpd_tls_cert_file = /etc/letsencrypt/live/$host/cert.pem
```

These files are pretty outdated (last modification in April). I changed smtpd_tls_cert_file to /etc/letsencrypt/live/$host/fullchain.pem and the cert is now valid. Shouldn't smtpd_tls_cert_file generally use the fullchain.pem? I just don't know how to fix this; I am using the incron solution as well.
@metti-himself
To enable a remote SMTP client to verify the Postfix SMTP server certificate, the issuing CA certificates must be made available to the client. You should include the required certificates in the server certificate file, the server certificate first, then the issuing CA(s) (bottom-up order).
Example: the certificate for "server.example.com" was issued by "intermediate CA" which itself has a certificate of "root CA". Create the server.pem file with "cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem".
http://www.postfix.org/postconf.5.html#smtpd_tls_cert_file
So yes, this line should be changed to:
smtpd_tls_cert_file = {{ .FULLCHAIN }}
Regardless, your cert.pem file should be up to date.
You should check the contents of these files at: https://www.sslshopper.com/certificate-decoder.html
The certificates in cert.pem and fullchain.pem (1st one in the file) must match.
PS: I'm not using the "automatic refresh" thing and my files match as they should be...
[]'s
@navossoc it could still be some sort of issue on my end. I made a few custom changes to the base image, because I needed a new feature from postfix 3.2 (smtpd_milter_maps). Thank you anyway.
I have the same issue. cert.pem and chain.pem are not updated while fullchain.pem and privkey.pem are alright. I am using the automatic renewal and traefik certs.
A workaround is to target fullchain.pem with a custom postfix configuration file.
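Added example, not code from the project or from anyone in this thread: a stdlib-only check for the two points raised above. It verifies that cert.pem holds exactly the first certificate of fullchain.pem (navossoc's advice), and it decides whether the incron trigger actually needs to restart the mail server by comparing the leaf fingerprint against the last run, so a modification of acme.json that did not change the served certificate causes no restart. The `state` dict and the sample PEM blocks are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

# One PEM-armoured certificate; the group captures the base64 body.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def split_pem(bundle):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(bundle)]

def fingerprint(der):
    """SHA-256 fingerprint of one DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def leaf_matches(cert_pem, fullchain_pem):
    """True when cert.pem holds exactly the certificate that leads fullchain.pem."""
    cert, chain = split_pem(cert_pem), split_pem(fullchain_pem)
    return len(cert) == 1 and bool(chain) and fingerprint(cert[0]) == fingerprint(chain[0])

def needs_restart(fullchain_pem, state):
    """Restart only when the leaf in fullchain.pem changed since the last run.
    `state` stands in for a small on-disk state file (hypothetical), so an IN_MODIFY
    trigger on acme.json does not restart the mail server on every write."""
    chain = split_pem(fullchain_pem)
    if not chain:
        return False
    current = fingerprint(chain[0])
    if state.get("leaf") == current:
        return False
    state["leaf"] = current
    return True

def fake_pem(label):
    """Constructed stand-in: real PEM framing around a dummy payload, not a certificate."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample files mirroring the thread: a stale cert.pem from April next to
# a fullchain.pem that Traefik has already renewed.
CERT_STALE = fake_pem("leaf issued in April")
FULLCHAIN_RENEWED = fake_pem("leaf renewed") + fake_pem("intermediate CA")

if __name__ == "__main__":
    print("cert.pem matches fullchain.pem:", leaf_matches(CERT_STALE, FULLCHAIN_RENEWED))
    print("restart needed:", needs_restart(FULLCHAIN_RENEWED, {}))
```

Run it against the real files by reading /etc/letsencrypt/live/$host/cert.pem and fullchain.pem into the two arguments; a mismatch reproduces the stale cert.pem situation described in this thread.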
Description
The Traefik-generated certificate didn't reload after renewal. I had to restart the mailserver containers to refresh the certificate from Traefik.
Expected results
Automatic update of the certificate.
Actual results
Expired certificate is kept.
Please, at least update the manual with the information that users have to restart the server every 3 months.