hardware / mailserver

:warning: UNMAINTAINED - Simple and full-featured mail server using Docker
https://store.docker.com/community/images/hardware/mailserver
MIT License
1.29k stars 324 forks

Automatic refresh of certificate generated by Traefik #384

Closed aiac closed 5 years ago

aiac commented 5 years ago

Classification

Reproducibility

Description

Traefik-generated certificate didn't reload after renewal. I had to restart mailserver containers to refresh the certificate from Traefik.

Steps to reproduce

  1. Configure volumes from traefik acme following mailserver documentation.
  2. Wait 3 months for certificate to expire.
  3. Try to connect via SMTP which is still using previous certificate.

Expected results

Automatic update of the certificate.

Actual results

Expired certificate is kept.

Please at least update the manual with the information that users have to restart the server every 3 months.

denji commented 5 years ago

Did you finish reading the acme section? https://github.com/hardware/mailserver/blob/master/README.md#lets-encrypt-certificates-generated-by-traefik

When SSL certificates are renewed, the mail server must be restarted. You can proceed as follows:

  1. Install incron: apt-get install incron
  2. Add the root user to /etc/incron.allow
  3. Create the following incron job with incrontab -e:

     /mnt/docker/traefik/acme/acme.json IN_MODIFY docker-compose -f /path/to/yml restart mailserver

This job triggers a restart of the mail server container when Traefik's acme file is updated.

metti-himself commented 5 years ago

I have a similar problem, but in /etc/postfix/main.cf

smtpd_tls_cert_file = /etc/letsencrypt/live/$host/cert.pem

These files are pretty outdated, last modification in April. I changed smtpd_tls_cert_file to /etc/letsencrypt/live/$host/fullchain.pem and the cert is now valid. Shouldn't smtpd_tls_cert_file generally use the fullchain.pem? I just don't know how to fix this; I am using the incron solution as well.

navossoc commented 5 years ago

@metti-himself

To enable a remote SMTP client to verify the Postfix SMTP server certificate, the issuing CA certificates must be made available to the client. You should include the required certificates in the server certificate file, the server certificate first, then the issuing CA(s) (bottom-up order).

Example: the certificate for "server.example.com" was issued by "intermediate CA" which itself has a certificate of "root CA". Create the server.pem file with "cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem".

http://www.postfix.org/postconf.5.html#smtpd_tls_cert_file

So yes, this line should be changed to: smtpd_tls_cert_file = {{ .FULLCHAIN }}

Regardless, your cert.pem file should be up to date.

You should check the contents of these files at: https://www.sslshopper.com/certificate-decoder.html

The certificates on cert.pem and fullchain.pem (1st one on the file) must match.

PS: I'm not using the "automatic refresh" thing and my files match as they should be...

[]'s
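The two checks raised in this thread, that the certificate Postfix serves is the renewed one (denji's restart-on-renewal point) and that cert.pem matches the first certificate in fullchain.pem with the issuing CA following it (navossoc's point), as an added example that is not code from the mailserver project or from either commenter. It uses only the Python standard library; the PEM blocks at the bottom are constructed placeholders, not real certificates, so the file checks run offline, while served_cert_not_after is a live STARTTLS check against a host name you supply.

```python
import base64, hashlib, re, smtplib, ssl
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def check_bundle(cert_pem, fullchain_pem):
    """Return a list of problems (empty = OK): cert.pem must hold exactly one cert,
    it must equal the FIRST block of fullchain.pem, and fullchain.pem must carry
    at least one issuing CA after the server certificate (Postfix bottom-up order)."""
    certs, chain = pem_blocks(cert_pem), pem_blocks(fullchain_pem)
    problems = []
    if len(certs) != 1:
        problems.append("cert.pem should contain exactly one certificate")
    if len(chain) < 2:
        problems.append("fullchain.pem has no issuing CA after the server certificate")
    if certs and chain and certs[0] != chain[0]:
        problems.append("cert.pem does not match the first certificate in fullchain.pem "
                        "(stale cert.pem?)")
    return problems

def served_cert_not_after(host, port=25):
    """Live check (needs network, not run offline): STARTTLS to the mail server and
    return the notAfter date of the certificate it actually serves, so a certificate
    that Postfix kept after renewal shows up without reading any files."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        not_after = smtp.sock.getpeercert()["notAfter"]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)

# Constructed sample data: NOT real certificates, just placeholder base64 payloads
# so the block-order and match logic above can be exercised offline.
def _pem(payload):
    b = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b + "\n-----END CERTIFICATE-----\n"

SERVER_PEM = _pem(b"constructed renewed server cert for mail.example.org")
CA_PEM = _pem(b"constructed intermediate CA")
OLD_PEM = _pem(b"constructed EXPIRED server cert")
FULLCHAIN = SERVER_PEM + CA_PEM   # renewed server cert first, then its issuer
STALE_CERT = OLD_PEM              # a cert.pem that was never refreshed
```

Compare fingerprint(pem_blocks(open("fullchain.pem").read())[0]) with the output of openssl x509 -noout -fingerprint -sha256 on the same file to confirm the two agree before relying on the check.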

metti-himself commented 5 years ago

@navossoc it could still be some sort of issue on my end. I made a few custom changes to the base image, because I needed a new feature from postfix 3.2 (smtpd_milter_maps). Thank you anyway.

taniki commented 5 years ago

I have the same issue. cert.pem and chain.pem are not updated while fullchain.pem and privkey.pem are alright. I am using the automatic renewal and traefik certs.

A workaround is to target fullchain.pem with a custom postfix configuration file.

hardware commented 5 years ago

Fixed by https://github.com/hardware/mailserver/pull/366