mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

IMAP and SMTP not using own wildcard cert #3899

Closed Djiock closed 3 years ago

Djiock commented 3 years ago


Summary

I have an issue with "use your own certificate": I want to use my server-wide wildcard but apparently IMAP and SMTP are still using the old bundled LE certificate and it expired... SOGo is working fine, I'm receiving and sending mails.

Logs

postfix-mailcow_1 | Dec 12 14:18:59 d7ab5c53e48b postfix/smtps/smtpd[22117]: connect from mail.dmain.fr[142.4.213.23]
postfix-mailcow_1 | Dec 12 14:18:59 d7ab5c53e48b postfix/smtps/smtpd[22117]: SSL_accept error from mail.dmain.fr[142.4.213.23]: -1
postfix-mailcow_1 | Dec 12 14:18:59 d7ab5c53e48b postfix/smtps/smtpd[22117]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
postfix-mailcow_1 | Dec 12 14:18:59 d7ab5c53e48b postfix/smtps/smtpd[22117]: lost connection after CONNECT from mail.dmain.fr[142.4.213.23]
postfix-mailcow_1 | Dec 12 14:18:59 d7ab5c53e48b postfix/smtps/smtpd[22117]: disconnect from mail.dmain.fr[142.4.213.23] commands=0/0
postfix-mailcow_1 | Dec 12 14:18:59 d7ab5c53e48b postfix/postscreen[22121]: CONNECT from [103.253.42.54]:58964 to [172.22.1.10]:25

Reproduction

I did everything here https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ssl/#how-to-use-your-own-certificate and even when I try the post-hook script https://mailcow.github.io/mailcow-dockerized-docs/firststeps-rp/#optional-post-hook-script-for-non-mailcow-acme-clients I still have the issue... the cert and key are identical to my wildcard... See, the certificate was correctly copied:

openssl x509 -enddate -noout -in data/assets/ssl/cert.pem
result: notAfter=Jan 31 21:51:40 2021 GMT

I sought help on Telegram but it looks like a tough one, possibly a bug, as I was asked to try

docker-compose exec postfix-mailcow bash
root@bf9f5c9e54ab:/# openssl x509 -enddate -noout -in /etc/ssl/mail/cert.pem

Same result: notAfter=Jan 31 21:51:40 2021 GMT

System information

Question                                                                                  | Answer
------------------------------------------------------------------------------------------|------------------------
My operating system                                                                       | Ubuntu 20.04
Is Apparmor, SELinux or similar active?                                                   | Apparmor active
Virtualization technology (KVM, VMware, Xen, etc. - LXC and OpenVZ are not supported)     | dedicated server
Server/VM specifications (Memory, CPU Cores)                                              | 8 GB of RAM, CPU 4 cores
Docker Version (docker version)                                                           | 20.10.0
Docker-Compose Version (docker-compose version)                                           | 1.27.4
Reverse proxy (custom solution)                                                           | NGINX

Thanks!

Djiock commented 3 years ago

Ok I figured it out. The doc says "To use your own certificates, just save the combined certificate (containing the certificate and intermediate CA/CA if any) to data/assets/ssl/cert.pem and the corresponding key to data/assets/ssl/key.pem". But I actually had to copy also the key and cert in data/assets/ssl/mail.domain.com/ in order to have IMAP and SMTP working. I presume you have to do so for every domain...

I think the doc should be updated, this part as well: https://mailcow.github.io/mailcow-dockerized-docs/firststeps-rp/#optional-post-hook-script-for-non-mailcow-acme-clients.

This is really an amazing project, I'm glad this issue is fixed for me :)

andryyy commented 3 years ago

Glad you figured it out and thank you! Do you have TLS SNI enabled?

It should be enough to copy the certs and restart acme-mailcow.

Djiock commented 3 years ago

"Do you have TLS SNI enabled?"

I don't think so and I don't use several domains yet

andryyy commented 3 years ago

I think I understand the problem and will provide a patch. Nevertheless your workaround is okay and will work. :)

Djiock commented 3 years ago

That's great! Thanks :)

MElhagaly commented 3 years ago

Hi @andryyy, I am facing the exact same problem using my own certificate.

Is there a patch available yet or should I try the workaround described above?

andryyy commented 3 years ago

Update to the latest mailcow. Make sure you don't use symlinks and use the correct files. 90% of the problems are incorrectly setup certificates. :/ Or missing reloads/restarts of services.

Djiock commented 3 years ago

Well I had the same issue when my certificate expired (didn't set up the post-hook yet...), I updated to the latest version of mailcow but I still had to copy the key/cert in a subfolder "mail.domain" for IMAP to work properly. No big deal but doesn't look fixed yet

andryyy commented 3 years ago

You may need to run docker-compose down, delete that subfolder and run docker-compose up -d.

andryyy commented 3 years ago

Ah, it is also very important that you set SKIP_LETS_ENCRYPT=y in your mailcow.conf, else the SNI maps will be used.

Djiock commented 3 years ago

Indeed that looks OK now! Thanks! Do you want me to confirm after my certificate renewal? Or maybe we can close this issue?

andryyy commented 3 years ago

We can wait for the renewal, if you like. :)

github-actions[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

Djiock commented 3 years ago

The renewal was just a few days ago, but thanks to this bot I was reminded that I should close this issue if it went well: it did! No need for the subfolder anymore, closing. Thanks!
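The thread above resolves by copying the certificate, setting SKIP_LETS_ENCRYPT=y and restarting; the check that is missing from it is whether the daemons on 465, 587 and 993 actually present the leaf certificate in data/assets/ssl/cert.pem rather than a stale one from the SNI maps. The script below is an added example, not mailcow's own code: it compares the SHA-256 fingerprint of cert.pem with the certificate each port serves, using the hostname as SNI, and assumes a hostname passed on the command line and the default cert.pem path; the embedded SAMPLE_PEM is a constructed placeholder used only for offline checks.

```python
import hashlib
import smtplib
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder for offline use: the helpers below only base64-decode
# the PEM body, so this is not a real certificate.
SAMPLE_PEM = f"{PEM_HEADER}\nAAECAwQFBgcICQ==\n{PEM_FOOTER}\n"

def der_fingerprint(der: bytes) -> str:
    # SHA-256, colon-separated like `openssl x509 -noout -fingerprint -sha256`
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def leaf_fingerprint(bundle: str) -> str:
    # Only the first block of a combined cert.pem is the leaf the server presents
    start = bundle.index(PEM_HEADER)
    end = bundle.index(PEM_FOOTER, start) + len(PEM_FOOTER)
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(bundle[start:end]))

def served_fingerprint(host: str, port: int, starttls: bool = False, timeout: float = 10) -> str:
    # Verification is disabled on purpose: an expired or wrong certificate must be
    # reported, not hidden behind a handshake failure. SNI is sent as `host`.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if starttls:  # submission port 587: plain SMTP first, then STARTTLS
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return der_fingerprint(smtp.sock.getpeercert(binary_form=True))
    with socket.create_connection((host, port), timeout=timeout) as raw:  # implicit TLS
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return der_fingerprint(tls.getpeercert(binary_form=True))

def check_mail_ports(host: str, cert_path: str = "data/assets/ssl/cert.pem") -> dict:
    # port -> True when the daemon presents the same leaf as cert.pem
    with open(cert_path) as f:
        expected = leaf_fingerprint(f.read())
    ports = {465: False, 587: True, 993: False}  # port -> uses STARTTLS?
    return {p: served_fingerprint(host, p, tls) == expected for p, tls in ports.items()}

if __name__ == "__main__":
    import sys  # usage: python check_mail_tls.py mail.example.com
    for port, ok in check_mail_ports(sys.argv[1]).items():
        print(f"port {port}: {'matches cert.pem' if ok else 'DIFFERENT certificate'}")
```

A port reported as DIFFERENT after a restart is exactly the symptom in this issue; run it again after docker-compose down / up -d to confirm the fix took effect.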