Closed: greenmoss closed this issue 1 year ago
Hi, there is no fullchain.pem in mailcow as cert.pem is the fully chained certificate.
Please do not push untested to master.
> Hi, there is no fullchain.pem in mailcow as cert.pem is the fully chained certificate.

There is a cert.pem and a fullchain.pem. I'm assuming they were generated by certbot, and then something in mailcow chooses one to symlink.

```
cd data/assets/ssl
ls -l key.pem cert.pem
lrwxrwxrwx 1 root root 32 May 29 06:25 cert.pem -> live/my.domain.com/cert.pem
lrwxrwxrwx 1 root root 35 May 29 06:25 key.pem -> live/my.domain.com/privkey.pem
cd live/my.domain.com
ls -l
total 4
lrwxrwxrwx 1 root root 42 May 29 06:25 cert.pem -> ../../archive/my.domain.com/cert5.pem
lrwxrwxrwx 1 root root 43 May 29 06:25 chain.pem -> ../../archive/my.domain.com/chain5.pem
lrwxrwxrwx 1 root root 47 May 29 06:25 fullchain.pem -> ../../archive/my.domain.com/fullchain5.pem
lrwxrwxrwx 1 root root 45 May 29 06:25 privkey.pem -> ../../archive/my.domain.com/privkey5.pem
-rw-r--r-- 1 root root 692 Sep 29 2021 README
diff cert.pem fullchain.pem | wc -l
62
```

The README says about cert.pem: "will break many server configurations, and should not be used". The README says about fullchain.pem: "the certificate file used in most server software."
> Please do not push untested to master.

Your contribution guidelines are silent on this. Tell me which branch.
> I'm assuming they were generated by certbot

Mailcow uses acmesh not certbot.
Hmm... I'm not sure how all those things got in there. I don't think I did that. Do you all see the same that I am seeing? That is: cert.pem, fullchain.pem, and the README saying to use fullchain.pem?

One possibility instead of changing the code via PR #4615 might be to change the cert.pem symlink in data/assets/ssl to point to fullchain.pem. However I don't know how that file got there either. Is it generated by code somewhere within the Mailcow docker-compose cluster?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Remains an issue, please do not close
bump
We include it of course. It wouldn't work if we didn't.
You are only checking the filename, aren't you? Check the content.
> We include it of course. It wouldn't work if we didn't.
> You are only checking the filename, aren't you? Check the content.

That's exactly my point. It was a symlink for me, and it didn't work. Then I manually re-linked to fullchain.pem and it did work.
Is this not reproducible by/for anyone else?
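A content check for the symlinked certificate file, as an added example that is not part of this thread or of mailcow's or acme.sh's code; the certificate blocks and the data/assets/ssl layout it builds are constructed stand-ins, and it relies on GNU `readlink -f`:

```shell
#!/bin/sh
# Added example, not mailcow's or acme.sh's code: tell whether the PEM file a
# server actually serves holds only the leaf certificate or the full chain.
# The "certificates" below are constructed placeholders, not real X.509 data.

# Number of certificate blocks in a PEM file. grep -c exits 1 on zero matches,
# so "|| true" keeps the printed count (0) instead of turning it into a failure.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Classify a certificate file: empty, leaf-only (what the issue reports for
# cert.pem) or chain (leaf plus at least one intermediate).
classify_pem() {
    n=$(pem_cert_count "$1")
    if [ "$n" -eq 0 ]; then echo empty
    elif [ "$n" -eq 1 ]; then echo leaf-only
    else echo chain
    fi
}

# True when the bundle ($2) begins with exactly the leaf file ($1), i.e. the
# bundle is cert.pem followed by the intermediates (the certbot/acme.sh layout).
fullchain_starts_with_leaf() {
    head -n "$(wc -l < "$1" | tr -d ' ')" "$2" | cmp -s - "$1"
}

# Report what a symlinked entry such as data/assets/ssl/cert.pem resolves to
# and what it contains; the file name alone says nothing about the content.
check_served_cert() {
    printf '%s -> %s: %s\n' "$1" "$(readlink -f "$1")" "$(classify_pem "$1")"
}

# Constructed stand-in for mailcow's data/assets/ssl layout.
SSL_DIR=$(mktemp -d)
mkdir -p "$SSL_DIR/live/my.domain.com"
block() { printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'; }
block PLACEHOLDER-LEAF         > "$SSL_DIR/live/my.domain.com/cert.pem"
block PLACEHOLDER-INTERMEDIATE > "$SSL_DIR/live/my.domain.com/chain.pem"
cat "$SSL_DIR/live/my.domain.com/cert.pem" "$SSL_DIR/live/my.domain.com/chain.pem" \
    > "$SSL_DIR/live/my.domain.com/fullchain.pem"
ln -s live/my.domain.com/cert.pem "$SSL_DIR/cert.pem"   # the link the issue describes

check_served_cert "$SSL_DIR/cert.pem"   # leaf-only: the intermediate is missing
ln -sf live/my.domain.com/fullchain.pem "$SSL_DIR/cert.pem"   # the manual re-link that worked
check_served_cert "$SSL_DIR/cert.pem"   # chain
```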
Bump
bump
Description
Letsencrypt changed the way they sign certificates. More info: https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html. Since that change, some systems, e.g. Mail on iPhone, refuse Letsencrypt certificates.
I have a PR which fixes the problem, and will attach it to this issue.
Logs
Steps to reproduce
System information

- docker version: Docker version 20.10.12, build e91ed57
- docker-compose version: docker-compose version 1.29.2, build 5becea4c
- git describe --tags `git rev-list --tags --max-count=1`: 2022-05d
- Output of git diff origin/master, any other changes to the code? If so, please post them:
- All third-party firewalls and custom iptables rules are unsupported. Please check the Docker docs about how to use Docker with your own ruleset. Nevertheless, iptables output can help us to help you: iptables -L -vn:
- ip6tables -L -vn:
- iptables -L -vn -t nat:
- ip6tables -L -vn -t nat:
- DNS problems? Please run docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254 (set the IP accordingly, if you changed the internal mailcow network) and post the output: