r-raymond / nixos-mailserver

A complete and Simple Nixos Mailserver
GNU General Public License v3.0

ACME certificate location #21

Closed jbboehr closed 6 years ago

jbboehr commented 7 years ago

At least on NixOS 17.09, it appears the certs are in /var/lib/acme/${host} and not /var/lib/acme/acme-challenge/${host} and the private key is called key.pem and not privkey.pem

diff --git a/mail-server/common.nix b/mail-server/common.nix
index 0d15ce7..63fa3d7 100644
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@@ -26,7 +26,7 @@ in
              else if cfg.certificateScheme == 2
                   then "${cfg.certificateDirectory}/cert-${cfg.domain}.pem"
                   else if cfg.certificateScheme == 3
-                       then "/var/lib/acme/acme-challenge/${cfg.hostPrefix}.${cfg.domain}/fullchain.pem"
+                       then "/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}/fullchain.pem"
                        else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";

   # key :: PATH
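Review bot: the changed line corrects the base directory, but nothing in the file records why "acme-challenge" was wrong, so a future reader may "fix" it back; add a short comment above the scheme 3 branch saying that /var/lib/acme/acme-challenge is only the webroot from which the HTTP challenge responses are served and that the issued fullchain.pem lives under /var/lib/acme/${cfg.hostPrefix}.${cfg.domain}.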
@@ -35,6 +35,6 @@ in
         else if cfg.certificateScheme == 2
              then "${cfg.certificateDirectory}/key-${cfg.domain}.pem"
               else if cfg.certificateScheme == 3
-                   then "/var/lib/acme/acme-challenge/${cfg.hostPrefix}.${cfg.domain}/privkey.pem"
+                   then "/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}/key.pem"
                    else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
 }
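Review bot: the key path now rebuilds the same "/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}" prefix that the certificate path in the hunk above already spells out; bind it once (for example let acmeDir = "/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}"; and then "${acmeDir}/fullchain.pem" and "${acmeDir}/key.pem") so the two cannot drift apart again, which is exactly what this report describes: both the directory and the key file name had gone stale independently.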
r-raymond commented 6 years ago

Thanks for the report! This part is unfortunately notoriously hard to test as it involves setting up the domain records.

Personally I'm still using self signed certs, I need to update my server once I find some time.

Thanks!

jbboehr commented 6 years ago

Fixed by 3d2f41d

jbboehr commented 6 years ago

@r-raymond Off-topic, but is the planned 'Multiple domains' feature distinct domains or domain aliases? I'm more interested in the latter, personally.

r-raymond commented 6 years ago

Distinct domains. What exactly do you mean with domain aliases? It will certainly allow you to alias mail addresses across domain borders. Basically, it should add more domains into the virtual domains file.

This would allow me to drop my other email servers. It should not be hard to implement, but unfortunately I'm kind of swamped right now. Any help is welcome!

jbboehr commented 6 years ago

In my current setup (Ubuntu) that I'm trying to migrate to NixOS I have several domains on one server and, for example, user@domain1.com and user@domain2.com have the same mailbox. How did I set this up originally? No idea, but if I had done it via nix maybe it would've been easier to figure it out.

r-raymond commented 6 years ago

That should be unproblematic. You can just add the virtual domains

domain1.com
domain2.com

add a user

user@domain1.com

and set up an alias

user@domain2.com user@domain1.com

to achieve this. However, first multiple domains need to be implemented :)


jbboehr commented 6 years ago

Well, I'll take a stab at it, but I'm a Nix and Postfix noob, so don't hold your breath.

r-raymond commented 6 years ago

Sounds great!

The steps needed are

1) turn cfg.domain into a list or something
2) Replace

vhosts_file :: Path

vhosts_file = builtins.toFile "vhosts" cfg.domain;

in postfix.nix

That should turn on multidomain support, but various things will be broken then. E.g. the aliases are specified simply by "info" "user1" right now; they will need to also state the domain. Wherever "cfg.domain" is used right now (in postfix, dovecot etc.) we should probably just specify "hostname" (from the nixos config), so that users specify whatever they want there.

Oh and testing. It needs a lot of testing, but I can help with that :)

Good luck!


r-raymond commented 6 years ago

Oh, and if you have any questions, feel free to ask


eqyiel commented 6 years ago

@r-raymond I think you missed one: https://github.com/r-raymond/nixos-mailserver/blob/3d2f41dedca389355d2c4a8c125a4d440c4484f7/mail-server/nginx.nix#L38

r-raymond commented 6 years ago

Now I'm confused, the documentation seems to indicate that this is where the keys and certs are stored. Has this changed? Can anyone confirm this? I'm unfortunately not able before tonight.

jbboehr commented 6 years ago

@r-raymond @eqyiel The acmeRoot should be /var/lib/acme/acme-challenge. This is the webroot where the challenge responses are placed for serving by e.g. nginx. The actual generated certs are placed in /var/lib/acme/${domain}/ (this is what I changed).

https://github.com/NixOS/nixpkgs/blob/97a2cd07481beef15f3e286f64a8a40b918e30de/nixos/modules/services/web-servers/nginx/default.nix#L16
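A sanity check for the layout described above, as an added example that is not code from the thread or from nixos-mailserver: it resolves the paths scheme 3 should point at after the fix (challenge webroot under /var/lib/acme/acme-challenge, issued material under /var/lib/acme/<hostPrefix>.<domain>, files fullchain.pem and key.pem) and then verifies on the host that the pair exists, that the key is not readable by others, that cert and key belong together, and that the cert is not about to expire. The ACME_ROOT override and the function names are assumptions for this example.

```shell
# Added example: resolve and check the ACME cert pair a mail host uses.
# Assumes the NixOS ACME module layout discussed in the thread.
ACME_ROOT="${ACME_ROOT:-/var/lib/acme}"   # override only for testing

# acme_webroot -> where HTTP challenge responses are served from (no certs here)
acme_webroot() { printf '%s/acme-challenge\n' "$ACME_ROOT"; }

# acme_cert_dir HOSTPREFIX DOMAIN -> directory holding the issued cert and key
acme_cert_dir() { printf '%s/%s.%s\n' "$ACME_ROOT" "$1" "$2"; }

# File names common.nix must reference for certificateScheme == 3
cert_path() { printf '%s/fullchain.pem\n' "$(acme_cert_dir "$1" "$2")"; }
key_path()  { printf '%s/key.pem\n'       "$(acme_cert_dir "$1" "$2")"; }

# key_is_private FILE -> 0 when the "other" permission bits are all clear
key_is_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# pair_matches CERT KEY -> 0 when both carry the same public key
pair_matches() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# check_mail_certs HOSTPREFIX DOMAIN -> 0 when every check passes, else prints findings
check_mail_certs() {
  cert=$(cert_path "$1" "$2"); key=$(key_path "$1" "$2"); rc=0
  [ -r "$cert" ] || { echo "missing or unreadable cert: $cert"; rc=1; }
  [ -f "$key" ]  || { echo "missing key: $key"; rc=1; }
  [ "$rc" -eq 0 ] || return "$rc"
  key_is_private "$key" || { echo "key readable by others: $key"; rc=1; }
  pair_matches "$cert" "$key" || { echo "cert and key do not match"; rc=1; }
  # -checkend: fail if the cert expires within 7 days (604800 s)
  openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null 2>&1 \
    || { echo "cert expires within 7 days: $cert"; rc=1; }
  [ "$rc" -eq 0 ] && echo "ok: $cert with $key"
  return "$rc"
}
```

Run it as check_mail_certs mail example.com on the server; a non-zero exit with a printed finding points at the path, permission, or pairing problem that would otherwise surface only as a TLS failure in postfix or dovecot.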

r-raymond commented 6 years ago

Ok thanks for verifying. The description

"Directory to store certificates and keys managed by the ACME service."

seems a little misleading :)


eqyiel commented 6 years ago

My bad!