I need to provide a custom certificate for dovecot and postfix, so I use api-cli run module/traefik1/upload-certificate --data '{"certFile":"...base64-cert....","keyFile":"...base64-key...."}'
and get in GUI Settings / TLS certificates my certificate with status “Uploaded”
=> perfect … that’s easy to use.
Then installed mail and set the “Mail server hostname” to the same name as that uploaded certificate.
dovecot and postfix both use self-signed certificates - not my uploaded one
In GUI Settings / TLS certificates a new entry appears with my hostname and status “Not obtained”
Seems that traefik wants to get a Let’s Encrypt Certificate for that same name.
Question 1)
Where can we set the relationship between services and certificates?
(in my case)
dovecot => use this uploaded certificate
postfix => use that certificate
or if it can only be done by container:
mail1 => use my uploaded certificate
Trying to fix that manually, I put my certificate & key in
/home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/ and
/home/mail1/.local/share/containers/storage/volumes/postfix-cert/_data/
That helps for dovecot, which now uses my certificate, but postfix still uses “nethserver.test”
Question 2)
In which location does postfix need the certificate to find/use it - or
where is postfix’s main.cf located - so that I can look it up myself?
Writing files into container volumes with such absolute paths is dangerous. It bypasses the uid:gid namespace and leads to access issues. Refer to the app README instead, ns8-mail/README.md at main · NethServer/ns8-mail · GitHub.
update: second draft of a solution:
Disabling install-certificate in the dovecot and postfix .service’s was not the way, because it is being triggered somewhere else.
So I decided to disable the install-certificate script itself by inserting an exit line at the top:
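# Read line 2 of the script; it is "exit 0" once the script has been disabled
install_certificate_disabled=$( ssh "$nethserver_ip" 'sed -n 2p /home/mail1/.config/bin/install-certificate' )
if [ "$install_certificate_disabled" != "exit 0" ]; then
    # Append "exit 0" after line 1 so the script returns before doing anything
    ssh "$nethserver_ip" 'sed -i "1 aexit 0" /home/mail1/.config/bin/install-certificate'
    echo "disabled install-certificate script"
fi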
so far my deployed certificate does not get overwritten…
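A way to check which certificate postfix and dovecot actually present, by comparing the served certificate's SHA-256 fingerprint with the uploaded PEM file. This is an added example, not part of the posts above and not ns8-mail code; the host name `mail.example.org`, the file name `cert.pem`, the endpoint names and the ports are assumptions.

```python
import base64, hashlib, smtplib, socket, ssl

HEADER, FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in a PEM file or full chain."""
    start = pem_text.index(HEADER)
    end = pem_text.index(FOOTER, start) + len(FOOTER)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text[start:end])).hexdigest()

def served_der(host, port, mode, timeout=10):
    """Fetch the DER certificate a service presents, without validating it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # inspection only: a self-signed
    ctx.verify_mode = ssl.CERT_NONE  # certificate must still be retrievable
    if mode == "smtp-starttls":
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert(binary_form=True)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def compare(expected_pem, host, endpoints, fetch=served_der):
    """Map each endpoint name to 'match', 'MISMATCH <fp>' or 'error <reason>'."""
    want, out = pem_fingerprint(expected_pem), {}
    for name, (port, mode) in endpoints.items():
        try:
            got = hashlib.sha256(fetch(host, port, mode)).hexdigest()
            out[name] = "match" if got == want else "MISMATCH " + got[:16]
        except (OSError, smtplib.SMTPException) as exc:
            out[name] = "error " + type(exc).__name__
    return out

# Assumed endpoints (standard ports; adjust to what the mail module exposes).
ENDPOINTS = {"postfix-smtp": (25, "smtp-starttls"),
             "postfix-submission": (587, "smtp-starttls"),
             "dovecot-imaps": (993, "tls")}

if __name__ == "__main__":
    # Constructed demo: fake certificate bytes and a stub fetcher, so this runs offline.
    # Real use: compare(open("cert.pem").read(), "mail.example.org", ENDPOINTS)
    def pem(der):
        return f"{HEADER}\n{base64.encodebytes(der).decode()}{FOOTER}\n"
    mine, default = b"constructed uploaded cert", b"constructed self-signed cert"
    stub = lambda host, port, mode: default if port in (25, 587) else mine
    for name, status in compare(pem(mine), "mail.example.org", ENDPOINTS, stub).items():
        print(f"{name:20} {status}")
```

A MISMATCH on the postfix endpoints together with a match on dovecot corresponds to the state described in the first post.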