Custom Certificate Management

PerpetuumMobile · June 24, 2024, 2:17pm

I need to provide a custom certificate for dovecot and postfix, so I use
api-cli run module/traefik1/upload-certificate --data '{"certFile":"...base64-cert....","keyFile":"...base64-key...."}'
and get in GUI Settings / TLS certificates my certificate with status “Uploaded”
=> perfect … that’s easy to use.

Then installed mail and set the “Mail server hostname” to the same name as that uploaded certificate.
dovecot and postfix both use selfsigned certificates - not my uploaded one

In GUI Settings / TLS certificates a new entry appears with my hostname and status “Not obtained”
Seems that traefik wants to get a Let’s Encrypt Certificate for that same name.

Question 1)
Where can we set the relationship between services and certificates?
(in my case)

dovecot => use this uploaded certificate
postfix => use that certificate
or if if can only be done by container:
mail1 => use my uploaded certificate

trying to fix that manualy I put my certificate & key in
/home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/ and
/home/mail1/.local/share/containers/storage/volumes/postfix-cert/_data/

That helps for dovecot, which now uses my certificate, but postfix still uses “nethserver.test”

Question 2)
in which location does postfix need the certificate to find/use it - or
where is postfix’s main.cf located - so that I can lookup myself

thx & Tom

davidep · June 25, 2024, 8:11am

This is a bug description

Added a card to NethServer 8 · GitHub.

davidep · June 25, 2024, 8:18am

Writing files into container volumes with such absolute paths is dangerous. It bypasses the uid:gid namespace and leads to access issues. Refer to the app README instead, ns8-mail/README.md at main · NethServer/ns8-mail · GitHub.

PerpetuumMobile · June 25, 2024, 11:15am

In the NethServer/ns8-mail · GitHub is a typo in Section “Postfix custom configuration”:

# print the config values that differ from Postfix defaults ....
podman exec -ti dovecot doveconf -n

should be

podman exec -ti postfix postconf -n

PerpetuumMobile · June 25, 2024, 3:23pm

if someone needs to deploy custom certificates for mail,
this is my first draft of a solution:

# dovecot
scp $cert_pfad/fullchain.pem $nethserver_ip:/home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/server.pem
scp $cert_pfad/privkey.pem $nethserver_ip:/home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/server.key

# postfix
cp $cert_pfad/privkey.pem /tmp/fullchain.pem
cat $cert_pfad/fullchain.pem >> /tmp/fullchain.pem
scp $cert_pfad/fullchain.pem $nethserver_ip:/home/mail1/.local/share/containers/storage/volumes/postfix-cert/_data/server.pem
scp $cert_pfad/privkey.pem $nethserver_ip:/home/mail1/.local/share/containers/storage/volumes/postfix-cert/_data/server.key
scp /tmp/fullchain.pem $nethserver_ip:/home/mail1/.local/share/containers/storage/volumes/postfix-cert/_data/fullchain.pem
rm /tmp/fullchain.pem

uncommented=$( ssh $nethserver_ip 'cat /home/mail1/.config/systemd/user/dovecot.service | grep "#ExecStartPre=-runagent install-certificate dovecot"' )
if [ -z "$uncommented" ]; then 
    ssh $nethserver_ip 'sed -i "/^ExecStartPre=-runagent install-certificate dovecot$/s/^/#/" /home/mail1/.config/systemd/user/dovecot.service'
    ssh $nethserver_ip 'runagent -m mail1 systemctl --user daemon-reload'
    echo "disabled install-certificate dovecot"
fi

uncommented=$( ssh $nethserver_ip 'cat /home/mail1/.config/systemd/user/postfix.service | grep "#ExecStartPre=-runagent install-certificate postfix"' )
if [ -z "$uncommented" ]; then 
    ssh $nethserver_ip 'sed -i "/^ExecStartPre=-runagent install-certificate postfix$/s/^/#/" /home/mail1/.config/systemd/user/postfix.service'
    ssh $nethserver_ip 'runagent -m mail1 systemctl --user daemon-reload'
    echo "disabled install-certificate postfix"
fi

ssh $nethserver_ip 'runagent -m mail1 systemctl restart --user dovecot.service'
ssh $nethserver_ip 'runagent -m mail1 systemctl restart --user postfix.service'

$cert_pfad is the path where my certificates are stored
in /tmp/fullchain.pem a file for postfix - with the key and the full certificate chain is being created
in both if “uncommented” statements I disable install-certificate for dovecot and postfix, which would overwrite the manual copied files
This script runs on my Nginx Proxy Manager machine and delivers the current certificate to the nethserver machine

PerpetuumMobile · June 27, 2024, 9:35pm

update: second draft of a solution:
Disabling install-certificate in the dovecot and postfix .service’s was not the way, because it is being triggered somewhere else.
So I decided to disable the install-certificate script itself by inserting an exit line at the top:

install_certificate_disabled=$( ssh $nethserver_ip 'sed -n '2p' /home/mail1/.config/bin/install-certificate' )
if [ -z "$install_certificate_disabled" ]; then 
    ssh $nethserver_ip 'sed -i "1 aexit 0" /home/mail1/.config/bin/install-certificate'
    echo "disabled install-certificate script"
fi

so far my deployed certificate does not get overwritten…