Since the Core update to 3.6.0, I can no longer see which Let's Encrypt certificates are current or which could not be issued.
Previously, these were displayed under “Settings > TLS Certificates,” but now only the certificate for the subdomain name I have stored as my mail server is there.
For example, in SOGo, it shows me that I have activated LE there, but not that an LE certificate has been issued.
Can someone explain this to me? I skimmed the release notes and noticed that something had changed in the certificate management. Was the missing certificate listing intentional, moved somewhere, or forgotten?
Regards, Yummiweb
Addendum: Normally, all LE certificates were displayed there; in my case, these were those for Mail, SOGo, and Guacamole. Now only for Mail.
It’s discussed in the release notes on GitHub for Traefik. As I understand it, they changed from the way NS8 started out doing certs, with a cert for every domain and subdomain, “back” to the way it was done in NS7, that being a main domain cert with all the rest of the names in the SAN field as alternative names, where you “should” now find all your subs instead of having a separate cert for each.
Oh no, really? In my opinion, that would be a real step backward. That would also affect the LE certificates of completely different mail domains. Why would someone want to use one certificate to show what other domains are on the server? That always annoyed me with NethServer 7, and in my opinion, it was an improvement with NethServer 8. What could be the reason for wanting to do it again? It’s beyond me.
In my case, I use a reverse proxy with certificate replacement in front of NETH8, but not for all of them. The mail server, in particular, uses its own ports and thus bypasses NGINX anyway – but not when issuing certificates.
The LE certificates are therefore retrieved by both the proxy and NETH8 – which is intentional. This also makes it easy to test whether the ACME passthrough to NETH8 is working. If it didn’t work (after a configuration change), it was displayed directly on NETH8, or it could be tested directly through a “special” domain without all services being affected. Now, ONE incorrect passthrough means NO more certificates on NETH8.
If this is really how it’s handled now, I wouldn’t find it strange. That would be a conceptual change that should have been communicated MUCH better. And it’s downright scary to think about what other uncommunicated changes are being made to the NETH8 concept.
I understand your concerns regarding the changes in certificate management after the Core 3.6.0 update. This change is a small step back before a bigger leap forward!
We are gradually introducing new features (see, for example, User portal, unprotected access from the outside - #14 by davidep), and the current UI still needs refinement. As we approach the end of milestone 8.4, I’ll provide more details in the official announcement and release notes.
With Core 3.6.0 and Traefik 3.0.0, ACME-issued TLS certificates are no longer listed under the “TLS Certificates” page. This change works around a bug that caused duplicate listings. Additionally, in some installations, the page became cluttered and difficult to read due to an excessive number of items. While the current situation isn’t ideal, it’s a temporary trade-off, and we plan to improve it in an upcoming UI update.
TLS certificates required by applications and obtained via ACME always have a single name—other application names are not revealed.
On the other hand, when you request a certificate from the “TLS Certificates” page, you are now configuring the main (first) and any additional (SAN) names for a single certificate, similar to how NS7 handled it. Applications that currently follow this approach include Mail, Ejabberd, and NethVoice Proxy. Given their use cases, the impact of revealing their hostnames in a single certificate is minimal.
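The difference between the two approaches described above (one ACME certificate per application name versus one certificate whose SAN extension lists several names) is easy to see by looking at what a certificate actually carries. The following is an added example for this thread, not code from NethServer or Traefik: it builds two constructed self-signed certificates with OpenSSL under placeholder hostnames (`example.org` names are assumed, not real servers), lists the DNS names each one exposes, and includes a `live_san_names` helper you can point at your own host after an update to check which names the served certificate reveals.

```shell
#!/bin/sh
# Added example, not code from the thread or from NethServer: build two
# constructed self-signed certificates (one per-name, one NS7-style with
# several SAN entries) and list the DNS names each one exposes.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert "a.example.org,b.example.org"
# Writes a self-signed cert whose CN is the first name and whose SAN
# extension holds every name in the list; prints the cert path.
make_cert() {
  first=${1%%,*}
  sans="DNS:$(printf '%s' "$1" | sed 's/,/,DNS:/g')"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$first" -addext "subjectAltName=$sans" \
    -keyout "$WORK/$first.key" -out "$WORK/$first.crt" 2>/dev/null
  printf '%s\n' "$WORK/$first.crt"
}

# san_names CERT.pem
# Prints the DNS entries of the Subject Alternative Name extension, one per line.
san_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# live_san_names HOST [PORT]
# Same check against a running server (SNI is sent so name-based routing
# such as Traefik picks the right certificate). Not run in the demo below.
live_san_names() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Demo with constructed hostnames (example.org is a placeholder domain).
single=$(make_cert "sogo.example.org")
combined=$(make_cert "mail.example.org,sogo.example.org,guacamole.example.org")
echo "per-name certificate exposes:"; san_names "$single"
echo "SAN certificate exposes:";      san_names "$combined"
```

Running it shows the per-name certificate exposing only `sogo.example.org`, while the combined certificate lists all three names to anyone who connects, which is exactly the trade-off the previous message weighs for Mail, Ejabberd and NethVoice Proxy. The `-addext` and `-ext` options need OpenSSL 1.1.1 or newer.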
So the list was omitted to hide a display error without having to address the problem (fast fix). I can understand that you don’t fix components that are replaced or changed anyway, but the argument about clarity doesn’t seem convincing to me. After all, there are other lists in NETH8 that probably have significantly more entries, e.g., the user lists.
Is there an info list I can sign up for to be informed about upcoming changes (and their consequences)? A “rolling release” with constant surprises (even if they may be progress) is too exciting for me.
I had to leave NethServer 7 because there were no more CentOS updates. The process for NETH8 is partly underway and partly completed. When will I no longer be able to install NETH8 updates because the effects on my particular setting are unforeseeable?
Additionally, we’d like to implement an automated Nethbot summary of released features and bug fixes, but we haven’t had time to set it up yet.
The “rolling style” of NethServer releases and its development rules have remained the same since NethServer 6. I understand that this may feel more noticeable in a rapidly evolving product than in a mature one.