Custom Certificate Management

I need to provide a custom certificate for dovecot and postfix, so I use
api-cli run module/traefik1/upload-certificate --data '{"certFile":"...base64-cert....","keyFile":"...base64-key...."}'
and get in GUI Settings / TLS certificates my certificate with status “Uploaded”
=> perfect … that’s easy to use.

Then I installed mail and set the “Mail server hostname” to the same name as that uploaded certificate.
dovecot and postfix both use self-signed certificates, not my uploaded one.

In GUI Settings / TLS certificates a new entry appears with my hostname and status “Not obtained”
Seems that traefik wants to get a Let’s Encrypt Certificate for that same name.

Question 1)
Where can we set the relationship between services and certificates?
(in my case)

  • dovecot => use this uploaded certificate
  • postfix => use that certificate
    or, if it can only be done per container:
  • mail1 => use my uploaded certificate

Trying to fix that manually, I put my certificate & key in
/home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/ and

That helps for dovecot, which now uses my certificate, but postfix still uses “nethserver.test”

Question 2)
In which location does postfix need the certificate to find/use it, or
where is postfix's located, so that I can look it up myself?

thx & :wink: Tom

This is a bug description :thinking:

Added a card to NethServer 8 · GitHub.

Writing files into container volumes with such absolute paths is dangerous. It bypasses the uid:gid namespace and leads to access issues. Refer to the app README instead, ns8-mail/ at main · NethServer/ns8-mail · GitHub.

In the NethServer/ns8-mail · GitHub README there is a typo in section “Postfix custom configuration”:

# print the config values that differ from Postfix defaults ....
podman exec -ti dovecot doveconf -n

should be

podman exec -ti postfix postconf -n

if someone needs to deploy custom certificates for mail,
this is my first draft of a solution:

# dovecot
scp $cert_pfad/fullchain.pem $nethserver_ip:/home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/server.pem
scp $cert_pfad/privkey.pem $nethserver_ip:/home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/server.key

# postfix
cp $cert_pfad/privkey.pem /tmp/fullchain.pem
cat $cert_pfad/fullchain.pem >> /tmp/fullchain.pem
scp $cert_pfad/fullchain.pem $nethserver_ip:/home/mail1/.local/share/containers/storage/volumes/postfix-cert/_data/server.pem
scp $cert_pfad/privkey.pem $nethserver_ip:/home/mail1/.local/share/containers/storage/volumes/postfix-cert/_data/server.key
scp /tmp/fullchain.pem $nethserver_ip:/home/mail1/.local/share/containers/storage/volumes/postfix-cert/_data/fullchain.pem
rm /tmp/fullchain.pem

# skip if the ExecStartPre line is already commented out
uncommented=$( ssh $nethserver_ip 'grep "#ExecStartPre=-runagent install-certificate dovecot" /home/mail1/.config/systemd/user/dovecot.service' )
if [ -z "$uncommented" ]; then
    ssh $nethserver_ip 'sed -i "/^ExecStartPre=-runagent install-certificate dovecot$/s/^/#/" /home/mail1/.config/systemd/user/dovecot.service'
    ssh $nethserver_ip 'runagent -m mail1 systemctl --user daemon-reload'
    echo "disabled install-certificate dovecot"
fi

uncommented=$( ssh $nethserver_ip 'grep "#ExecStartPre=-runagent install-certificate postfix" /home/mail1/.config/systemd/user/postfix.service' )
if [ -z "$uncommented" ]; then
    ssh $nethserver_ip 'sed -i "/^ExecStartPre=-runagent install-certificate postfix$/s/^/#/" /home/mail1/.config/systemd/user/postfix.service'
    ssh $nethserver_ip 'runagent -m mail1 systemctl --user daemon-reload'
    echo "disabled install-certificate postfix"
fi
ssh $nethserver_ip 'runagent -m mail1 systemctl restart --user dovecot.service'
ssh $nethserver_ip 'runagent -m mail1 systemctl restart --user postfix.service'
  • $cert_pfad is the path where my certificates are stored
  • in /tmp/fullchain.pem a file for postfix - with the key and the full certificate chain is being created
  • in both if “uncommented” statements I disable install-certificate for dovecot and postfix, which would overwrite the manual copied files
  • This script runs on my Nginx Proxy Manager machine and delivers the current certificate to the nethserver machine
1 Like
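An added example, not code from this thread or from the ns8-mail project: it rebuilds the "key first, then fullchain" bundle that the postfix part of the script above produces, and checks the result before anything is copied to the server. The PEM files are constructed placeholders with dummy bodies, the paths are assumptions, and the `served_cert` helper (which needs openssl and network access) is only defined, not run. Unlike the plain `cp` + `cat >>` into /tmp, the bundle is written under a 077 umask so the file that now contains the private key is never world-readable.

```sh
#!/bin/sh
# Added example, not code from the thread or from the ns8-mail project.
# Rebuilds the key+fullchain bundle for postfix and verifies its PEM block
# order before it is shipped. Key/cert bodies below are constructed dummies.
set -eu

# bundle_for_postfix KEY FULLCHAIN OUT: private key first, then leaf and
# intermediates. The subshell keeps the 077 umask local, so OUT is 0600.
bundle_for_postfix() {
    ( umask 077; cat "$1" "$2" > "$3" )
}

# pem_blocks FILE: print the label of every "-----BEGIN ...-----" line, in order.
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# check_bundle FILE: succeed only if the first block is a private key,
# it is the only key, and at least one CERTIFICATE block follows it.
check_bundle() {
    blocks=$(pem_blocks "$1")
    first=$(printf '%s\n' "$blocks" | sed -n 1p)
    case "$first" in
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") ;;
        *) return 1 ;;
    esac
    nkeys=$(printf '%s\n' "$blocks" | grep -c 'PRIVATE KEY' || true)
    ncerts=$(printf '%s\n' "$blocks" | grep -c '^CERTIFICATE$' || true)
    [ "$nkeys" -eq 1 ] && [ "$ncerts" -ge 1 ]
}

# served_cert HOST PORT [STARTTLS_PROTO]: show the certificate the daemon
# really serves (needs network and openssl, so it is not called here):
#   served_cert mail.example.com 993          (IMAPS, no STARTTLS)
#   served_cert mail.example.com 587 smtp     (submission, STARTTLS)
served_cert() {
    host="$1"; port="$2"; proto="${3:-}"
    starttls=""
    if [ -n "$proto" ]; then starttls="-starttls $proto"; fi
    # $starttls is intentionally unquoted so it splits into two arguments
    openssl s_client -connect "$host:$port" -servername "$host" $starttls </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed placeholder PEM files (bodies are dummies, not real key material).
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEvQIBADANBgkqhkiG9w0BAQEFAASC' \
              '-----END PRIVATE KEY-----' > "$work/privkey.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIFleafAAAA' '-----END CERTIFICATE-----' \
              '-----BEGIN CERTIFICATE-----' 'MIIFintermediateAAAA' '-----END CERTIFICATE-----' \
              > "$work/fullchain.pem"

bundle_for_postfix "$work/privkey.pem" "$work/fullchain.pem" "$work/bundle.pem"
# The same blocks in the wrong order, to show the check rejecting them.
cat "$work/fullchain.pem" "$work/privkey.pem" > "$work/reversed.pem"

if check_bundle "$work/bundle.pem"; then
    echo "bundle.pem: accepted ($(pem_blocks "$work/bundle.pem" | tr '\n' ',' ))"
fi
if check_bundle "$work/reversed.pem"; then
    echo "reversed.pem: accepted"
else
    echo "reversed.pem: rejected (private key is not the first block)"
fi
```

Run `check_bundle` on the file right before the `scp`, and `served_cert` against the host after the restart: the first catches a bundle assembled in the wrong order, the second tells you which certificate dovecot or postfix is actually handing out, independent of what is lying in the volume.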

update: second draft of a solution:
Disabling install-certificate in the dovecot and postfix .service files was not the way, because it is being triggered somewhere else.
So I decided to disable the install-certificate script itself by inserting an exit line at the top:

# line 2 of the script is where the "exit 0" gets inserted; skip if it is already there
install_certificate_disabled=$( ssh $nethserver_ip 'sed -n 2p /home/mail1/.config/bin/install-certificate' )
if [ -z "$install_certificate_disabled" ]; then
    ssh $nethserver_ip 'sed -i "1 aexit 0" /home/mail1/.config/bin/install-certificate'
    echo "disabled install-certificate script"
fi

so far my deployed certificate does not get overwritten…