Dovecot Certificate Expired

NethServer Version: ns8
Module: dovecot

Hello, today I realized that Dovecot uses a different certificate than Traefik. When I changed from ns7 to ns8 I first used the automatically installed mail certificate. Later I put ns8 behind an nginx proxy for 80,443 so it can't renew the certificate itself. And I uploaded a wildcard certificate to ns8. This works for all other applications like Nextcloud, cluster-admin etc.

So I deleted all certificates and gave direct access via 80 and 443 so ns8 can install itself a new certificate. This works, but Dovecot always gets the old certificate. Can someone give me advice on where the certificates are stored? I found a few topics like

Or how I can use the wildcard certificate with Dovecot.

Thank you

strauch

With redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" key in mail1 I got the wrong certificate, but where is the file behind that?

Does it help to reinstall the certificate in dovecot?

runagent -m mail1 install-certificate dovecot

That should put the right cert to /home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/.

Traefik stores its certs in one file in /etc/traefik/acme/acme.json. To access it in the container using vi you could use the following command:

runagent -m traefik1 podman exec -ti traefik vi /etc/traefik/acme/acme.json
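To tell whether the certificate copied into the dovecot-cert volume is the one Traefik currently holds, the two can be compared by fingerprint. This is an added example, not part of the original posts or NS8's own tooling; it assumes the acme.json layout Traefik writes (per-resolver "Certificates" entries with a base64-encoded PEM chain), and the resolver name and certificate bytes in the sample are constructed.

```python
import base64, hashlib, json, re, ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 hex digest of the first (leaf) certificate in a PEM bundle."""
    block = PEM_RE.search(pem_text)
    if block is None:
        raise ValueError("no certificate found in PEM data")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(block.group(0))).hexdigest()

def covers(name, hostname):
    """True if a certificate name (exact or one-label wildcard) covers hostname."""
    name, hostname = name.lower(), hostname.lower()
    if name.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == name[2:]
    return name == hostname

def acme_fingerprints(acme_json_text, hostname):
    """Leaf fingerprints of every acme.json entry whose names cover hostname."""
    found = []
    for resolver in json.loads(acme_json_text).values():
        for entry in resolver.get("Certificates") or []:
            domain = entry.get("domain", {})
            names = [domain.get("main")] + (domain.get("sans") or [])
            if any(covers(n, hostname) for n in names if n):
                # Traefik stores the PEM chain base64-encoded inside the JSON.
                pem = base64.b64decode(entry["certificate"]).decode()
                found.append(leaf_fingerprint(pem))
    return found

def dovecot_in_sync(acme_json_text, dovecot_pem_text, hostname):
    """True if the certificate Dovecot was given is one Traefik currently holds."""
    return leaf_fingerprint(dovecot_pem_text) in acme_fingerprints(acme_json_text, hostname)

# Constructed sample data: placeholder bytes wrapped as PEM, not real certificates.
FRESH_PEM = ssl.DER_cert_to_PEM_cert(b"constructed renewed certificate")
STALE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed expired certificate")
SAMPLE_ACME = json.dumps({"acmeServer": {"Certificates": [{  # resolver name is made up
    "domain": {"main": "mail.example.org"},
    "certificate": base64.b64encode(FRESH_PEM.encode()).decode()}]}})

if __name__ == "__main__":
    for label, pem in (("fresh", FRESH_PEM), ("stale", STALE_PEM)):
        print(label, dovecot_in_sync(SAMPLE_ACME, pem, "mail.example.org"))
```

On a real node, feed it the contents of /etc/traefik/acme/acme.json and the certificate PEM found in the dovecot-cert volume; a False result means Dovecot is still serving a certificate Traefik no longer has.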

Hello Markus, thank you for your help, with the command:

runagent -m mail1 install-certificate dovecot

I got the old certificate again in this place. When I delete the files in the folder /home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/ I get the files again after I run the above command.
It seems like ACME didn't install a new certificate; when I run it I can't see anything in the logfile. Do you know the command to execute it from the CLI to see any answer in the bash?

Puhh, I got it. There was an error writing to the acme.json. I only edited this file, restarted the service, and in the logfiles I see that it renews the certificate… Thanks for your advice, that put me on the right track.

2 Likes

Hello.

I’m having something similar.

I can’t get certificates to work with mail node.

runagent -m mail1 install-certificate dovecot returns:

Traceback (most recent call last):
File “/usr/local/bin/runagent”, line 112, in os.execvp(args.COMMAND, [args.COMMAND] + args.ARGS)
File “”, line 574, in execvp
File “”, line 616, in _execvpe
File “”, line 607, in _execvpe
FileNotFoundError: [Errno 2] No such file or directory

On the other hand, file /etc/traefik/acme/acme.json includes all domains I use with respective certificate.

Bottom line, I don’t see how I can connect mail clients to NethServer mail with certificates…

Not my first NS8 running. But this one in particular, I don’t know why, is not working.

Did you already try to reconfigure the mail server by clicking save in the app settings?

If you requested a certificate for the mail app on the TLS certificates page you need to delete it.
The NS8 apps use their own certificate.
Check the following thread to find and delete the bad cert entries manually if it’s not possible from the UI:

This command doesn’t work anymore.

Thanks for the quick reply.

I know what is wrong now :frowning:

On the mail app, the hostname is only “domain.tld”, where I usually always set it as mail.domain.tld.

Is it possible to edit this hostname?

Yes, in the mail app settings:

I feel embarrassed :slight_smile:
And thankful

Was probably too tired to see the basics :slight_smile:

Thank you. Another detail to my notes.
Certificate management is not at all like NS7. One must let every app take care of it. I went through all my NethSecurity, removed certificate issuing for this and that, and let apps like Nextcloud and WebTop take care of it by themselves on NethServer.

Hope it helps others. But nothing helps more than paying close attention to what you do :slight_smile:

Thanks again…

2 Likes