Error in loading TLS certificate

NethServer Version: 8
Module: TLS Certificates

I have an error when I try to load a TLS certificate on NethServer

Can you help me to understand why?

Thanks in advance.

Alessio

Is the uploaded certificate listed on the TLS certificate page?

NS8 expects the domain in the “Subject” field of the certificate but it may contain something else, see also Certificate upload Error - #9 by mrmarkuz

Hello, thank you for your answer. I found that the error message is probably a bug or something similar.
After I got the error I found that the certificate was loaded correctly

So can I send you some logs to identify if it is a bug or anything else?

Regards.

Alessio

Thanks for your feedback and welcome to NethServer Community.

Just to confirm the bug, could you share the certificate subject?

openssl x509 -noout -subject -in YOURCERTFICATE.crt -nameopt sep_multiline -nameopt utf8

Here is:

subject=
C=IT
ST=SI
L=Cusona
O=Trigano S.p.a.
OU=IT
CN=smtp.domain.tld
emailAddress=user@domain.tld

Alessio

Thanks, I’ll have a look at it.
I masked your domain and email.

Moreover I found another issue: it seems that the uploaded TLS certificate is not used by Email app for STARTTLS/SSL connections.

How can I achieve that?

Alessio

Many thanks for obfuscation

Does it help to click save in the NS8 mail settings to restart the mail services?

Or restart postfix from CLI:

runagent -m mail1 systemctl --user restart postfix

I tried everything you suggested, but no way. I also tried rebooting the server.

Anyway I did not find anything related to certificates in email application settings.

Is it right?

Alessio

Anyway I did not find anything related to certificates in email application settings.

Is it right?

Yes, that is right.

Ok, anyway it seems there are no certificates when I try a STARTTLS connection on port 587 of the SMTP relay.

Any ideas?

You could try the following command to install the cert in postfix:

runagent -m mail1 install-certificate postfix

See also Dovecot Certificate Expired - #3 by mrmarkuz

I got a warning:

image

But I checked and a certificate for that fqdn is present in TLS certificates under Cluster settings.

In the end I managed to achieve my goal of having a certificate on the SMTP relay: I copied the needed files into the /home/mail1/.local/share/containers/storage/volumes/postfix-cert/_data/ folder

I had to create three files:

image

Now the relay is up and running.

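A way to check from the shell which certificate the relay presents after STARTTLS on port 587 and whether its subject CN matches the host name, as an added example that is not part of the thread. The function names and the matching rule are assumptions, and the sample subject is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample: subject output in the shape posted above (masked domain).
SAMPLE_SUBJECT='subject=
    C=IT
    O=Example S.p.a.
    CN=smtp.domain.tld
    emailAddress=user@domain.tld'

# Read `openssl x509 -noout -subject -nameopt sep_multiline` output on stdin
# and print the first CN value.
subject_cn() {
    sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Succeed if host name $1 matches certificate name $2 (case-insensitive;
# a leading "*." covers exactly one label). Assumed rule, not NS8's own logic.
name_matches() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pat in
        '*.'*)
            suffix=${pat#'*'}            # e.g. ".domain.tld"
            label=${name%"$suffix"}      # what is left of the suffix
            [ "$label" != "$name" ] || return 1
            case $label in ''|*.*) return 1 ;; esac
            return 0 ;;
        *) [ "$name" = "$pat" ] ;;
    esac
}

# Print the PEM certificate the relay presents after STARTTLS (needs network).
starttls_cert() {
    openssl s_client -starttls smtp -connect "$1:${2:-587}" -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 2>/dev/null
}

# Usage on a live relay: check_relay_cert smtp.domain.tld 587
check_relay_cert() {
    pem=$(starttls_cert "$1" "$2") || pem=
    [ -n "$pem" ] || { echo "no certificate presented after STARTTLS" >&2; return 2; }
    cn=$(printf '%s\n' "$pem" |
        openssl x509 -noout -subject -nameopt sep_multiline -nameopt utf8 | subject_cn)
    if name_matches "$1" "$cn"; then echo "OK: CN=$cn"
    else echo "MISMATCH: CN=$cn" >&2; return 1; fi
}
```

Running `check_relay_cert` before and after installing the certificate shows whether postfix has picked up the uploaded one or is still serving a different certificate.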