NS8 and DNS-01 wildcard certificates

Does anybody have a guide to setting up the DNS-01 challenge on NS8, and incorporating the resulting certificates into Traefik for HTTPS routing?

I have HTTP-01 working, but it requires that services are exposed to the Internet via HTTP in the first instance, and I have internal services accessed via DNS name that I do not want exposed to the internet.

Searching the forum provides some references to doing this on NS7, but I am unsure about the applicability to NS8.

1 Like

Traefik can obtain certificates through DNS-01, as documented here: Let's Encrypt | Traefik | v2.4

Maybe it is possible to edit some .yml file in NS8 Traefik’s configuration. I don’t remember if someone in this forum was successful with it.

Once a solution is found, we can improve the official documentation with it.

Just further to this - I obtained a wildcard certificate (*.mydomain.net) manually, and imported it into Traefik.

This works for added HTTP Routes, but not for mail instances.

The reason is the install-certificates script for mail does not check for a domain wildcard, and only looks for the mail FQDN (i.e. mail.mydomain.net).

From

The relevant section:

redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" key | base64 -d > server.key
redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" cert | base64 -d > server.pem

I am assuming I could replicate the wildcard certificate/key into redis to match the mail hostname, but that would require additional steps when the certificate is updated.

It would be better for the script to check for a wildcard domain match first and use that rather than just checking ${MAIL_HOSTNAME}.

I’ll see if I can figure out some code to do that.

2 Likes

Thank you for investigating this issue. We also have an open bug related to it: Wildcard custom certificates cannot be used for modules configuration · Issue #7004 · NethServer/dev · GitHub

So this is my go at the relevant chunk of code, replacing

redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" key | base64 -d > server.key
redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" cert | base64 -d > server.pem

if [[ $(head -c 5 server.key) != '-----' || $(head -c 5 server.pem) != '-----' ]]; then
    echo "[WARNING] ${service_image} certificate for ${MAIL_HOSTNAME} not found" 1>&2
    exit 2
fi

with

# In the first instance, look for a wildcard domain certificate.
# Strip the first label of the mail FQDN (mail.mydomain.net -> mydomain.net)
# and build the matching single-label wildcard name (*.mydomain.net).
domain=$(echo "${MAIL_HOSTNAME}" | sed -n 's/[^.]*\.//p')
wildcard="*.${domain}"

redis-exec HGET "module/${mtraefik}/certificate/${wildcard}" key | base64 -d > server.key
redis-exec HGET "module/${mtraefik}/certificate/${wildcard}" cert | base64 -d > server.pem
if [[ $(head -c 5 server.key) != '-----' || $(head -c 5 server.pem) != '-----' ]]; then
    # No usable wildcard pair: fall back to the certificate issued for MAIL_HOSTNAME itself
    echo "[INFO] ${service_image} wildcard certificate for ${domain} not found" 1>&2
    redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" key | base64 -d > server.key
    redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" cert | base64 -d > server.pem
fi

# Do we have a valid certificate to install?
if [[ $(head -c 5 server.key) != '-----' || $(head -c 5 server.pem) != '-----' ]]; then
    echo "[WARNING] ${service_image} certificate for ${MAIL_HOSTNAME} not found" 1>&2
    exit 2
fi

It installed my wildcard certificate as expected into both Dovecot and Postfix.

I guess other modules may have a similar script.

3 Likes
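The selection logic in the post above (wildcard first, then the exact FQDN, both fields must be PEM-shaped) generalised into reusable functions, as an added example. This is not NS8 or NethServer code: the redis key layout `module/<traefik-module>/certificate/<name>` with base64 fields `key` and `cert` is taken from the snippet above, `redis-exec` is replaced by a constructed in-memory stand-in (`fake_hget`), and the certificate names, module name `traefik1` and PEM contents are invented placeholders so the script runs offline. It also shows the edge case the single-label wildcard rule creates: `mail.sub.mydomain.net` is not covered by `*.mydomain.net`, so the lookup for it correctly fails.

```bash
#!/usr/bin/env bash
# Added example (not NS8 code): choose which Traefik-issued certificate a module
# such as mail should install, trying the single-label wildcard before the exact
# FQDN, as the patched install-certificates snippet above does.
#
# Assumptions: Traefik keeps certificates in redis under
# module/<traefik-module>/certificate/<name> with base64 fields "key" and "cert"
# (taken from the snippet above). redis-exec is replaced by fake_hget, a
# constructed stand-in, so everything here runs offline.

# wildcard_for HOST: print the one wildcard name that can cover HOST.
# A wildcard matches exactly one label (RFC 6125), so mail.a.example.net is
# covered by *.a.example.net and never by *.example.net. Fails for a bare label.
wildcard_for() {
    case "$1" in
        *.*) printf '*.%s\n' "${1#*.}" ;;
        *)   return 1 ;;
    esac
}

# looks_like_pem DATA: true if DATA starts with a PEM armour line. This is the
# same "-----" shape check the snippet uses; it does not validate the contents.
looks_like_pem() {
    case "$1" in
        -----*) return 0 ;;
        *)      return 1 ;;
    esac
}

# select_cert_name TRAEFIK_MODULE HOST: print the stored certificate name to use
# for HOST (wildcard first, then exact FQDN); fail if neither has key AND cert.
select_cert_name() {
    local mtraefik=$1 host=$2 name key cert
    for name in "$(wildcard_for "$host")" "$host"; do
        [ -n "$name" ] || continue          # bare label: no wildcard parent to try
        key=$(fake_hget "module/${mtraefik}/certificate/${name}" key | base64 -d 2>/dev/null)
        cert=$(fake_hget "module/${mtraefik}/certificate/${name}" cert | base64 -d 2>/dev/null)
        looks_like_pem "$key"  || continue
        looks_like_pem "$cert" || continue
        printf '%s\n' "$name"
        return 0
    done
    return 1
}

# ---- constructed test data: placeholders only, not real key material ----
FAKE_KEY='-----BEGIN PRIVATE KEY-----
placeholder
-----END PRIVATE KEY-----'
FAKE_CERT='-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----'

b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# fake_hget REDIS_KEY FIELD: stand-in for `redis-exec HGET`, returning base64
# like the real hash field does, or nothing when the field is absent.
fake_hget() {
    case "$1:$2" in
        "module/traefik1/certificate/*.mydomain.net:key")   b64 "$FAKE_KEY" ;;
        "module/traefik1/certificate/*.mydomain.net:cert")  b64 "$FAKE_CERT" ;;
        "module/traefik1/certificate/imap.other.net:key")   b64 "$FAKE_KEY" ;;
        "module/traefik1/certificate/imap.other.net:cert")  b64 "$FAKE_CERT" ;;
        "module/traefik1/certificate/mail.nocert.net:cert") b64 "$FAKE_CERT" ;;  # key missing
        *) ;;
    esac
}

# Demo when run directly: one line per host, showing which name would be installed.
for h in mail.mydomain.net imap.other.net mail.sub.mydomain.net mail.nocert.net; do
    printf '%-24s -> %s\n' "$h" "$(select_cert_name traefik1 "$h" || echo 'no usable certificate')"
done
```

Two caveats a practitioner would want before wiring this into a real install step: the `-----` prefix check only proves the redis field decoded to something PEM-shaped, so after writing the files it is worth running `openssl x509 -in server.pem -noout -checkhost "$MAIL_HOSTNAME"` to confirm the certificate actually covers the hostname; and because a wildcard covers only one label, a host like `mail.sub.mydomain.net` needs either `*.sub.mydomain.net` or its own exact certificate, which is the failure the last demo lines show.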

Hi,

Are there any updates on the following topics?

  • Traefik with the DNS-01 challenge
  • Wildcard domain issues

As there have been no updates on this matter, I manually replaced the certificate files (selfsigned.crt and selfsigned.key) with the wildcard certificate in the following directory:

/home/traefik1/.config/state/

This solution is functioning correctly on all nodes and remains effective even after a reboot.

Note:
I also updated the certificates for Dovecot and Postfix at the following locations:

  • /home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/
  • /home/mail1/.local/share/containers/storage/volumes/postfix-cert/_data/

1 Like

I just discovered that this has already been posted at the following link:

1 Like