Does anybody have a guide to setting up the DNS-01 challenge on NS8, and incorporating the resulting certificates into Traefik for HTTPS routing?
I have HTTP-01 working, but it requires that services are exposed to the Internet via HTTP in the first instance, and I have internal services accessed via DNS name that I do not want exposed to the internet.
Searching the forum provides some references to doing this on NS7, but I am unsure about the applicability to NS8.
1 Like
davidep
(Davide Principi)
October 28, 2024, 8:49am
2
Traefik can obtain certificates through DNS-01, as documented here Let's Encrypt | Traefik | v2.4
Maybe it is possible to edit some .yml file in NS8 Traefik’s configuration. I don’t remember if someone in this forum was successful with it.
Once a solution is found, we can improve the official documentation with it.
Just further to this: I obtained a wildcard certificate (*.mydomain.net) manually, and imported it into Traefik.
This works for added HTTP routes, but not for mail instances.
The reason is that the install-certificates script for mail does not check for a domain wildcard, and only looks for the mail FQDN (i.e. mail.mydomain.net).
From
#!/bin/bash
#
# Copyright (C) 2023 Nethesis S.r.l.
# SPDX-License-Identifier: GPL-3.0-or-later
#
set -e
if [[ -z "${MAIL_HOSTNAME}" ]]; then
exit 3 # Module is not fully configured, abort execution.
fi
declare -A images
images=([postfix]="${MAIL_POSTFIX_IMAGE}" [dovecot]="${MAIL_DOVECOT_IMAGE}")
service="${1:?}"
service_image="${images[$service]:?Unknown service $service}"
The relevant section:
redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" key | base64 -d > server.key
redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" cert | base64 -d > server.pem
I am assuming I could replicate the wildcard certificate/key into redis to match the mail hostname, but that would require additional steps when the certificate is updated.
It would be better for the script to check for a wildcard domain match first and use that rather than just checking ${MAIL_HOSTNAME}.
I'll see if I can figure out some code to do that.
2 Likes
davidep
(Davide Principi)
November 4, 2024, 7:56am
4
So this is my go at the relevant chunk of code, replacing
redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" key | base64 -d > server.key
redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" cert | base64 -d > server.pem
if [[ $(head -c 5 server.key) != '-----' || $(head -c 5 server.pem) != '-----' ]]; then
echo "[WARNING] ${service_image} certificate for ${MAIL_HOSTNAME} not found" 1>&2
exit 2
fi
with
# In the first instance, look for a wildcard domain certificate
# (strip the first label: mail.mydomain.net -> mydomain.net -> *.mydomain.net)
domain=$(echo "${MAIL_HOSTNAME}" | sed -n 's/[^.]*\.//p')
wildcard="*.${domain}"
redis-exec HGET "module/${mtraefik}/certificate/${wildcard}" key | base64 -d > server.key
redis-exec HGET "module/${mtraefik}/certificate/${wildcard}" cert | base64 -d > server.pem
if [[ $(head -c 5 server.key) != '-----' || $(head -c 5 server.pem) != '-----' ]]; then
    # No usable wildcard: fall back to the MAIL_HOSTNAME certificate
    echo "[INFO] ${service_image} wildcard certificate for ${domain} not found" 1>&2
    redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" key | base64 -d > server.key
    redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" cert | base64 -d > server.pem
fi
# Do we have a valid certificate to install?
if [[ $(head -c 5 server.key) != '-----' || $(head -c 5 server.pem) != '-----' ]]; then
    echo "[WARNING] ${service_image} certificate for ${MAIL_HOSTNAME} not found" 1>&2
    exit 2
fi
It installed my wildcard certificate as expected into both dovecot and postfix.
I guess other modules may have a similar script.
3 Likes
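The wildcard-first lookup from the post above, as an added example that is not NS8's or the poster's code. It keeps only what the thread shows about NS8: certificates live in a Redis hash per name (`module/<traefik>/certificate/<name>` with base64-encoded `key` and `cert` fields) and the script accepts a value only if it starts with `-----`. Everything else is an assumption for illustration: the Redis hash is replaced by an in-script bash associative array, the PEM bodies are constructed placeholders (not real keys or certificates), and the `store_*`, `cert_candidates`, `select_cert` and `install_cert` names are mine. It goes one step beyond the post: it handles a multi-level hostname (a wildcard covers exactly one label, so `mail.eu.mydomain.net` needs `*.eu.mydomain.net`, not `*.mydomain.net`), skips a single-label or apex host that has no usable wildcard, and treats a wildcard entry whose key is not PEM as "not found" instead of installing it.

```bash
#!/usr/bin/env bash
# Added example (not NS8 code): choose the Traefik certificate for a mail host,
# wildcard of the parent domain first, exact FQDN second, then sanity-check PEM.
set -euo pipefail

# Constructed stand-in for the Redis hashes "module/<traefik>/certificate/<name>".
# NS8 reads them with: redis-exec HGET "module/${mtraefik}/certificate/${name}" key
# Values are stored base64-encoded, as in the real hash.
declare -A STORE_KEY STORE_CERT
store_put() { # name key-pem cert-pem
    STORE_KEY["$1"]=$(printf '%s' "$2" | base64 | tr -d '\n')
    STORE_CERT["$1"]=$(printf '%s' "$3" | base64 | tr -d '\n')
}
store_get() { # name KEY|CERT -> decoded value, or nothing for a missing name (like HGET)
    local -n map="STORE_$2"
    [[ -n "${map[$1]+set}" ]] && printf '%s' "${map[$1]}" | base64 -d
    return 0
}

# Same acceptance test as the NS8 script (head -c 5 == '-----'), on a string.
pem_ok() { [[ "${1:0:5}" == '-----' ]]; }

# Print the certificate names to try, most specific first.
# A wildcard matches one label only: mail.mydomain.net -> *.mydomain.net,
# mail.eu.mydomain.net -> *.eu.mydomain.net. A host with no dot, or whose
# parent is a bare TLD, gets no wildcard candidate at all.
cert_candidates() {
    local host="$1" parent="${1#*.}"
    if [[ "$host" == *.* && "$parent" == *.* ]]; then
        printf '%s\n' "*.${parent}"
    fi
    printf '%s\n' "$host"
}

# Print the first candidate name whose key AND cert both look like PEM.
# Exit status 2 when none does, mirroring the script's "not found" path.
select_cert() {
    local host="$1" name key cert
    while read -r name; do
        key=$(store_get "$name" KEY)
        cert=$(store_get "$name" CERT)
        if pem_ok "$key" && pem_ok "$cert"; then
            printf '%s\n' "$name"
            return 0
        fi
    done < <(cert_candidates "$host")
    return 2
}

# Write the selected pair as server.key / server.pem into a directory,
# creating the private key with owner-only permissions.
install_cert() {
    local host="$1" dir="$2" name
    if ! name=$(select_cert "$host"); then
        echo "[WARNING] certificate for ${host} not found" >&2
        return 2
    fi
    ( umask 077; store_get "$name" KEY > "${dir}/server.key" )
    store_get "$name" CERT > "${dir}/server.pem"
    echo "[INFO] installed ${name} for ${host}" >&2
}

# Constructed sample store: placeholder PEM text only, no real secrets.
store_put '*.mydomain.net' \
    $'-----BEGIN PRIVATE KEY-----\nWILDCARDKEY\n-----END PRIVATE KEY-----' \
    $'-----BEGIN CERTIFICATE-----\nWILDCARDCERT\n-----END CERTIFICATE-----'
store_put 'imap.other.net' \
    $'-----BEGIN PRIVATE KEY-----\nHOSTKEY\n-----END PRIVATE KEY-----' \
    $'-----BEGIN CERTIFICATE-----\nHOSTCERT\n-----END CERTIFICATE-----'
# Broken wildcard entry (key is not PEM): must be skipped, not installed.
store_put '*.eu.mydomain.net' 'not-a-pem-key' \
    $'-----BEGIN CERTIFICATE-----\nEUWILDCERT\n-----END CERTIFICATE-----'
store_put 'mail.eu.mydomain.net' \
    $'-----BEGIN PRIVATE KEY-----\nEUKEY\n-----END PRIVATE KEY-----' \
    $'-----BEGIN CERTIFICATE-----\nEUCERT\n-----END CERTIFICATE-----'

# Demo: mail.mydomain.net is served by the wildcard entry.
demo_dir=$(mktemp -d)
install_cert mail.mydomain.net "$demo_dir"
cat "${demo_dir}/server.pem"
rm -rf "$demo_dir"
```

The fallback is only as good as the check in front of it: a wildcard entry that exists but holds garbage would otherwise be written straight into Postfix and Dovecot, which is why `select_cert` validates both fields before committing to a name. The Redis key name for a wildcard is literally `*.mydomain.net`, so it must stay quoted wherever it is passed to `redis-exec` to avoid shell globbing.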
amulyawan
(Agustinus Mulyawan)
January 23, 2025, 2:39pm
6
Hi,
Are there any updates on the following topics?
Traefik with the DNS-01 challenge
Wildcard domain issues
As there have been no updates on this matter, I manually replaced the certificate files (selfsigned.crt and selfsigned.key) with the wildcard certificate in the following directory:
/home/traefik1/.config/state/
This solution is functioning correctly on all nodes and remains effective even after a reboot.
Note:
I also updated the certificates for Dovecot and Postfix at the following locations:
/home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/
/home/mail1/.local/share/containers/storage/volumes/postfix-cert/_data/
1 Like
amulyawan
(Agustinus Mulyawan)
January 23, 2025, 5:09pm
7
I just discovered that this has already been posted previously at the following link:
if someone needs to deploy custom certificates for mail,
this is my first draft of a solution:
# dovecot
scp $cert_pfad/fullchain.pem $nethserver_ip:/home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/server.pem
scp $cert_pfad/privkey.pem $nethserver_ip:/home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/server.key
# postfix
cp $cert_pfad/privkey.pem /tmp/fullchain.pem
cat $cert_pfad/fullchain.pem >> /tmp/fullchain.pem
scp $cert_pfad/fullchain.pem $nethse…
1 Like