Setting the dovecot certificate with import-certificate

NethServer Version: Nethserver 8
Module: mail

Github tells me that I can use import-certificate to provide the correct certificate (wildcard domain certificate) to dovecot (I have a client that insists on certificate validation).

import-certificate

Reads a Tar file from standard input. The following archive contents are relevant:

    server.pem, server TLS certificate
    server.key, server certificate private key
    dh.pem, Diffie-Hellman group

However, I cannot for the life of me figure out how to provide the tar file to the command

tar c -f - server.key server.pem dh.pem | podman exec -t dovecot import-certificate

just hangs.

Am I on completely the wrong track here?

Here you can see what the script is supposed to do.


I have looked at the script. The relevant line is line 16

tar x -o -f -

this extracts (x -o) a tar file getting input from stdin (-f -).

If I could manually get the tar file into the container I could follow the rest of the script, but I haven’t found a good mechanism to do that either.

But passing the tar file via stdin seems to be the intended solution - but I don’t really understand how to do this successfully.

Here’s an example of a script that is using import-certificate:

I guess it needs to be executed inside the user/container (runagent -m mail1), copying cert files over there, setting permissions before importing… However I don’t know what is necessary and what isn’t.
Also unsure if final full path (as seen by root) would be /home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/

Maybe @andre8244 can give a hint.


Looks like -t (create a pseudo-TTY) was the problem - which sort of makes sense. We are redirecting binary output from tar, so the pseudo-TTY gets hung up on non-text characters.

This command works (using -i or --interactive):

tar c -f - server.key server.pem dh.pem | podman exec -i dovecot import-certificate

I actually fixed this manually last night, because someone thoughtfully left vi in the dovecot container (which is not always the case). I was able to recreate the required files in the container using copy/paste and use the commands from the script to get them in the right place. Once that was in place, my imap client was able to connect via TLS.

I’ll need to completely automate certificate update (using DNS-01 from the gateway) and distribution, though, across multiple disparate systems. So getting these commands working is pretty critical.

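The working command from the post above, wrapped as an added example that is not part of the thread or the NethServer project: a small POSIX shell wrapper that refuses to build the archive unless all three expected files are present, pipes it through podman exec -i (no -t), and includes a local stand-in for the container's tar x -o -f - step so the stream can be exercised without a container. The function names and the local extraction directory are assumptions; the file names and the container name "dovecot" are the thread's.

```shell
#!/bin/sh
# Added example, not the NethServer project's code. Streams the tar archive
# that import-certificate reads from stdin, with the file names the thread
# lists (server.pem, server.key, dh.pem) and the container name "dovecot".
set -eu

# Write the archive to stdout. Bails out before touching the container if
# any of the three files is missing, so a partial archive never overwrites
# only some of the files on the dovecot side.
build_cert_archive() {
    certdir=$1
    for f in server.pem server.key dh.pem; do
        if [ ! -r "$certdir/$f" ]; then
            echo "missing or unreadable: $certdir/$f" >&2
            return 1
        fi
    done
    # -C so the archive carries bare file names, as in the thread's command
    tar c -f - -C "$certdir" server.pem server.key dh.pem
}

# Local stand-in for the script's container-side step (tar x -o -f -):
# extracts the stream from stdin into a directory of our choosing.
receive_cert_archive() {
    destdir=$1
    mkdir -p "$destdir"
    tar x -o -f - -C "$destdir"
}

# The real import. -i keeps stdin open for the binary stream; -t is left
# out on purpose, because a pseudo-TTY mangles it and the command hangs.
import_certificate() {
    certdir=$1
    build_cert_archive "$certdir" | podman exec -i dovecot import-certificate
}
```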