Setting the dovecot certificate with import-certificate

NethServer Version: Nethserver 8
Module: mail

Github tells me that I can use import-certificate to provide the correct certificate (wildcard domain certificate) to dovecot (I have a client that insists on certificate validation).


Reads a Tar file from standard input. The following archive contents are relevant:

    server.pem, server TLS certificate
    server.key, server certificate private key
    dh.pem, Diffie-Hellman group

However, I cannot for the life of me figure out how to provide the tar file to the command

tar c -f - server.key server.pem dh.pem | podman exec -t dovecot import-certificate

just hangs.

Am I on completely the wrong track here?

Here you can see what the script is supposed to do.

1 Like

I have looked at the script. The relevant line is line 16

tar x -o -f -

this extracts (x -o) a tar file getting input from stdin (-f -).

If I could manually get the tar file into the container I could follow the rest of the script, but I haven’t found a good mechanism to do that either.

But passing the tar file via stdin seems to be the intended solution - but I don’t really understand how to do this successfully.

Here’s an example of a script that is using import-certificate:

I guess it needs to be executed inside the user/container (runagent -m mail1), copying cert files over there, setting permissions before importing… However I don’t know what is necessary and what isn’t.
Also unsure if final full path (as seen by root) would be /home/mail1/.local/share/containers/storage/volumes/dovecot-cert/_data/

Maybe @andre8244 can give a hint.

1 Like

Looks like -t (create a pseudoTTY) was the problem - which sort of makes sense. We are redirecting binary output from tar, so the pseudoTTY gets hung up on non-text characters.

This command works (using -i or –interactive):

tar c -f - server.key server.pem dh.pem | podman exec -i dovecot import-certificate

I actually fixed this manually last night, because someone thoughtfully left vi in the dovecot container (which is not always the case). I was able to recreate the required files in the container using copy/paste and use the commands from the script to get them in the right place. Once that was in place, my imap client was able to connect via TLS.

I’ll need to completely automate certificate update (using DNS-01 from the gateway) and distribution, though, across multiple disparate systems. So getting these commands working is pretty critical.

1 Like