Traefik cert acme error

loryaegis · July 30, 2025, 6:40am

NethServer Version: NS8
Module: treafik

Hello everyone, I have a problem with the certificate configuration file.

Webtop works correctly, but the email client is giving an error, and the error message says that the server I set up in the client (which works in webtop) is not in the list of domains validated by the certificate.

I checked inside acme.json and it is indeed missing.

runagent -m traefik1 nano acme/acme.json { "domain": { "main": "node1.********.com", "sans": [ "nextcloud.*********.com", "****.*****.com" ] },

The certificate was requested and obtained, and appears in Settings->TLS certificates →

Here, four certificates appear, while only three appear in the acme file.

I checked in the HTTP routes and it is indeed there. It is a default configuration. In fact, it is the fqdn of webtop1 set during migration.

mrmarkuz · July 30, 2025, 6:46am

I found that you requested the certs for the apps in another thread.

The certificates for the apps must not be obtained from the “TLS certificates” page. The apps have their own cert.
Please try to delete the app certs from the TLS certificates page.
If there are issues deleting the certs, see All certificates are expired or expiring - nothing renewing - #6 by mrmarkuz

loryaegis · July 30, 2025, 6:58am

hi @mrmarkuz
Yes, that’s the problem I was telling you about yesterday. I deleted the certificate in “TLS certificates.” Now it no longer appears in acme/acme.json

[traefik1@c1lb state]$ runagent -m traefik1 cat configs/_default_cert.yml
tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: acmeServer
        domain:
          main: node1.******.com
          sans:
          - nextcloud.******.com
          - **.******.com

In the guide you sent me, it is not clear to me how to request a correct certificate from the app.

mrmarkuz · July 30, 2025, 7:01am

For example the mail app just obtains a certificate if possible, other apps provide a switch to enable Letsencrypt in the app settings.

loryaegis · July 30, 2025, 7:17am

I enabled the certificate within Webtop. I don’t use Roundcube for webmail, only Webtop. I waited several minutes and closed and reopened Thunderbird, but it keeps telling me that the certificate is incorrect.

mrmarkuz · July 30, 2025, 7:27am

If you use Thunderbird for mailing then it’s about the mail app certificate.
Just contacts and calendars are in Webtop.
Check the mail server name in the mail app settings. If there’s a cert for it in the TLS certificates page, remove it. Check if DNS is working correctly for the mail server name.
Finally click save in the mail app settings to obtain the cert.

loryaegis · July 30, 2025, 7:46am

Exactly! That’s the problem.

Initially, I requested a certificate for the FQDN for the mail app and webtop. Following your instructions, I removed the certificate I requested yesterday from the settings->TLS certificates section.

As per my previous post, I went to the Webtop app and enabled the certificate request in the app settings.

Now, when I go to Settings->TLS Certificates, my Webtop certificate does not appear. If I try to request it, I get a message saying that there is already an app that has requested this certificate (Webtop?) and therefore it is not possible to request it again.

mrmarkuz · July 30, 2025, 7:49am

That’s correct.
The app certificates do NOT appear at the TLS certificates page.
On the TLS certificates page only certs for the cluster node should appear and NO app cert.
Please don’t request app certs on the TLS cert page.

loryaegis · July 30, 2025, 7:53am

OK, but I still get an error even if I restart the Traefik service.

So is the certificate for emails also shared for webtop? I think so. I don’t see the option to request a certificate for emails in the mail app settings.

In thunderbird, If I click on “show certificate,” the FQDN for emails does not appear, but rather that of the cluster node.

mrmarkuz · July 30, 2025, 7:56am

The mail app has no switch because a mail server without certificate doesn’t work at all so the mail app always tries to get a certificate.

Did you set the right mail server name in Thunderbird?

loryaegis · July 30, 2025, 7:56am

There’s something I don’t understand. In the Mail app settings → General settings → Mail server host name, I see the cluster’s FQDN. Should that be the one I use in Webtop?

mrmarkuz · July 30, 2025, 7:57am

No, it should be the mail server name like mail.domain.tld.
The same mail server name should be used in thunderbird.
If the mail server name is the same as the cluster name you should change one of them.

loryaegis · July 30, 2025, 7:57am

Yes, Thunderbird is set up correctly.

loryaegis · July 30, 2025, 7:59am

So, if I change my correct FQDN (which I also use in Webtop) in the general settings, everything should work, right?

mrmarkuz · July 30, 2025, 8:02am

Please don’t use the same FQDN for more than one app/node.

You have a cluster node, for example node.domain.tld.
You have a mail server, for example mail.domain.tld.
You have webtop, for example webtop.domain.tld.

In Thunderbird for mails set mail.domain.tld.
For contacts and calendars, set webtop.domain.tld.