Hi,
I got the latest update and with it an SSL problem in nginx.
I skipped acme-mailcow for Let's Encrypt because my port 80 is already in use and I'm managing my certificates on my own.
When I connect to the web interface via https://mailserver.tld:https-port/admin.php, I get a wrong certificate from the mailcow nginx.
The certificate CN is "mail.example.org".
I already have a certificate for my domain (certbot, Let's Encrypt) in /etc/letsencrypt/live/domainname/...
According to /data/conf/nginx/site.conf, the SSL path is /etc/ssl/mail/cert.pem.
I also made a copy of my cert and put it right there, but it changes nothing.
If I change the path in site.conf, I'm not able to reach nginx after a restart of the nginx container.
Am I doing something completely wrong, or did I miss anything in the configuration?
Thanks and greets!
Actually, you are placing your SSL cert in the wrong path. The path used in /data/conf/nginx/site.conf refers to the internal file system of the container. The correct path to place your cert is data/assets/ssl/: the combined certificate with its intermediate CA/CA as cert.pem and the key as key.pem.
To do this:
Set SKIP_LETS_ENCRYPT=y in mailcow.conf
rm data/assets/ssl/cert.pem; rm data/assets/ssl/key.pem
ln $(readlink -f /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem) data/assets/ssl/cert.pem
ln $(readlink -f /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem) data/assets/ssl/key.pem
For more info, please refer to the documentation about SSL.
~ #384
Hi,
thanks for the quick answer.
Because I cannot hardlink the certs, I softlinked them, but this shouldn't be the problem IMO.
When I restarted mailcow, my certificate links got overwritten by normal cert.pem files.
Let's Encrypt is being skipped; the log from docker-compose logs acme-mailcow proves it.
"Attaching to mailcowdockerized_acme-mailcow_1
acme-mailcow_1 | SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
Is it a problem with the softlink?
Yes, it is a problem with the softlink. Apparently the destinations of these softlinks are assumed to be in the internal file system of the container instead of the host machine's FS, so the softlinks get broken, and that's why mailcow replaces them with new ones.
Here's an alternative solution:
cp /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem data/assets/ssl/cert.pem
cp /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem data/assets/ssl/key.pem
~ https://stackoverflow.com/questions/31881904/docker-follow-symlink-outside-context
Ah okay. Maybe I'll avoid the cross-device problem in the future, but for now I'll simply add the copy to the cert-renew cronjob ^-^
Thanks a lot!
Ok, 😄 I'll be closing this for now. Please comment back if you are still having the issue and I will be glad to reopen this for you.
Good Luck!