Mailcow-dockerized: Trying to use Cloudflare Origin CA certificate

Created on 3 Apr 2020 · 3 Comments · Source: mailcow/mailcow-dockerized

Hi,

I installed Mailcow and the installation was successful, and I was able to connect to the website. I then decided to use my own certificates by using Origin Certificates by Cloudflare. As per Mailcow's documentation, I disabled Mailcow's internal LE client, replaced data/assets/ssl/cert.pem with Cloudflare Origin CA root certificates on the top and my Origin Certificate on the bottom. I then replaced data/assets/ssl/key.pem with my private key and restarted all affected services, and tried to connect to the website. It connected, but there was a security error and I had to make an exception to access the website. I tried reversing the entire process to troubleshoot the issue (except that I wasn't able to restore cert.pem and key.pem because I didn't have the original contents, so I just kept the new contents), and the website just broke at this point. It was "unable to connect." The Mailcow docs don't seem to show how to generate the relevant error logs for this issue.

I would appreciate any help. Thanks.

Thanks.

All 3 comments

This should be taken to the support channel and not to the bug tracker. Please also check your nginx logs, they will probably tell you what is going wrong.

Cloudflare Origin CA

That doesn't sound like a good idea. That CA isn't trusted by web browsers, so it would only be useful if you want to put Cloudflare in front of your web server. However, in that case you need to make sure to not also put Cloudflare in front of your SMTP/IMAP server -- in the default Cloudflare configuration, the mail server would become useless.

But if I wanna use my own certificate from DigiCert or Let's Encrypt, would I follow the same method I used? The issue didn't seem to be Cloudflare-related, as I wasn't able to connect to the Mailcow UI host at all after I changed the cert. I didn't get the chance to see the bad certificate prompt or anything.

Also, how is the Cloudflare Origin CA not trusted? Cloudflare is very leading.

You don't appear to understand the nature of the Cloudflare Origin CA certs?

With Origin CA certificates, we've stripped everything that's extraneous to communication between our servers and yours to produce the smallest possible certificate and handshake. For example, we have no need to bundle intermediate certificates to assist browsers in building paths to trusted roots; no need to include signed certificate timestamps (SCTs) for purposes of certificate transparency and EV treatment; no need to include links to Certification Practice Statements or other URLs; and no need to listen to Online Certificate Status Protocol (OCSP) responses from third-parties.

https://blog.cloudflare.com/cloudflare-ca-encryption-origin/

You also don't appear to have appreciated the point made by @mkuron above that Cloudflare only reverse proxies port 80 and 443 — if you use Cloudflare then ports 25, 110, 143, 465, 587, 993 and 995 won't work as Cloudflare don't proxy them and these ports are needed for the mail server to work, so it won't work… :roll_eyes:
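As an added example (not code from mailcow or from anyone in this thread), here is a pre-flight check for the cert.pem/key.pem swap the issue describes: it verifies that key.pem belongs to the first certificate in cert.pem and whether the bundled chain verifies against a trust store, which is exactly where an Origin CA certificate fails unless Cloudflare's Origin CA root is supplied as the anchor. It assumes the openssl CLI; the function names, the throwaway private CA fixture and the hostnames and paths in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not mailcow's own code): pre-flight check for a cert.pem/key.pem
# pair before it is copied into data/assets/ssl. Assumes the openssl CLI.
# Exit codes: 0 chain OK, 1 key does not match the leaf, 2 chain not trusted.

check_mail_cert() {
  cert="$1"; key="$2"; cafile="$3"   # cafile optional; empty = system trust store
  # 1. The private key must belong to the leaf (first) certificate in cert.pem:
  #    derive the public key from each side and compare the PEM text.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "KEY_MISMATCH"; return 1
  fi
  # 2. Chain check: extra certs bundled in cert.pem act as untrusted intermediates;
  #    the trust anchor is the system store, or $cafile when given. A leaf issued by
  #    a private CA such as Cloudflare's Origin CA only passes with that CA as anchor.
  if [ -n "$cafile" ]; then set -- -CAfile "$cafile"; else set --; fi
  if openssl verify "$@" -untrusted "$cert" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo "OK"; return 0
  fi
  echo "UNTRUSTED_CHAIN"; return 2
}

# Constructed fixture: a throwaway private CA plus a leaf it signed, standing in
# for an Origin CA root and an Origin Certificate. Prints the directory it created.
make_demo_certs() {
  d=$(mktemp -d)
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ca\n' >"$d/req.cnf"
  printf '[dn]\nCN = unused\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' >>"$d/req.cnf"
  printf 'keyUsage = critical,keyCertSign\n' >>"$d/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Private CA" \
    -config "$d/req.cnf" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -config "$d/req.cnf" -keyout "$d/key.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/cert.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -out "$d/other.key" 2>/dev/null   # unrelated key
  echo "$d"
}

# Usage: sh check_cert.sh data/assets/ssl/cert.pem data/assets/ssl/key.pem [ca.pem]
if [ "$#" -ge 2 ]; then check_mail_cert "$@"; fi
```

Running it against the real files with no third argument answers the thread's question directly: a browser-issued CA such as DigiCert or Let's Encrypt yields OK from the system store, while an Origin CA leaf yields UNTRUSTED_CHAIN.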
