Mailu with nginx-proxy and docker-letsencrypt-nginx-proxy-companion setup

Try to change

TLS_FLAVOR=letsencrypt
in the .env file

It looks like your installation are looking for a cert.pem in the root of your /certs folder.
While letsencrypt store the cert in /mailu/certs/letsencrypt/live/yourdomain.com/

_if /mail/cert is empty. try look in /etc/letsencrypt and see if they are stored there._

No change. I tried also mail-letsencrypt.

$grep -v ^# .env|grep -v ^$
ROOT=/home/username/webstack/mailu
VERSION=stable
SECRET_KEY=ChangeMeChangeMeChangeMe
BIND_ADDRESS4=127.0.0.1
BIND_ADDRESS6=::1
DOMAIN=mydomain.com
HOSTNAMES=mail.mydomain.com
POSTMASTER=admin
TLS_FLAVOR=letsencrypt
AUTH_RATELIMIT=10/minute;1000/hour
DISABLE_STATISTICS=False
ADMIN=false
WEBMAIL=roundcube
WEBDAV=none
ANTIVIRUS=clamav
MESSAGE_SIZE_LIMIT=50000000
RELAYNETS=172.21.0.0/16
RELAYHOST=
FETCHMAIL_DELAY=600
RECIPIENT_DELIMITER=+
DMARC_RUA=admin
DMARC_RUF=admin
WELCOME=false
WELCOME_SUBJECT=Welcome to your new email account
WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly!
WEB_ADMIN=/home/username/webstack/mailu/admin
WEB_WEBMAIL=/home/username/webstack/mailu/webmail
SITENAME=My Domain
WEBSITE=https://mydomain.com
COMPOSE_PROJECT_NAME=mailu
PASSWORD_SCHEME=SHA512-CRYPT
ENABLE_CERTBOT=True

I still get doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 59: ssl_cert: Can't open file /certs/cert.pem: No such file or directory

The problem is that the cert is not created. But i am afraid that this is not possible due to JrCs/docker-letsencrypt-nginx-proxy-companion that has already created the certificates and placed them in the common folder that shares with nginx-proxy. I thought to edit docker-compose.yml and give the same path for the certs folder but i see that mailu needs cert.pem and key.perm names but in the folder i am speaking about there are certificate files with the name of the domains. For example

mail.mydomain.com.chain.pem
mail.mydomain.com.crt
mail.mydomain.com.dhparam.pem
mail.mydomain.com.key

On your server, there should be a folder named

/etc/letsencrypt/live/(yourdomainname)/

That has the following files:

cert.pem chain.pem fullchain.pem privkey.pem README

If not then:

1: close mailu/nginx:1.5.1 or any service that runs on 443
docker stop mailu_front_1
3 cd into certbot and
./certbot-auto certonly --standalone --email [email protected] -d yourdomain.com

Then change

    volumes:
      - "$ROOT/certs:/certs"

to

    volumes:
      - "/etc/letsencrypt/live/(yourdomainname):/certs"

In the docker-compose

do

docker-compose up -d to se If your server runs.

Alternativly you can create a script that Copy and rename the certificate files you allready have

cp /url/to/mail.mydomain.com.chain.pem /mailu/cert/letsencrypt/live/yourdomainname/chain.pem

mail.mydomain.com.chain.pem
mail.mydomain.com.crt
mail.mydomain.com.dhparam.pem
mail.mydomain.com.key

As a more general feedback, the changes you did to your Docker compose file will probably impact mail serving later. You should use the default Docker compose file and simply comment out and expose ports 80 and 443.

Then, either use the cert mode and copy the certificates from your jwilder companion, or use mail-letsencrypt. That last mode will let jwilder companion take care of the certificate for HTTPS requests and Mailu will still get a certificate from letsencrypt for Dovecot and Postfix directly.

Hello, I use nginx-proxy, docker-letsencrypt-nginx-proxy-companion and mailu.
Change MAIL.DOMAINE.COM,EMAIL.
Becare full, I separate network proxy and network proxy for the security.

• FILE docker-compose.yml

### version: '3'
networks:
  mail_network:
     driver: bridge
  proxy:
    external:
      name: proxyhttp_default 

services:
  front:
    image: mailu/nginx:$VERSION
    restart: always
    env_file: .env
    environment:
      - LETSENCRYPT_HOST=MAIL.DOMAINE.COM
      - LETSENCRYPT_EMAIL=EMAIL
      - VIRTUAL_HOST=MAIL.DOMAINE.COM
      - VIRTUAL_NETWORK=proxyhttp_mail_network
      - VIRTUAL_PORT=80
    ports:
    - "$BIND_ADDRESS4:110:110"
    - "$BIND_ADDRESS4:143:143"
    - "$BIND_ADDRESS4:993:993"
    - "$BIND_ADDRESS4:995:995"
    - "$BIND_ADDRESS4:25:25"
    - "$BIND_ADDRESS4:465:465"
    - "$BIND_ADDRESS4:587:587"
    - "$BIND_ADDRESS6:110:110"
    - "$BIND_ADDRESS6:143:143"
    - "$BIND_ADDRESS6:993:993"
    - "$BIND_ADDRESS6:995:995"
    - "$BIND_ADDRESS6:25:25"
    - "$BIND_ADDRESS6:465:465"
    - "$BIND_ADDRESS6:587:587"
    networks:
      - mail_network
      - proxy
    volumes:
      - "$PATH_PROXY_STORE/certs/MAIL.DOMAINE.COM/:/certs"

• File .env

TLS_FLAVOR=mail

I also have Mailu working with nginx-proxy and docker-letsencrypt-nginx-proxy-companion. I'm using a similar approach to what Archie1978 has posted including TLS_FLAVOR=mail, but hard-linking the certs into a place that Mailu expects them. See https://projects.torsion.org/witten/provisioning/src/branch/master/roles/mail_server/tasks/main.yml#L30 for more info.

It's cool that this can be made to work, but it would be great if this was a more supported configuration, because nginx-proxy seems pretty commonly used with Docker Compose.

Hey Guys,

I'm having a different but related issue. The following is my configuration:

version: '3'
services:
front:
image: mailu/nginx:$VERSION
restart: always
env_file: .env
environment:
- LETSENCRYPT_HOST=mail.dev.fjorlande.org
- [email protected]
- VIRTUAL_NETWORK=webproxy
- VIRTUAL_PORT=80
ports:
- "$BIND_ADDRESS4:110:110"
- "$BIND_ADDRESS4:143:143"
- "$BIND_ADDRESS4:993:993"
- "$BIND_ADDRESS4:995:995"
- "$BIND_ADDRESS4:25:25"
- "$BIND_ADDRESS4:465:465"
- "$BIND_ADDRESS4:587:587"
expose:
- '80'
- '443'
volumes:
- "/app/proxy/etc/nginx/certs/mail.dev.fjorlande.org/:/certs"
networks:
- mailu
- webproxy

The content of /app/proxy/etc/nginx/certs/mail.dev.fjorlande.org/ is the following:

xxxx$ ls -la /app/proxy/etc/nginx/certs/mail.dev.fjorlande.org
total 28
drwxr-xr-x 2 root root 4096 Feb 23 16:29 .
drwxr-xr-x 5 root root 4096 Feb 23 16:28 ..
lrwxrwxrwx 1 root root 63 Feb 23 16:29 account_key.json -> ../accounts/acme-v01.api.letsencrypt.org/directory/default.json
-rw-r--r-- 1 root root 2272 Feb 23 15:09 cert.pem
-rw-r--r-- 1 root root 1646 Feb 23 15:09 chain.pem
-rw-r--r-- 1 root root 0 Feb 23 16:29 .companion
-rw-r--r-- 1 root root 3919 Feb 23 15:09 fullchain.pem
-rw-r--r-- 1 root root 3271 Feb 23 15:09 key.pem

TLS Flavor:

TLS_FLAVOR=mail

Content of cert.pem:

-----BEGIN CERTIFICATE----- MIIGYjCCBUqgAwIBAgISBMXPuU/7Fove99dCUUTPR4omMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAyMjMxMzA5MDNaFw0x OTA1MjQxMzA5MDNaMCExHzAdBgNVBAMTFm1haWwuZGV2LmZqb3JsYW5kZS5vcmcw ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDz2wtfZUCCRnjL76devkyh 581daQIWaN6yAi4cF/UsVnWWcczDxQPydsKv6+NILmJX3/5+Z6WwYmN8t0sj2u7q B9O4QQwNEQU1KOLZwukOgDeC3F1yFsBKEeuOXZA6RlREkrWBbYqQ6Wknfpq3+9Gc a9Dga4nS6ErOcsu9e0YkgLR9UOE8Uj7nqdUL2Z8jy3ouadLuEmftKuVYivWDyV5c MYIvDdye22V7Iw9WEle5LA0bXOrbzcr3jjDhMaWBl2ZBvq9O9C+ClJEgOsHafmL1 EdWLs3usE9ObGmiIBBvrFihLfAO71L0OxBi6i0UWhVJKmR7F3S1dyVGbZWdTktvT C9b3nC0GR4PKk7ZyfFYWC+R9cFzgyrOpaVSxyuPniBpS75JyJfdigz6gvsVmt9A9 LiEX7i6/efOc1zSdbUdoBcDP+bTbEC4N5NsdMvJ5SMP2tUlOASf/5wINnlaZZ9r0 43mw8dZQOP+3l2NBtWBHS75shsgQGYw77bgH3IfA2W9IT9ouJS3z0gKbhZsM5+9b dOBO8lDBXA8DlbK/H2cxRU5LU3CAxNYPyNqKUqPjqTb7UJGeGWQX3s0BOVDK3dh0 Dg0vEidHfW8FAQfGLdo6wRilSw//g+l9ZYRhR6Mod4oXISB6UdyfcnqxNvQKlVNh t0nHosor7OoHULIBU2XA5QIDAQABo4ICaTCCAmUwDgYDVR0PAQH/BAQDAgWgMB0G A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud DgQWBBSwYcmj1WA5dcFFmxpVC0K7VcVYdTAfBgNVHSMEGDAWgBSoSmpjBH3duubR ObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9v Y3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9j ZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMCEGA1UdEQQaMBiCFm1haWwuZGV2 LmZqb3JsYW5kZS5vcmcwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMB AQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEC BgorBgEEAdZ5AgQCBIHzBIHwAO4AdQB0ftqDMa0zEJEhnM4lT0Jwwr/9XkIgCMY3 NXnmEHvMVgAAAWkasBy3AAAEAwBGMEQCIFPgtA4SXKdAsX3qhTrITh7iZ4Llkv2K +mfEcT3Lf5QwAiAt3A0qYEbIs6xRq/6kJMyts1ZAI0mhVMnNyv4O0d/hrAB1AGPy 283oO8wszwtyhCdXazOkjWF3j711pjixx2hUS9iNAAABaRqwHNYAAAQDAEYwRAIg V2atbn9JDjryB4rY2/KuQ5keyJvzLh1B3DfPcvOJ/WQCIGbpRXdgX3PpfxY1rEYe Jpwb1Uj2BJSvE1WThlXELUkgMA0GCSqGSIb3DQEBCwUAA4IBAQBxoVsfYduUUUE2 E5r4H+XcAotwKcqCvM0J3NUMnWTtyDcWUQLRcAteO1IGsqmHGefRYKX0iV759WC6 FY98EHMAYN+Q1U3hzCMecH4kpDdl7WR9kvoPGGu9Q0OEq0EZi/ie90b68vLj4t4K 42xQeu+zyPOeQ9CWHvbyN/fvyGxYBKBG7Mj6OXCJop9keqfPvege0lZ7dFvtSA4+ F2yZEN2m0kie+yC8PAHACfV3zyRIkU3lUpAA4qZzfRMgq2NDSl+G32ZkdtG1drU3 CCqwSjFPB3ZyJMiGv61gg0aY53bb/kHr9g8ZqikgHW+E0dWu9+oobSd/DFnT5UH7 bMnSbRWT -----END CERTIFICATE-----

But when i access: mail.dev.fjorlande.org the browser returns the following certificate (tensencrypt-companion):

BEGIN CERTIFICATE----- MIIE1DCCArwCCQCF5ob37ctpcjANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDDCFs ZXRzZW5jcnlwdC1uZ2lueC1wcm94eS1jb21wYW5pb24wHhcNMTkwMjIzMTM1MDQw WhcNMjAwMjIzMTM1MDQwWjAsMSowKAYDVQQDDCFsZXRzZW5jcnlwdC1uZ2lueC1w cm94eS1jb21wYW5pb24wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2 jpVlUPg5r8QcWx2QhXm++Htr9QQlg9lRvCCaGP4kYGSs/UdGbp9rJrx7b3VEE2In TH6KyYKhFv1ZL1+iI5PdPUtfUXfJC/u6I27mSDOGXKMupGniB+4HHVHMfvCofADS 6NHq1C96tw7KVFMGJw7L7kvixKe4yg0SWBSUCb6ARiT7xZgOz2QBDdLVihCLBxtq yTZLaMYuIWvI3rjFeAEL2i3YlsTuileH/msy0+9UATA/J3/ywkZF4I9aQwMfJe1l td+lGjg3oNhRuzLuWgvWWy8De8plicdhgalxXOM7g7+w4zgooJ70ThoqDkG9IZAn MtrL6nbJvVtoshmjg68SIgGOGVESJm5r3yfAQM8of5BaOVoQXo1AYpgv3sPERWXw nQ6bs06gqhpDfn+TZJIpGCgpiHQBRL7enMc22ObEL0W3rQrTu4WPkdPdXqpx2wE/ 5lt2qvdqzWw/sMBp1GuSGu2D2nES3xZL1RuR2q7/zw5dzw3LBTQKjAyIUqcHVIvx 24ddS/4gjHpOMdNLVJFaOzBrSz4dltcYUJpOPfZhcqr0dfhNqXrTrmty26Eh2Esu jKgKEyi9huLTvu2qRm/W443mEDPJh1qj2ZDpy7LwSn/50Gagt2eZ3mGvsc3RHVJd MVeKM1r09L8TepsVQUsiqJe1mJJ/Coh756mMtmTk2wIDAQABMA0GCSqGSIb3DQEB CwUAA4ICAQCA1T6cmf4FnyhDCVXa+XqTcf/IsGuB/HI1712vl6y2hc9czAX4wvwr +Wr5fNuiTetANHZLyiGFzFkQCeRL6lasEydcqXMKzFBYnFwtAhAMjnJG5OXpuKGz tIgZvKlDhytXwtf9r9HJc3SN2QmpCPgacdHuG9IlG6H6J8Bf9M/tUwSWmclQmJdi 21XgpwfOa3VWT5uD7nx9DZwb/X83JzZio0tODSDMsgrbuUIxjTymjjF2Lwe1hyUz UAY1BSUfzsDvyxeAdyzE9D7iSL17ZHKdhDx87rZd0SgqOIiw5Cuvf6YugDCDF7F7 3w1gN8HS1kXzqoULreM29pZhEA4zw7YBJqMce4/Dhbg5V6nHH13wQ/HLWut0ncNm 1tkmGRF3S7Rvm/OaQCpGz2xQ7bPTPV7a0EC113ShW+TxMSwLHGWonTjR1xWauHQs sfodkoqlzYzBaNI/JZCyJIYpvs+982l65fpTHDmkvYUxEtRkqcly0XMpg4zfyZMd ABAMmp2L8c5OAiqo0BqiW84iEacPTYR0+3OUfTaQaOQY+buPQBhZSgNwJf9O2/82 WpBii6qiFClgpfYvfNd+bC19CEcYAGWKuDo3yGkAtksYdWjEVQPc4ALk5jx7bFA7 psCH6BS0VCj+PL5q/TtvDNdryvCwiBWj8dk25giXESK6BV0J0EmSqA== -----END CERTIFICATE-----

Any ideas?

I don't see anything obviously causing this.. You've got the certs directory mounted in the right place, and you've got the correctly named cert/key files. One thing that's a little off is that you probably don't need expose for port 443 here. Just 80. Because nginx-proxy fronts the actual 443 https traffic and then talks to your container (in this case Mailu's own nginx container) over port 80. Probably unrelated to your problem, but who knows?

I don't see anything obviously causing this.. You've got the certs directory mounted in the right place, and you've got the correctly named cert/key files. One thing that's a little off is that you probably don't need expose for port 443 here. Just 80. Because nginx-proxy fronts the actual 443 https traffic and then talks to your container (in this case Mailu's own nginx container) over port 80. Probably unrelated to your problem, but who knows?

Unfortunately didn't solve the problem.