letsencrypt certificate expired #3429
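You should probably share how you're mounting the certs to DMS container as well? Is it the same volume mount as you've got in your `docker run` snippet above? I am guessing you're following the Certbot LetsEncrypt advice in our docs?

If it's using an old certificate, maybe look at what the container itself sees. It's possible that it's not aware of the updated file contents internally. If the file has changed, then probably what needs to happen is Postfix/Dovecot is restarted, this should happen by default unless you're using LDAP.

If you are using LDAP you'll have to manually restart the DMS service (`docker compose up --force-recreate`) and it should work then. In future that may not be required, just requires some additional work to our change detector support.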
Thanks for your kind reply, and apologies for the delay on my
side. There was some other trouble because of which I was unable to
work on the server. Am back at it now.
> You should probably share how you're mounting the certs to DMS container as well?

This is how the volumes are mounted in docker-compose.yml:
```yml
volumes:
  - ./docker-data/certbot/certs/:/etc/letsencrypt
  - ./docker-data/dms/mail-data/:/var/mail/
  - ./docker-data/dms/mail-state/:/var/mail-state/
  - ./docker-data/dms/mail-logs/:/var/log/mail/
  - ./docker-data/dms/config/:/tmp/docker-mailserver/
  - ./config/dovecot/10-custom.conf:/etc/dovecot/conf.d/10-custom.conf
  - ./certs/:/certs
  - /etc/localtime:/etc/localtime:ro
```
> Is it the same volume mount as you've got in your docker run snippet above?

Yes, I think.
```bash
docker run --rm -it \
-v "${PWD}/docker-data/certbot/certs/:/etc/letsencrypt/" \
-v "${PWD}/docker-data/certbot/logs/:/var/log/letsencrypt/" \
-p 80:80 \
certbot/certbot certonly --standalone -d mymailhost.com
```
> I am guessing you're following the Certbot LetsEncrypt advice in our docs?

The only problem I have is that the same server also runs
Nextcloud. So, I manually update my ssl certs by shutting down the
Nextcloud dockers, and then running the above docker run commands.

> If it's using an old certificate, maybe look at what the container itself sees.

Can you kindly tell me how to do this? How do I find out what the container sees?

> It's possible that it's not aware of the updated file contents internally. If
> the file has changed, then probably what needs to happen is Postfix/Dovecot is
> restarted, this should happen by default unless you're using LDAP.

No, I am not using LDAP (I wanted to, but could not figure out how to. Am not very familiar with LDAP.)

> If you are using LDAP you'll have to manually restart the DMS service (docker
> compose up --force-recreate) and it should work then. In future that may not be
> required, just requires some additional work to our change detector support.

I did `docker compose up --force-recreate` anyway but I get loads of errors like this:
```
mailserver | Jul 23 10:07:46 mymailhost postfix/smtps/smtpd[1530]: Anonymous TLS connection established from unknown[xx.xxx.xx.xxx]: TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)
mailserver | Jul 23 10:07:48 mymailhost postfix/smtps/smtpd[1512]: warning: unknown[xx.xxx.xx.94]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mailserver | Jul 23 10:07:48 mymailhost postfix/smtps/smtpd[1507]: lost connection after AUTH from unknown[xx.xxx.xx.xxx]
mailserver | Jul 23 10:07:48 mymailhost postfix/smtps/smtpd[1507]: disconnect from unknown[xx.xxx.xx.116] ehlo=1 auth=0/1 rset=1 commands=2/3
mailserver | Jul 23 10:07:49 mymailhost postfix/smtps/smtpd[1541]: lost connection after AUTH from unknown[xx.xxx.xx.147]
mailserver | Jul 23 10:07:49 mymailhost postfix/smtps/smtpd[1541]: disconnect from unknown[xx.xxx.xx.147] ehlo=1 auth=0/1 rset=1 commands=2/3
mailserver | Jul 23 10:07:50 mymailhost postfix/smtps/smtpd[1512]: lost connection after AUTH from unknown[xx.xxx.xx.94]
mailserver | Jul 23 10:07:50 mymailhost postfix/smtps/smtpd[1512]: disconnect from unknown[xx.xxx.xx.94] ehlo=1 auth=0/1 rset=1 commands=2/3
mailserver | Jul 23 10:07:57 mymailhost dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xx.xx, lip=xxx.xx.x.x, TLS: read(size=719) failed: Connection reset by peer, session=<zF3eDyABYMl6sFhV>
mailserver | Jul 23 10:07:58 mymailhost postfix/smtps/smtpd[1507]: connect from unknown[xxx.xx.xx.xxx]
```
Appreciate your help.
Thanks,
V.
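
One way to check "what the container sees", as an added example that is not part of the original thread: compare the certificate on the host, the one visible inside the container, and the one the IMAPS listener actually serves. The container name `mailserver` (taken from the log prefix), port 993, and certbot's usual `live/<domain>/fullchain.pem` layout are assumptions.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the thread. Assumed: container name
# "mailserver" (the log prefix), IMAPS on port 993, and certbot's standard
# live/<domain>/fullchain.pem layout under the mounted directory.
DOMAIN="${DOMAIN:-mymailhost.com}"
CONTAINER="${CONTAINER:-mailserver}"
HOST_DIR="${HOST_DIR:-./docker-data/certbot/certs}"
LIVE="live/$DOMAIN/fullchain.pem"

# SHA-256 fingerprint of the first PEM certificate read from stdin.
cert_fp() { openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

# "valid" if the certificate on stdin is still valid N seconds from now
# (default 0 = right now), otherwise "expired-or-expiring".
cert_state() {
  if openssl x509 -noout -checkend "${1:-0}" >/dev/null 2>&1; then
    echo valid
  else
    echo expired-or-expiring
  fi
}

# "match" if two PEM files hold the same leaf certificate, else "differ".
compare_certs() {
  if [ "$(cert_fp < "$1")" = "$(cert_fp < "$2")" ]; then
    echo match
  else
    echo differ
  fi
}

# The three places the certificate can be observed.
host_cert()      { cat "$HOST_DIR/$LIVE"; }   # may need root on the host
container_cert() { docker exec "$CONTAINER" cat "/etc/letsencrypt/$LIVE"; }
served_cert() {
  openssl s_client -connect "$DOMAIN:993" -servername "$DOMAIN" \
    </dev/null 2>/dev/null
}

# One line per source: fingerprint and validity. Differing fingerprints
# show which layer (bind mount or running daemon) still has the old cert.
report() {
  for src in host_cert container_cert served_cert; do
    pem=$("$src" 2>/dev/null) || { echo "$src: unavailable"; continue; }
    printf '%s: %s %s\n' "$src" \
      "$(printf '%s\n' "$pem" | cert_fp)" "$(printf '%s\n' "$pem" | cert_state)"
  done
}

if [ "${1:-}" = "report" ]; then report; fi
```

Run it with the `report` argument from the directory that holds `docker-compose.yml`. If the host and container fingerprints differ, the mount is the problem; if only the served one differs, the daemons have not reloaded the file.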
When I update my ssl certificate using the following command, I get the message that the certificate is not yet due for renewal.
"You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry."
But docker-mailserver picks up the older ssl certificate, and I get an error that the certificate has expired. I am unable to poll the imap server because of this. Also https://www.sslchecker.com/sslchecker shows:
I would greatly appreciate it if somebody could help me resolve this problem. My mail server has suddenly become unusable because of this.