Add ability to map Certificates through Volume

Issue #79 open
Former user created an issue

Hi,

It would be really nice if we could map the certificate paths with Volumes ( files directly, if possible ).

Something like this:

docker run \
    -p 25:25 \
    -p 80:80 \
    -p 443:443 \
    -p 110:110 \
    -p 143:143 \
    -p 465:465 \
    -p 587:587 \
    -p 993:993 \
    -p 995:995 \
    -v /etc/localtime:/etc/localtime:ro \
    -v /your-data-dir/data:/data \
    -v /path/to/cert.key:/opt/www/certs/cert.key:ro \
    -v /path/to/cert.pem:/opt/www/certs/cert.pem:ro \
    -t analogic/poste.io

This would provide really big flexibility if you already have an external SSL provider or daemon or source provider running, where you can just replace the files on the host and reboot the docker.

This would really make a big difference!

Thank you in advance, Julian

Comments (17)

  1. Trevor Ferre

    Julian, my workaround to this issue is the following. Within the /data dir there is an ssl folder... and you can modify them from the host... or if you have your ssl files somewhere else you could symlink them within the data/ssl folder on your host...

  2. Former user Account Deleted reporter

    Thank you very much! I didn't notice it, sorry. I'll try then that asap :)


    Ok I tested by hardlinking server.crt and server.key ( since symlinks within Docker were not resolving ) but when I restart the Docker I get this:

    * https web server configuration
    * initalizing host defaults
    * initalizing settings for domains
    Warming up the cache for the prod environment with debug false
    * initalizing certificate
    Generating RSA private key, 2048 bit long modulus
    ............................+++
    ...+++
    e is 65537 (0x10001)
    Generating RSA private key, 1024 bit long modulus
    .....................................................++++++
    .....................................++++++
    e is 65537 (0x10001)
    Signature ok
    subject=/C=XY/ST=unknown/L=unknown/O=QSMTPD/OU=Server/CN=3f3521ebcf32/emailAddress=postmaster@3f3521ebcf32
    Getting CA Private Key
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    .................................................+...........+.......................................................................................+...................................................................................................................................................................+................+.........................................................+................................................................................................................................................+.........................................................................+............................................................................................+...................................................................+...........................................................................................................................................................................................................................................................................+..........................................................................................................................+...................+...........................................................................................+..................................................................................+.................................................................................+........................................................................................................+....................................................................+..........................................................................+.................................................+............................................................................................................................................................................+.+..................................+..................................................
...............................+..................................................................................................................+......................................+.........................+.+..................+............................................................................................................................................................+...+.................................................................+............................................................................................................................................................................+..+............+....................................................................................................+.................+................................+...............................................+...........................................................+.....................+.....+............+.....................................................................................................................................................................................................................................................................................................................................................+...................................................+...........................+.......................+.............................................................................................+..............+................................................................................................................................................................................................................................................................................................+.................................+............................................................................................................+...............................................................
...+...........................................................................................................................................................+................................................................................................................+....................................................................+.............+.....................................................................................................................................+.............+.+.....................................................+...........+....................................................................................................................................+.........................................................+...................................................................................................................................................................................................................+.......................................................................................................+..........................................................................................................+........................................+.........................................+......................+.................................................................................................................+................................++*++*
    mv: cannot move 'ssl' to 'config/ssl': File exists
    mv: '/opt/qpsmtpd/config/ssl/qpsmtpd-server.key' and '/etc/ssl/server.key' are the same file
    mv: '/opt/qpsmtpd/config/ssl/qpsmtpd-server.crt' and '/etc/ssl/server.crt' are the same file
    mv: '/opt/qpsmtpd/config/ssl/qpsmtpd-ca.crt' and '/etc/ssl/ca.crt' are the same file
    Generating DSA parameters, 4096 bit long prime
    ..+.........+.....+...............+..+..+.........................+..............+.......+..+++++++++++++++++++++++++++++++++++++++++++++++++++*
    .+............+......+..........+..........+..........+...........................+........+..+..............+.........+....+..+...........+.+.......+..+...+..................+..+.....+.......+....+...+................+.......+..+...........+..+........+..+......................+................+.........+........+.....+.+..................+...+.+...+......+....+...+.....+..........................+......+..........+....+......+.+.........+.......+..+......+.....+...+...+....+.......+.......+..........+.+....+....+.......+....+....+.......+...+...........+.....+.................+......+..+................................+..............................+......................+.........+.+......+.....................+....+.+..+.....................+...+.......................+.+..................+..+....+...........+.....+.+...+..+..........+..+.......+..................+........+......+....+...+.................+...+....+..........+........+...+....+.+.........................+......+...+....+..+.....+..+......................+...........+.....+..+..........+.+......+....+.........+............+...+......+.+.................+...........+.....................+............+...........+.+........+...+......+.................+..................+...+....+...+......+........+...+....+...+.........+.....................+...+...+.+.+..+..+......+++++++++++++++++++++++++++++++++++++++++++++++++++*
    
    ********************************************
     Poste.io container should be running now
     local address is http://172.17.0.12
    ********************************************
    

    What am I missing here? The option for let's encrypt on the admin panel is disabled. And if I test the connection the SSL cert is totally wrong.

    This is another test result that may help to understand what I am talking about:

    [002.024]   --> STARTTLS
    [002.145]   <-- 220 Go ahead with TLS
    [002.145]       STARTTLS command works on this server
    [002.406]       SSLVersion in use: TLSv1.2
    [002.406]       Cipher in use: ECDHE-RSA-AES128-SHA256
    [002.406]       Connection converted to SSL
    [002.436]       
    Certificate 1 of 3 in chain:
    subject= /C=XY/ST=unknown/L=unknown/O=QSMTPD/OU=Server/CN=3f3521ebcf32/emailAddress=postmaster@3f3521ebcf32
    issuer= /C=XY/ST=unknown/L=unknown/O=QSMTPD/OU=CA/CN=3f3521ebcf32/emailAddress=postmaster@3f3521ebcf32                                              
    [002.464]       
    Certificate 2 of 3 in chain:
    subject= /C=XY/ST=unknown/L=unknown/O=QSMTPD/OU=Server/CN=3f3521ebcf32/emailAddress=postmaster@3f3521ebcf32
    issuer= /C=XY/ST=unknown/L=unknown/O=QSMTPD/OU=CA/CN=3f3521ebcf32/emailAddress=postmaster@3f3521ebcf32                                                
    [002.488]       
    Certificate 3 of 3 in chain:
    subject= /C=XY/ST=unknown/L=unknown/O=QSMTPD/OU=Server/CN=3f3521ebcf32/emailAddress=postmaster@3f3521ebcf32
    issuer= /C=XY/ST=unknown/L=unknown/O=QSMTPD/OU=CA/CN=3f3521ebcf32/emailAddress=postmaster@3f3521ebcf32                                                  
    [002.489]       Cert NOT VALIDATED: unable to get local issuer certificate
    [002.489]       this may help: What Is An Intermediate Certificate
    [002.489]       So email is encrypted but the domain is not verified
    [002.489]       Cert Hostname DOES NOT VERIFY (mail.julianxhokaxhiu.com != 3f3521ebcf32)
    [002.490]       So email is encrypted but the host is not verified
    [002.490]   ~~> EHLO checktls.com
    

    Of course the certificate is the same used on http://mail.julianxhokaxhiu.com ( identical .crt and .key ), but I cannot understand why the SMTP server for example is using the wrong one. Funny fact: If I docker exec inside the poste.io docker and I cat the files, the content is RIGHT but the SMTP server is providing a wrong crt :\

  3. Trevor Ferre

    you only mention linking two files... there are three files you have to copy or link...

    ca.crt is your cert chain, server.crt is your domain cert, server.key is the server.crt key

    my guess is you didn't copy your chain over, that's why the cert chain is screwed up...

  4. Former user Account Deleted reporter

    Dear @tjferre, I tested your method and I saw that the ca.crt, even after it is generated by you, is anyway IDENTICAL to the intermediate certificate inside the server.crt file ( which already has an intermediate cert inside ).

    Because of this I now cannot understand why the chain is still broken. It would be awesome to understand it...

  5. SH repo owner

    There is a problem with the initial ssl settings - for the last couple of weeks we were refactoring internals. I will check this bug in the near future but it's low prio...

  6. Former user Account Deleted reporter

    Hi there, have you had any chance to check this?

    Thanks in advance, Julian

  7. SH repo owner

    Don't use volume, use /data/ssl folder. I've tested it right now with hardlinks and it works ok... Please reopen and paste some logs if it is still happening...

  8. Former user Account Deleted reporter

    Although I tested the method and now it works, is it possible to have a detailed step-by-step instruction list written somewhere? It would be highly appreciated.

    Best regards, Julian

  9. Greg

    Hi, I'm trying to figure out how to do this for the first time.

    I have a custom Let's Encrypt setup that handles certificate generation.

    • I want to use the -v flag (or volumes: key in docker-compose.yml) to map the generated certificates into the poste container
    • I want to make sure that the poste container doesn't attempt to generate its own certificate via its built-in LE

    How to do this? It's not clear from this issue, and I don't know what this means:

    Don't use volume, use /data/ssl folder.

    What do I do? Do you need to set HTTPS=OFF? (I'm assuming you do).

    But then how do you link in the certificates into the container?

    volumes:
      - ./path/to/fullchain.pem:/data/ssl/ ... ?
      - ./path/to/privkey.pem:/data/ssl/ ... ?
    

    Or is this impossible?

  10. Greg

    To be clearer, here is what my volumes: currently looks like:

        volumes:
          - /etc/localtime:/etc/localtime:ro
          - ./vol/poste:/data:Z
    

    What should I do to pass in the certificate?

    Is it possible to have a volume-within-a-volume?

        volumes:
          - /etc/localtime:/etc/localtime:ro
          - ./vol/poste:/data:Z
          - ./vol/letsencrypt/live/mail.mydomain.com:/data/ssl:ro      # like this ?
    

    Or do I need to manually copy the files somewhere...?

  11. SH repo owner

    there is /data/ssl/README.md:

    This directory is supposed to have 3 keys which are copied to various places in the mailserver.
    
     - ca.crt
       Certification authority public keys (or "intermediate certificate"). There is 
       "-----BEGIN CERTIFICATE-----" once or more times.
    
     - server.crt
       Your public key generated by your CA. It should have one "-----BEGIN CERTIFICATE-----"
       in it
    
     - server.key
       Your private key, it should have "-----BEGIN RSA PRIVATE KEY-----" in it
    
  12. Greg

    Thank you! I'll give it a try. In case it helps someone else, here's how I plan to do it:

    I plan on making two bind mounts, one for the Let's Encrypt folder containing the certificates, and in the /data/ssl directory I will make symlinks to that first bind mount:

        volumes:
          - /etc/localtime:/etc/localtime:ro
          - ./vol/secrets/${ENV}/letsencrypt/archive/${POSTE_HOSTNAME}:/letsencrypt:ro
          - ./vol/poste:/data:Z
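The README quoted above says what /data/ssl must contain, and Greg's plan above mounts the Let's Encrypt directory next to it. What the thread never shows is how to get from Let's Encrypt's fullchain.pem / privkey.pem to the ca.crt / server.crt / server.key triple, and how to check the result before restarting the container, which is where both the "unable to get local issuer certificate" and the "Cert Hostname DOES NOT VERIFY" lines in the checktls report come from. The script below is an added example, not code from poste.io or from anyone in this thread. It assumes the /data/ssl layout from the README, that fullchain.pem is the leaf certificate followed by its intermediates (the usual Let's Encrypt layout), and that `openssl` is installed on the host; the function names `install_poste_certs` and `verify_poste_certs` and every path in the usage comment are made up for the example. It copies the files rather than symlinking them, because the reporter found that symlinks are not resolved inside the container while hardlinks and real copies are.

```shell
#!/bin/sh
# Added example, not poste.io project code. Splits a Let's Encrypt fullchain.pem
# into the server.crt / ca.crt / server.key triple described by /data/ssl/README.md,
# copies the files into place and sanity-checks them with openssl.
# Usage (paths are assumptions):
#   install_poste_certs /etc/letsencrypt/live/mail.example.com/fullchain.pem \
#       /etc/letsencrypt/live/mail.example.com/privkey.pem \
#       /your-data-dir/data/ssl mail.example.com
# then restart the container so its init script picks the new files up.
set -eu

# install_poste_certs FULLCHAIN PRIVKEY DEST_DIR HOSTNAME
install_poste_certs() {
    fullchain=$1; privkey=$2; dest=$3; host=$4
    mkdir -p "$dest"
    # Start with an empty ca.crt so a fullchain without intermediates is caught below.
    : > "$dest/ca.crt"
    # The first "BEGIN CERTIFICATE" block is the leaf -> server.crt (exactly one cert);
    # every following block is chain material -> ca.crt ("once or more times", per the README).
    awk -v leaf="$dest/server.crt" -v chain="$dest/ca.crt" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf }
        n > 1  { print > chain }
    ' "$fullchain"
    # Copy, do not symlink: symlinks were reported as not resolving inside the container.
    cp "$privkey" "$dest/server.key"
    chmod 600 "$dest/server.key"
    verify_poste_certs "$dest" "$host"
}

# verify_poste_certs DEST_DIR HOSTNAME -- returns non-zero on the first problem found
verify_poste_certs() {
    dir=$1; host=$2
    # server.crt must hold the leaf only, never the whole chain.
    [ "$(grep -c 'BEGIN CERTIFICATE' "$dir/server.crt")" -eq 1 ] \
        || { echo "server.crt must contain exactly one certificate" >&2; return 1; }
    # ca.crt must hold at least the intermediate that issued server.crt.
    [ "$(grep -c 'BEGIN CERTIFICATE' "$dir/ca.crt")" -ge 1 ] \
        || { echo "ca.crt is empty: the intermediate chain is missing" >&2; return 1; }
    # server.key must be the private half of server.crt: compare the public keys
    # (works for RSA and EC keys alike).
    pub_from_cert=$(openssl x509 -in "$dir/server.crt" -noout -pubkey | openssl sha256)
    pub_from_key=$(openssl pkey -in "$dir/server.key" -pubout | openssl sha256)
    [ "$pub_from_cert" = "$pub_from_key" ] \
        || { echo "server.key does not match server.crt" >&2; return 1; }
    # Issuer link, validity dates and hostname in one go. -partial_chain accepts the
    # intermediate in ca.crt as the trust anchor; to chain all the way to the system
    # root store instead, drop -partial_chain -CAfile and pass -untrusted "$dir/ca.crt".
    openssl verify -partial_chain -CAfile "$dir/ca.crt" -verify_hostname "$host" \
        "$dir/server.crt" >/dev/null \
        || { echo "server.crt does not chain to ca.crt or does not match $host" >&2; return 1; }
}
```

The last check reproduces what checktls.com complained about in the report above: a chain that does not reach the issuer in ca.crt fails with "unable to get local issuer certificate", and a certificate whose name does not match the mail hostname fails the hostname check. Running it on the host before restarting the container means a bad copy is caught on the host instead of being served to mail clients.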
    
  13. Greg

    @analogic How many domains does Poste need HTTPS certs for?

    Is it one-per-virtual-domain? Or is it just the mail.example.com domain?
