mailcow-dockerized
mailcow-dockerized copied to clipboard
mailcow
Include Domain Alias in SSL Certificate
Contribution guidelines
- [X] I've read the contribution guidelines and wholeheartedly agree
I've found a bug and checked that ...
- [X] ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
- [X] ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
- [X] ... I have understood that answers are voluntary and community-driven, and not commercial support.
- [X] ... I have verified that my issue has not been already answered in the past. I also checked previous issues.
Description
I just added an Domain-Alias and added the DNS Entries as given in the form which opens by clicking on the light-blue DNS button on the Domain Alias Page. After doing so I restarted my ACME Docker Container to add the subdomains to my SSL-Certificate. I expected the Subdomain autodiscover.alias-domain.com as well as autoconfig.alias-domain.com. I also expected imap.alias-domain.com and smtp.alias-domain.com because of the following line in my mailcow.conf: ADDITIONAL_SAN=imap.*,smtp.*. None of the given Subdomains showed up in the Certificate and the logs only contain the existing non alias domains.
Logs
ACME: Certificates were successfully validated, no changes or renewals required, sleeping for another day.
Steps to reproduce
- add alias domain
- restart ACME-Container
- check certificate and logs
System information
| Question | Answer |
|---|---|
| My operating system | Linux - Debian |
| Is Apparmor, SELinux or similar active? | No |
| Virtualization technlogy (KVM, VMware, Xen, etc - LXC and OpenVZ are not supported | KVM |
| Server/VM specifications (Memory, CPU Cores) | 2 CPU Cores, 8GB of Memory |
Docker Version (docker version) |
20.10.14 |
Docker-Compose Version (docker-compose version) |
1.29.2 |
| Reverse proxy (custom solution) | / |
Output of git diff origin/master, any other changes to the code? If so, please post them:
Nothing except the data/assets/ssl-example/cert.pem and the data/assets/ssl-example/key.pem which always differ
All third-party firewalls and custom iptables rules are unsupported. Please check the Docker docs about how to use Docker with your own ruleset. Nevertheless, iptabels output can help us to help you: iptables -L -vn:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
243K 381M DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
243K 381M DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
197K 365M ACCEPT all -- * br-mailcow 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
15103 986K DOCKER all -- * br-mailcow 0.0.0.0/0 0.0.0.0/0
30998 15M ACCEPT all -- br-mailcow !br-mailcow 0.0.0.0/0 0.0.0.0/0
14754 966K ACCEPT all -- br-mailcow br-mailcow 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.6 tcp dpt:8983
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.249 tcp dpt:6379
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.8 tcp dpt:3306
6 308 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.253 tcp dpt:587
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:12345
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:4190
3 156 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.253 tcp dpt:465
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:995
36 2064 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.253 tcp dpt:25
52 3097 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:993
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:143
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:110
239 14156 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.10 tcp dpt:443
13 680 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.10 tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
30998 15M DOCKER-ISOLATION-STAGE-2 all -- br-mailcow !br-mailcow 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
58M 28G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * br-mailcow 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
6285K 3056M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
183M 88G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
ip6tables -L -vn:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
51024 75M DOCKER-ISOLATION-STAGE-1 all * * ::/0 ::/0
39092 74M ACCEPT all * br-mailcow ::/0 ::/0 ctstate RELATED,ESTABLISHED
8922 618K DOCKER all * br-mailcow ::/0 ::/0
3010 454K ACCEPT all br-mailcow !br-mailcow ::/0 ::/0
8912 617K ACCEPT all br-mailcow br-mailcow ::/0 ::/0
0 0 ACCEPT all * docker0 ::/0 ::/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all * docker0 ::/0 ::/0
0 0 ACCEPT all docker0 !docker0 ::/0 ::/0
0 0 ACCEPT all docker0 docker0 ::/0 ::/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::e tcp dpt:587
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::f tcp dpt:4190
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::e tcp dpt:465
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::f tcp dpt:995
9 720 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::e tcp dpt:25
1 80 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::f tcp dpt:993
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::f tcp dpt:143
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::f tcp dpt:110
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::d tcp dpt:443
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::d tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
3010 454K DOCKER-ISOLATION-STAGE-2 all br-mailcow !br-mailcow ::/0 ::/0
0 0 DOCKER-ISOLATION-STAGE-2 all docker0 !docker0 ::/0 ::/0
13M 18G RETURN all * * ::/0 ::/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * br-mailcow ::/0 ::/0
0 0 DROP all * docker0 ::/0 ::/0
1009K 170M RETURN all * * ::/0 ::/0
iptables -L -vn -t nat:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
683K 36M DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8589 689K MASQUERADE all -- * !br-mailcow 172.22.1.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.22.1.6 172.22.1.6 tcp dpt:8983
0 0 MASQUERADE tcp -- * * 172.22.1.249 172.22.1.249 tcp dpt:6379
0 0 MASQUERADE tcp -- * * 172.22.1.8 172.22.1.8 tcp dpt:3306
0 0 MASQUERADE tcp -- * * 172.22.1.253 172.22.1.253 tcp dpt:587
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:12345
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:4190
0 0 MASQUERADE tcp -- * * 172.22.1.253 172.22.1.253 tcp dpt:465
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:995
0 0 MASQUERADE tcp -- * * 172.22.1.253 172.22.1.253 tcp dpt:25
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:993
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:143
0 0 MASQUERADE tcp -- * * 172.22.1.250 172.22.1.250 tcp dpt:110
0 0 MASQUERADE tcp -- * * 172.22.1.10 172.22.1.10 tcp dpt:443
0 0 MASQUERADE tcp -- * * 172.22.1.10 172.22.1.10 tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
112 6720 RETURN all -- br-mailcow * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:18983 to:172.22.1.6:8983
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:7654 to:172.22.1.249:6379
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:13306 to:172.22.1.8:3306
5 256 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 to:172.22.1.253:587
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 127.0.0.1 tcp dpt:19991 to:172.22.1.250:12345
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4190 to:172.22.1.250:4190
67 3996 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 to:172.22.1.253:465
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 to:172.22.1.250:995
37 2124 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:172.22.1.253:25
52 3097 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 to:172.22.1.250:993
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 to:172.22.1.250:143
0 0 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 to:172.22.1.250:110
241 14276 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:172.22.1.10:443
13 680 DNAT tcp -- !br-mailcow * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.22.1.10:80
ip6tables -L -vn -t nat:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4250 344K DOCKER all * * ::/0 ::/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all * * ::/0 !::1 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2403 238K MASQUERADE all * !br-mailcow fd4d:6169:6c63:6f77::/64 ::/0
0 0 MASQUERADE all * !docker0 fd00:dead:beef:c0::/80 ::/0
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:587
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:4190
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:465
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:995
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::e fd4d:6169:6c63:6f77::e tcp dpt:25
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:993
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:143
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::f fd4d:6169:6c63:6f77::f tcp dpt:110
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::d fd4d:6169:6c63:6f77::d tcp dpt:443
0 0 MASQUERADE tcp * * fd4d:6169:6c63:6f77::d fd4d:6169:6c63:6f77::d tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all br-mailcow * ::/0 ::/0
0 0 RETURN all docker0 * ::/0 ::/0
0 0 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:587 to:[fd4d:6169:6c63:6f77::e]:587
0 0 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::f]:4190
0 0 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:465 to:[fd4d:6169:6c63:6f77::e]:465
0 0 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:995 to:[fd4d:6169:6c63:6f77::f]:995
9 720 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:25 to:[fd4d:6169:6c63:6f77::e]:25
1 80 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:993 to:[fd4d:6169:6c63:6f77::f]:993
0 0 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:143 to:[fd4d:6169:6c63:6f77::f]:143
0 0 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:110 to:[fd4d:6169:6c63:6f77::f]:110
0 0 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:443 to:[fd4d:6169:6c63:6f77::d]:443
0 0 DNAT tcp !br-mailcow * ::/0 ::/0 tcp dpt:80 to:[fd4d:6169:6c63:6f77::d]:80
DNS problems? Please run docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254 (set the IP accordingly, if you changed the internal mailcow network) and post the output:
151.101.1.69
151.101.129.69
151.101.193.69
151.101.65.69
Yes, I executed docker-compose up -d with the following response:
mailcow_redis-mailcow_1 is up-to-date
mailcow_solr-mailcow_1 is up-to-date
mailcow_clamd-mailcow_1 is up-to-date
mailcow_olefy-mailcow_1 is up-to-date
mailcow_dockerapi-mailcow_1 is up-to-date
mailcow_unbound-mailcow_1 is up-to-date
mailcow_memcached-mailcow_1 is up-to-date
mailcow_sogo-mailcow_1 is up-to-date
mailcow_watchdog-mailcow_1 is up-to-date
mailcow_php-fpm-mailcow_1 is up-to-date
mailcow_mysql-mailcow_1 is up-to-date
mailcow_nginx-mailcow_1 is up-to-date
mailcow_postfix-mailcow_1 is up-to-date
mailcow_dovecot-mailcow_1 is up-to-date
mailcow_acme-mailcow_1 is up-to-date
mailcow_netfilter-mailcow_1 is up-to-date
mailcow_rspamd-mailcow_1 is up-to-date
mailcow_ofelia-mailcow_1 is up-to-date
By restarting mailcow with the commands docker-compose down and docker-compose up -d there are no changes to the certificate.
I just noticed that there are some new errors in the acme log which I did not acknowledge earlier:
acme-mailcow_1 | Sat Apr 23 21:41:23 CEST 2022 - Initializing, please wait...
acme-mailcow_1 | unable to load certificate
acme-mailcow_1 | 140653291170632:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
acme-mailcow_1 | unable to load certificate
acme-mailcow_1 | 140340223384392:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
acme-mailcow_1 | Sat Apr 23 21:41:45 CEST 2022 - Using existing domain rsa key /var/lib/acme/acme/key.pem
Ok, try this please:
cd /opt/mailcow-dockerized
touch data/assets/ssl/force_renew
docker-compose restart acme-mailcow
# Now check the logs for a renewal
docker-compose logs --tail=200 -f acme-mailcow
The error which I posted above is gone but the subdomains of my alias domain still does not show up anywhere in my logs. Do you know if this feature is even included in the code yet? By the way, I am very grateful for your quick replies!
Yeah wait a second... you are talking about alias domains arent you?
So those domains you can get mails to?
This won´t work.
As these Domains aren´t meant to be sending domains which clients can use in a mail client etc.
You can add this Domain normaly then these Certificates (autoconfig, autodiscover as well as the other two you mentioned) will work.
Ok, that answers the question then.
Even if it is not actually intended, it is possible to send e-mails from alias domains. I just tested this earlier. Would it be possible to include this as a feature request, i.e. that sending from alias domains is fully supported and that these are then also included in the certificate?
If this feature request is not accepted, at least the popup that appears after clicking on the blue DNS button should be changed so that the autoconfig / autodiscover domains are not recommended there.
This would be required also to make MTS-STS working correctly for alias domains. In this case this is not about sending mails but receiving. The sending mailserver wants to lookup mta-sts.domain.com. If domain.com is an alias domain MTA-STS will fail even if the policy is placed correctly because the certificate is not obtained for the alias domain.
I also had the same expectations as Lars and Felix. Any updates in this topic? Makes a lot of sense
