mailcow-dockerized
Please add full chain SSL certificate for LetsEncrypt
Contribution guidelines
- [X] I've read the contribution guidelines and wholeheartedly agree
I've found a bug and checked that ...
- [X] ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
- [X] ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
- [X] ... I have understood that answers are voluntary and community-driven, and not commercial support.
- [X] ... I have verified that my issue has not been already answered in the past. I also checked previous issues.
Description
Letsencrypt changed the way they sign certificates. More info: https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html. Since that change, some systems, e.g. Mail on iPhone, refuse Letsencrypt certificates.
I have a PR which fixes the problem, and will attach it to this issue.
Logs
The problem appears on the client side before any logs can be generated.
Steps to reproduce
- Install a Letsencrypt certificate
- Connect to IMAP/website with an iPhone
- Note the invalid SSL certificate warning
System information
Question | Answer |
---|---|
My operating system | Ubuntu 20.04 |
Is Apparmor, SELinux or similar active? | No |
Virtualization technology (KVM, VMware, Xen, etc - LXC and OpenVZ are not supported) | It's a VM running Docker |
Server/VM specifications (Memory, CPU Cores) | 4 GB memory, 2 VCPU |
Docker version (docker version) | Docker version 20.10.12, build e91ed57 |
docker-compose version (docker-compose version) | docker-compose version 1.29.2, build 5becea4c |
mailcow version (git describe --tags `git rev-list --tags --max-count=1`) | 2022-05d |
Reverse proxy (custom solution) | not sure what this is |
Output of git diff origin/master, any other changes to the code? If so, please post them:
No changes
All third-party firewalls and custom iptables rules are unsupported. Please check the Docker docs about how to use Docker with your own ruleset. Nevertheless, iptables output can help us to help you: iptables -L -vn:
ip6tables -L -vn:
iptables -L -vn -t nat:
ip6tables -L -vn -t nat:
DNS problems? Please run docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254 (set the IP accordingly, if you changed the internal mailcow network) and post the output:
151.101.65.69
151.101.129.69
151.101.1.69
151.101.193.69
Hi, there is no fullchain.pem in mailcow as cert.pem is the fully chained certificate.
Please do not push untested to master.
> Hi, there is no fullchain.pem in mailcow as cert.pem is the fully chained certificate.
There is a cert.pem and a fullchain.pem. I'm assuming they were generated by certbot, and then something in mailcow chooses one to symlink.
```
cd data/assets/ssl
ls -l key.pem cert.pem
lrwxrwxrwx 1 root root 32 May 29 06:25 cert.pem -> live/my.domain.com/cert.pem
lrwxrwxrwx 1 root root 35 May 29 06:25 key.pem -> live/my.domain.com/privkey.pem
cd live/my.domain.com
ls -l
total 4
lrwxrwxrwx 1 root root 42 May 29 06:25 cert.pem -> ../../archive/my.domain.com/cert5.pem
lrwxrwxrwx 1 root root 43 May 29 06:25 chain.pem -> ../../archive/my.domain.com/chain5.pem
lrwxrwxrwx 1 root root 47 May 29 06:25 fullchain.pem -> ../../archive/my.domain.com/fullchain5.pem
lrwxrwxrwx 1 root root 45 May 29 06:25 privkey.pem -> ../../archive/my.domain.com/privkey5.pem
-rw-r--r-- 1 root root 692 Sep 29 2021 README
diff cert.pem fullchain.pem | wc -l
62
```
README says about cert.pem: will break many server configurations, and should not be used
README says about fullchain.pem: the certificate file used in most server software.
> Please do not push untested to master.
Your contribution guidelines are silent on this. Tell me which branch.
No, we are using acme-tiny https://github.com/mailcow/mailcow-dockerized/blob/master/data/Dockerfiles/acme/Dockerfile#L19
Hmm... I'm not sure how all those things got in there. I don't think I did that. Do you all see the same that I am seeing? That is: cert.pem, fullchain.pem, and the README saying to use fullchain.pem?
One possibility instead of changing the code via PR #4615 might be to change the cert.pem symlink in data/assets/ssl to point to fullchain.pem. However I don't know how that file got there either. Is it generated by code somewhere within the Mailcow docker-compose cluster?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Remains an issue, please do not close
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
bump
We include it of course. It wouldn't work if we didn't.
You are only checking the filename, aren't you? Check the content.
> We include it of course. It wouldn't work if we didn't.
> You are only checking the filename, aren't you? Check the content.
That's exactly my point. It was a symlink for me, and it didn't work. Then I manually re-linked to fullchain.pem and it did work.
Is this not reproducible by/for anyone else?
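An added check for the two points argued above (the cert.pem / chain.pem / fullchain.pem layout, and "check the content, not the filename"); this is example code, not mailcow's or certbot's own. It splits each PEM file into its certificate blocks and reports whether the file that ends up being served carries only the leaf, which is what a client that does not already hold the new intermediate trips over. The sample blocks are constructed placeholders: only the PEM armour is inspected.

```python
import re
import sys

# One PEM certificate block, BEGIN/END armour included.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----", re.DOTALL
)


def split_pem(text):
    """Return the certificate blocks of a PEM file, in file order, LF-normalised."""
    return [m.group(0).replace("\r\n", "\n") for m in PEM_CERT_RE.finditer(text)]


def has_full_chain(pem_text):
    """True when the file carries the leaf plus at least one intermediate."""
    return len(split_pem(pem_text)) >= 2


def check_chain_files(cert_pem, chain_pem, fullchain_pem):
    """Compare certbot-style cert/chain/fullchain files by content, not by name."""
    cert, chain, full = split_pem(cert_pem), split_pem(chain_pem), split_pem(fullchain_pem)
    return {
        "cert_blocks": len(cert),
        "chain_blocks": len(chain),
        "fullchain_blocks": len(full),
        # A one-block cert.pem is served without the intermediate: exactly the
        # case in which a client that does not already hold the intermediate fails.
        "leaf_only": len(cert) == 1,
        # fullchain must be the leaf followed by the intermediates, in that order.
        "fullchain_consistent": len(cert) == 1 and full == cert + chain,
    }


# Constructed placeholder blocks for an offline run (not real certificate data).
def _fake_block(fill):
    return "-----BEGIN CERTIFICATE-----\n" + fill * 64 + "\n-----END CERTIFICATE-----\n"


SAMPLE_CERT = _fake_block("L")                 # leaf only
SAMPLE_CHAIN = _fake_block("I")                # intermediate only
SAMPLE_FULLCHAIN = SAMPLE_CERT + SAMPLE_CHAIN  # leaf + intermediate

if __name__ == "__main__":
    # Usage: python check_chain.py cert.pem chain.pem fullchain.pem
    if len(sys.argv) == 4:
        texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:4]]
    else:
        texts = [SAMPLE_CERT, SAMPLE_CHAIN, SAMPLE_FULLCHAIN]
    for key, value in check_chain_files(*texts).items():
        print(f"{key}: {value}")
```

Run it against the targets of the symlinks under data/assets/ssl (or whatever the server actually serves) rather than against the names; a `leaf_only: True` result for the served file reproduces the situation described in the thread.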
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Bump
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
bump
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.