App issue: Poste.io TLS/SSL Cert #1113

Open
amirsaam opened this issue Jun 11, 2024 · 5 comments

Comments

@amirsaam
Contributor

amirsaam commented Jun 11, 2024

Hello,

While I did read #231 (suggestion comments 1 and 2) and followed them, there are some issues.

  1. If I use the CapRover built-in SSL/TLS certbot (HTTPS = OFF) and map those certs to the Poste.io certs, the panels would have certs, but because Poste.io is a mail server and I need to connect multiple domains to it, some/most apps would decline this cert with this error:
"errors": [{
    "message": "Failed to send email. Reason: Hostname/IP does not match certificate's altnames: Host: cnameToMailserverHostname. is not in the cert's altnames: DNS:caproverMailAppDomain"
}]

So I tried to issue the cert while this option is used and did use Poste.io Let's Encrypt and I got this error:

[2024-06-11T16:23:44.999805+03:30] LEScript.INFO: ACME Client: analogic-lescript/0.3.0
[2024-06-11T16:23:45.000184+03:30] LEScript.INFO: Getting list of URLs for API
[2024-06-11T16:23:45.772972+03:30] LEScript.INFO: Requesting new nonce for client communication
[2024-06-11T16:23:46.713963+03:30] LEScript.INFO: Account already registered. Continuing.
[2024-06-11T16:23:46.714197+03:30] LEScript.INFO: Sending registration to letsencrypt server
[2024-06-11T16:23:46.754782+03:30] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-acct
[2024-06-11T16:23:47.567543+03:30] LEScript.INFO: Account: https://acme-v02.api.letsencrypt.org/acme/acct/1775326667
[2024-06-11T16:23:47.567803+03:30] LEScript.INFO: Starting certificate generation process for domains
[2024-06-11T16:23:47.568423+03:30] LEScript.INFO: Requesting challenge for mailServerHostname, altDomain1, altDomain2, altDomain3, altDomain4
[2024-06-11T16:23:47.602837+03:30] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-order
[2024-06-11T16:23:48.498814+03:30] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/362511700727
[2024-06-11T16:23:49.296632+03:30] LEScript.INFO: Got challenge token for altDomain3
[2024-06-11T16:23:49.297144+03:30] LEScript.INFO: Token for altDomain3 saved at /opt/www//.well-known/acme-challenge/hTGWY-8X0vw50sa36wwX-EWQdIRhiSB_mCj0S3xxVbw and should be available at http://altDomain3/.well-known/acme-challenge/hTGWY-8X0vw50sa36wwX-EWQdIRhiSB_mCj0S3xxVbw
[2024-06-11T16:23:49.297200+03:30] LEScript.INFO: Sending request to challenge
[2024-06-11T16:23:49.320815+03:30] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/362511700727/t4uCkA
[2024-06-11T16:23:50.132799+03:30] LEScript.INFO: Verification pending, sleeping 1s
[2024-06-11T16:23:51.166831+03:30] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/362511700727/t4uCkA
[2024-06-11T16:23:51.977315+03:30] LEScript.ERROR: 400 {   "type": "urn:ietf:params:acme:error:malformed",   "detail": "Unable to update challenge :: authorization must be pending",   "status": 400 }
[2024-06-11T16:23:51.977527+03:30] LEScript.ERROR: #0 /opt/admin/vendor/analogic/lescript/Lescript.php(580): Analogic\ACME\Client->curl()
[2024-06-11T16:23:51.977616+03:30] LEScript.ERROR: #1 /opt/admin/vendor/analogic/lescript/Lescript.php(448): Analogic\ACME\Client->post()
[2024-06-11T16:23:51.977677+03:30] LEScript.ERROR: #2 /opt/admin/vendor/analogic/lescript/Lescript.php(164): Analogic\ACME\Lescript->signedRequest()
[2024-06-11T16:23:51.977728+03:30] LEScript.ERROR: #3 /opt/admin/src/Base/Handler/LeHandler.php(62): Analogic\ACME\Lescript->signDomains()
[2024-06-11T16:23:51.977814+03:30] LEScript.ERROR: #4 /opt/admin/src/Base/Controller/LeController.php(71): App\Base\Handler\LeHandler->renew()
[2024-06-11T16:23:51.977892+03:30] LEScript.ERROR: #5 /opt/admin/vendor/symfony/http-kernel/HttpKernel.php(163): App\Base\Controller\LeController->issueAction()
[2024-06-11T16:23:51.977956+03:30] LEScript.ERROR: #6 /opt/admin/vendor/symfony/http-kernel/HttpKernel.php(75): Symfony\Component\HttpKernel\HttpKernel->handleRaw()
[2024-06-11T16:23:51.978003+03:30] LEScript.ERROR: #7 /opt/admin/vendor/symfony/http-kernel/Kernel.php(202): Symfony\Component\HttpKernel\HttpKernel->handle()
[2024-06-11T16:23:51.978051+03:30] LEScript.ERROR: #8 /opt/admin/public/index.php(27): Symfony\Component\HttpKernel\Kernel->handle()
[2024-06-11T16:23:51.978132+03:30] LEScript.ERROR: #9 {main}

Note: even if I use the CapRover SSL cert and map it, because it is for the app name and not the hostname of the mail server, the mentioned issue would still be there. I need alt names for the other domains and for the hostname itself, and I also cannot connect the mail server hostname to the app directly; I don't know why, in this structure:

  • App domain is: appname.caproverRoot.name.domain
  • My hostname is: mail.name.domain
  • When I want to connect this domain to the app I get "1107 : Verification Failed." while I do have a DNS record pointing to the IP of the server.
    Also, I don't think this is the issue, because even the Poste.io demo website structure is like this:
  • App address is demo.poste.io
  • Mail hostname is mail.poste.io
  2. If I choose to use HTTPS = blank and let Poste.io handle the SSL/TLS certs, and remove both
 # Used by Lets Encrypt
 location /.well-known/acme-challenge/ {
     root <%-s.staticWebRoot%>;
 }

(as mentioned in comment number 1 of the mentioned issue) from the Nginx config of the app, no matter what, the app won't run, and if I open the domain CapRover/Nginx will show the "Nothing is here yet" page.

Another problem is that the instructions that show up after installation of Poste.io look like they only apply to the HTTPS = OFF option, with no mention of how to handle HTTPS = blank.

I'll appreciate any help,
Regards.
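The "Hostname/IP does not match certificate's altnames" error above is the client-side SAN check every TLS client performs before trusting a mail server's certificate. The following is an added example, not code from the issue, CapRover or Poste.io: it reimplements that check (exact match or a single left-most wildcard label, per RFC 6125) and lists which of the names clients actually connect with are missing from a certificate. The host and SAN values are constructed stand-ins for the placeholders used in the issue.

```python
"""Reproduce the SAN check behind the "does not match certificate's altnames" error.

Constructed example: the alt-name and host lists are made up; the matching
rules are the RFC 6125 ones that TLS clients apply (exact dNSName match, or a
wildcard that covers exactly the left-most label).
"""
from typing import List, Optional


def _normalize(name: str) -> str:
    # DNS names are case-insensitive, and a trailing dot marks an absolute
    # FQDN (compare "cnameToMailserverHostname." in the quoted error); strip
    # it so the comparison is on labels only.
    return name.strip().rstrip(".").lower()


def _san_matches(pattern: str, host: str) -> bool:
    """Does one dNSName SAN entry cover this host name?"""
    pattern, host = _normalize(pattern), _normalize(host)
    if pattern == host:
        return True
    # A wildcard must be the whole left-most label, must leave at least two
    # labels to its right (so "*.com" is rejected), and covers exactly one
    # label: "*.name.domain" matches "mail.name.domain" but neither
    # "a.mail.name.domain" nor the parent "name.domain".
    if pattern.startswith("*.") and pattern.count(".") >= 2:
        host_labels = host.split(".")
        return len(host_labels) >= 2 and ".".join(host_labels[1:]) == pattern[2:]
    return False


def check_server_identity(host: str, alt_names: List[str]) -> Optional[str]:
    """None if the host is covered by the SANs, else a message shaped like the one quoted above."""
    if any(_san_matches(san, host) for san in alt_names):
        return None
    return ("Hostname/IP does not match certificate's altnames: Host: %s is not in "
            "the cert's altnames: %s" % (host, ", ".join("DNS:%s" % n for n in alt_names)))


def missing_altnames(needed_hosts: List[str], alt_names: List[str]) -> List[str]:
    """Names a certificate would still need so every host clients use (mail hostname,
    per-domain CNAMEs) passes the identity check."""
    return [h for h in needed_hosts if check_server_identity(h, alt_names) is not None]


if __name__ == "__main__":
    cert_sans = ["mail.caproverRoot.name.domain"]          # constructed: what CapRover issued
    client_hosts = ["mail.name.domain.", "smtp.otherdomain.tld"]  # constructed: what clients dial
    print(check_server_identity(client_hosts[0], cert_sans))
    print("missing SANs:", missing_altnames(client_hosts, cert_sans))
```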

@amirsaam
Contributor Author

So, a funny thing.
If I change the domain to the CapRover Poste.io app name in the TLS cert page of Poste.io, it can successfully issue the cert for the app domain! But I cannot access it with HTTPS; this doesn't matter, though, because we already could issue the cert for the app domain in the CapRover panel.
Does CapRover install apps in a network=host environment, as said in this instruction in the Poste.io docs? And also, do we show Poste.io the correct well-known folder?
[Screenshot 1403-03-22 at 23:29:00 (image not included)]

@coffseducation

If I change the domain to the caprover poste.io app name in the tls cert page of poste.io

Could you elaborate on this please?

@amirsaam
Contributor Author

@coffseducation The CapRover app domain for Poste.io, for example: mail.caproverRoot.name.domain

@amirsaam
Contributor Author

OK, with more exploration of the Poste.io docs I found this in its FAQs:

Q: I want to use my port 80 for a reverse proxy (Nginx)

A: Poste only needs to use port 80 for Let's Encrypt authentication; you can easily remap the HTTP port with Docker to another one if you don't want to use LE. Otherwise you should map the /opt/www/.well-known folder on your web server to the /.well-known relative path.
Example of a special case where you want to use Dockerized NGiNX with the LE Companion and Poste with LE:

version: '3'

services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    labels:
        com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    container_name: nginx-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /data/nginx/conf.d:/etc/nginx/conf.d
      - /data/nginx/vhost.d:/etc/nginx/vhost.d
      - /data/nginx/html:/usr/share/nginx/html
      - /data/nginx/certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro

  nginx-letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nginx-letsencrypt
    restart: unless-stopped
    volumes:
      - /data/nginx/conf.d:/etc/nginx/conf.d
      - /data/nginx/vhost.d:/etc/nginx/vhost.d
      - /data/nginx/html:/usr/share/nginx/html
      - /data/nginx/certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - NGINX_DOCKER_GEN_CONTAINER=nginx-proxy
      - NGINX_PROXY_CONTAINER=nginx-proxy

  mailserver:
    image: poste.io/mailserver:dev
    container_name: mailserver
    restart: unless-stopped
    ports:
      - "25:25"
      - "110:110"
      - "143:143"
      - "587:587"
      - "993:993"
      - "995:995"
      - "4190:4190"
    environment:
      - [email protected]
      - LETSENCRYPT_HOST=mail.poste.io
      - VIRTUAL_HOST=mail.poste.io
      - HTTPS=OFF
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /data/nginx/html/.well-known:/opt/www/.well-known
      - /data/mailserver:/data

How do we handle /data/nginx/html/.well-known:/opt/www/.well-known in Poste.io's One-Click App?

@amirsaam
Contributor Author

Any suggestion from the original author? @ronaldloyko
