Comments (16)
Ready, I only had to restart the front container.
from mailu.
Hi @kaiyou and everybody. Sorry if it's not the place to post this, but my cert just expired today; what is the best procedure to renew it?
Thanks in advance.
from mailu.
After some thinking, there are two main options for automating Letsencrypt certificate generation:
- either create a new Docker image and an entry to Docker-Compose;
- or insert something in the admin container.
The first option is more Docker-friendly: certbot is a long running process and would fit in a container. But it would also require some mechanism to restart other containers properly, thus access to the Docker socket.
Also, it will become necessary at some point that users can restart containers and regenerate certificates through the admin interface. Although it is not natural to fork a long-time running process in a container, it still sounds like the best solution here.
from mailu.
This library sounds nice: https://github.com/agronholm/apscheduler
from mailu.
Another option would be to move all the tasks to a separate container running Celery (and maybe Beats). Loaded handlers would include every Freeposte related task and the container would be responsible for scheduling things.
The existing redis container would be used as a broker and the scheduler would handle all non-synchronous tasks. The sqlite database would still be shared for updates.
With such a scheme, all Docker-related operations would be moved as tasks. Remaining question: how should we share models between both containers?
from mailu.
For Milestone 1.4, we will go with the in-app scheduler on the admin interface side. The solution is quick and dirty but will do while awaiting a more structured architecture for the whole project.
from mailu.
Certificate generation using certbot on Python3 seems broken for now, just pushed this, awaiting review: certbot/certbot#3757
from mailu.
Just pushed a first version of the letsencrypt certification generation, feel free to test and provide feedback once the builds are available.
from mailu.
Still an issue: when no certificate is available, nginx will not start and Certbot will fail. Some work is probably required on the Nginx configuration.
from mailu.
@kaiyou how could I test this? thanks
from mailu.
If you already have a certificate setup and you set the `ENABLE_CERTBOT` variable in your env file, it should work fine on `latest`. Remaining problem is bootstrapping: nginx won't start if no certificate is available, so use a snakeoil certificate for now.
from mailu.
This still has some problems.
- Requires HTTP port to be open in order to update cert. Maybe have an option for custom ports if not wanting to use the HTTP with the reverse proxy? I do not want the HTTP server to be public, but I am fine with letting Mailu run certbot for me on this server.
- Was able to restart mailu/admin and get generated certs, but the certs weren't being moved / linked into place. Looks like you may be trying to delete files before they exist? Copying the certs into place then restarting containers made the admin interface function normally (although it looks like nginx is working with default config now, another issue - EDIT: fixed by docker-compose down, docker-compose up -d).
- The cert symlinks are absolute, not relative, so they fail to resolve on the host filesystem.
```
[2017-02-03 05:09:48 +0000] [17] [INFO] Starting gunicorn 19.6.0
[2017-02-03 05:09:48 +0000] [17] [INFO] Listening at: http://0.0.0.0:80 (17)
[2017-02-03 05:09:48 +0000] [17] [INFO] Using worker: sync
[2017-02-03 05:09:48 +0000] [20] [INFO] Booting worker with pid: 20
[2017-02-03 05:09:48 +0000] [21] [INFO] Booting worker with pid: 21
[2017-02-03 05:09:48 +0000] [22] [INFO] Booting worker with pid: 22
[2017-02-03 05:09:48 +0000] [23] [INFO] Booting worker with pid: 23
Job "generate_cert (trigger: date[2017-02-03 05:09:49 UTC], next run at: 2017-02-03 05:09:49 UTC)" raised an exception
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/apscheduler/executors/base.py", line 125, in run_job
    retval = job.func(*job.args, **job.kwargs)
  File "/app/mailu/certbot.py", line 67, in generate_cert
    if certbot_install(hostname):
  File "/app/mailu/certbot.py", line 35, in certbot_install
    os.unlink(cert)
FileNotFoundError: [Errno 2] No such file or directory: '/certs/cert.pem'
Job "generate_cert (trigger: date[2017-02-03 05:09:49 UTC], next run at: 2017-02-03 05:09:49 UTC)" raised an exception
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/apscheduler/executors/base.py", line 125, in run_job
    retval = job.func(*job.args, **job.kwargs)
  File "/app/mailu/certbot.py", line 67, in generate_cert
    if certbot_install(hostname):
  File "/app/mailu/certbot.py", line 35, in certbot_install
    os.unlink(cert)
FileNotFoundError: [Errno 2] No such file or directory: '/certs/cert.pem'
Job "generate_cert (trigger: date[2017-02-03 05:09:49 UTC], next run at: 2017-02-03 05:09:49 UTC)" raised an exception
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/apscheduler/executors/base.py", line 125, in run_job
    retval = job.func(*job.args, **job.kwargs)
  File "/app/mailu/certbot.py", line 67, in generate_cert
    if certbot_install(hostname):
  File "/app/mailu/certbot.py", line 35, in certbot_install
    os.unlink(cert)
FileNotFoundError: [Errno 2] No such file or directory: '/certs/cert.pem'
Job "generate_cert (trigger: date[2017-02-03 05:09:49 UTC], next run at: 2017-02-03 05:09:49 UTC)" raised an exception
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/apscheduler/executors/base.py", line 125, in run_job
    retval = job.func(*job.args, **job.kwargs)
  File "/app/mailu/certbot.py", line 67, in generate_cert
    if certbot_install(hostname):
  File "/app/mailu/certbot.py", line 35, in certbot_install
    os.unlink(cert)
FileNotFoundError: [Errno 2] No such file or directory: '/certs/cert.pem'
INFO  [alembic.runtime.migration] Context impl SQLiteImpl.
INFO  [alembic.runtime.migration] Will assume non-transactional DDL.
```
from mailu.
- I will simply try and use a temporary self-signed certificate with only letsencrypt enabled instead of HTTP
- You are right about the nginx config, that's a dummy mistake on my side
- Is this really an issue? I will try and switch to relative symlinks however
from mailu.
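The two symlink problems raised in the bug report above (unlinking `/certs/cert.pem` before it exists on a fresh volume, and absolute link targets that do not resolve once the volume is mounted elsewhere) and the relative-symlink fix the maintainer proposes in reply can be shown in one small routine. This is an added example, not Mailu's `certbot.py`: the function name `install_cert`, the `letsencrypt/live/<hostname>/` layout under the certs directory, and the hostname `mail.example.test` are assumptions for illustration, and the "certificate" files it writes are constructed placeholders, not real PEM material.

```python
import os
import tempfile

# Names of the links a TLS consumer such as nginx is assumed to read
# from the certs directory (mirrors the '/certs/cert.pem' path in the traceback).
LINK_NAMES = ("cert.pem", "key.pem")


def install_cert(certs_dir, hostname, live_names=("fullchain.pem", "privkey.pem")):
    """Point certs_dir/cert.pem and certs_dir/key.pem at the live files for
    hostname using relative symlinks. Safe on a first run (no link yet),
    on renewal (link present) and when a stale dangling link is left behind.
    Returns the relative targets that were written."""
    # Assumed layout: live files sit beneath certs_dir in a per-host directory.
    live_dir = os.path.join(certs_dir, "letsencrypt", "live", hostname)
    targets = []
    for link_name, live_name in zip(LINK_NAMES, live_names):
        link = os.path.join(certs_dir, link_name)
        target = os.path.join(live_dir, live_name)
        if not os.path.exists(target):
            # Never leave the consumer pointing at nothing: refuse before touching links.
            raise FileNotFoundError(f"live certificate file missing: {target}")
        # lexists() rather than exists(): a dangling symlink must be replaced too,
        # and a missing link is skipped instead of raising like the traceback above.
        if os.path.lexists(link):
            os.unlink(link)
        # Relative target: the link keeps resolving when certs_dir is bind-mounted
        # at a different path on the host or inside another container.
        rel_target = os.path.relpath(target, start=certs_dir)
        os.symlink(rel_target, link)
        targets.append(rel_target)
    return targets


def demo():
    """Exercise bootstrap, stale-link and renewal cases in a temporary certs dir.
    Returns (first_targets, second_targets, link_is_relative, link_resolves)."""
    hostname = "mail.example.test"  # constructed hostname
    with tempfile.TemporaryDirectory() as certs_dir:
        live_dir = os.path.join(certs_dir, "letsencrypt", "live", hostname)
        os.makedirs(live_dir)
        for name in ("fullchain.pem", "privkey.pem"):
            with open(os.path.join(live_dir, name), "w") as fh:
                fh.write(f"constructed placeholder for {name}\n")  # not real PEM
        # Stale dangling link left over from an earlier, failed attempt.
        os.symlink("does-not-exist.pem", os.path.join(certs_dir, "cert.pem"))
        first = install_cert(certs_dir, hostname)    # bootstrap: key.pem absent, cert.pem dangling
        second = install_cert(certs_dir, hostname)   # renewal: both links already present
        cert_link = os.path.join(certs_dir, "cert.pem")
        link_is_relative = not os.path.isabs(os.readlink(cert_link))
        link_resolves = os.path.realpath(cert_link) == os.path.realpath(
            os.path.join(live_dir, "fullchain.pem"))
        return first, second, link_is_relative, link_resolves


if __name__ == "__main__":
    print(demo())
```

Refusing to touch the links when a live file is missing is deliberate: a renewal job that half-installs a certificate leaves nginx with a key that does not match the chain, which is harder to diagnose than a job that fails loudly and leaves the previous pair in place.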
-
Then that also requires HTTPS to be open. In my case that will work, but what about the case where there is no public web interface? Perhaps an option for http or https (for nginx reverse proxy), or other port (certbot direct) in .env would be best.
-
The issue with the cert symlinks is minor, but considering these files are fixed in position and the targets are in directories beneath them, they should be relative. It's really an issue if other services (such as external webserver) use Mailu certbot to update certs and they want to use these symlinks. Honestly though I think most would implement this the other way around.
from mailu.
-
I see your point, I will create a separate issue for this as one could also wish to use TLS-SNI on the SMTP port for instance. Some thinking required, maybe in 2.0 we'll have the proper flexibility for this.
-
I will fix this one before closing, and finally tagging 1.4 :)
from mailu.
Hey, is the auto-renew cert issue solved by now? Just a newbie.
from mailu.