• Ggnulab

      Moolevel 3

    Hi,

    I have followed the instructions on this page: docs.mailcow.email, "Install Own SSL"

    but when I access mailcow or SOGo the browser still returns the expired SSL.

    Did a search for cert.pem and the result is:
    root@mail:~# find / -name "cert.pem"
    find: ‘/proc/272601’: No such file or directory
    /opt/mailcow-dockerized/data/assets/ssl/cert.pem
    /opt/mailcow-dockerized/data/assets/ssl/mail.abc.com/cert.pem

    so I proceeded to install the cert and key in both directories, ./ssl and ./ssl/mail.abc.com, and of course restarted docker, even restarted the whole machine, but it still fails.

    Not only does it affect accessing SOGo, because Firefox refuses to access sites with an expired certificate (I had to use incognito mode to bypass it), but accessing it using a mail client also comes up with an error.

    Where else should I be looking?

    Henry


      • running

          Moolevel 1

        The ssl directory is /opt/mailcow-dockerized/data/assets/ssl/
        This directory is also mapped via docker, and the names used in the configuration files are cert.pem, dhparams.pem and key.pem
        You might want to start by looking at the contents of the certificates

          • Ggnulab

              Moolevel 3

            running, yes, I meant I had copied both cert.pem and key.pem to these 2 folders:

            /opt/mailcow-dockerized/data/assets/ssl/
            /opt/mailcow-dockerized/data/assets/ssl/mail.abc.com/

            The names of cert.pem, dhparams.pem, key.pem are nowhere mentioned in the mailcow.conf. Are they supposed to be mentioned?

            The certificate and key are definitely valid, I had asked the vendor before posting the question here.

              • running

                  Moolevel 1

                gnulab
                You can rename your .pem file to cert.pem and your .key file to key.pem and put them in this directory: /opt/mailcow-dockerized/data/assets/ssl/

                dhparams.pem: this file is an intermediate certificate, which can be generated during installation and then put in this directory: /opt/mailcow-dockerized/data/assets/ssl/
                Then execute docker-compose up -d

                If you don’t use the /opt/mailcow-dockerized/data/assets/ssl/ directory, you’ll need to change the path to the certificate in all configuration files.

                You can check the nginx configuration in the /opt/mailcow-dockerized/data/conf/nginx directory if you are using the nginx provided by mailcow directly.

                Without the dhparams.pem file, you won’t be able to see the contents of your mailbox in webmail, so I don’t know what it does.

                • esackbauer

                  • Community Hero
                  Moolevel 372

                gnulab, have you enabled ENABLE_SSL_SNI=y?

                If it is set to n (which is the default), then you should not use the subdirectory with the domain name.
                And yes, how the cert files should be named is in the mailcow documentation (your link).
                Make sure they are in PEM format, and not DER/CER etc.

                  • running

                      Moolevel 1

                    esackbauer

                    Sorry, I’m using a wildcard domain certificate, so I don’t have the option to enable SNI.
                    When I log in to the management interface, it still prompts that the certificate is not trusted. I log in to the management interface through an IP address, and access it through an external reverse proxy during normal use.

                    • DocFraggle

                      • Community Hero
                      Moolevel 278

                    gnulab: "restart docker, even went to restart the whole machine but still fail."

                    That’s not enough. You have to

                    docker compose down
                    docker compose up -d
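The checks the replies above ask for (running: look at the contents of the certificates; esackbauer: PEM not DER/CER, and SNI; DocFraggle: recreate the containers and confirm the server now serves the new cert) can be scripted. The following is an added example, not code from this thread or from the mailcow project. It assumes the openssl CLI (1.1.1 or newer) is installed on the host; the directory and hostname are passed as arguments, and mail.abc.com is only the placeholder domain used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the mailcow project): sanity checks for
# the cert.pem / key.pem / dhparams.pem files mailcow reads from
# data/assets/ssl/, plus a way to compare the on-disk certificate with the one
# the running nginx actually serves. Requires the openssl CLI.

# 0 if the file is PEM-encoded; a binary DER/CER file fails this check.
is_pem() {
    grep -q -- '-----BEGIN' "$1" 2>/dev/null
}

# 0 if the certificate's notAfter date is still in the future.
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 0 if the private key in $2 belongs to the certificate in $1. Both commands
# print the public key (SubjectPublicKeyInfo) as PEM, so comparing the two
# strings byte for byte is sufficient.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if host $2 is covered by a DNS SAN of certificate $1, either exactly or by a
# single-level wildcard. Browsers and mail clients ignore the Subject CN, so
# only the SAN extension is consulted.
cert_covers_host() {
    host=$2
    parent=${host#*.}
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *DNS://' \
        | grep -qxF -e "$host" -e "*.$parent"
}

# SHA-256 fingerprint of a certificate file (hex, colon separated).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the certificate served for host $1 on port $2
# (default 443). -servername sends SNI, which is what selects the per-domain
# subdirectory when ENABLE_SSL_SNI=y.
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Run every file check for one ssl directory and hostname; returns 0 only if
# all of them pass.
check_ssl_dir() {
    dir=$1; host=$2; rc=0
    for f in cert.pem key.pem dhparams.pem; do
        is_pem "$dir/$f" && echo "ok   $f is PEM" || { echo "FAIL $f missing or not PEM"; rc=1; }
    done
    cert_valid_now "$dir/cert.pem" && echo "ok   cert.pem not expired" \
        || { echo "FAIL cert.pem expired"; rc=1; }
    key_matches_cert "$dir/cert.pem" "$dir/key.pem" && echo "ok   key.pem matches cert.pem" \
        || { echo "FAIL key.pem does not belong to cert.pem"; rc=1; }
    cert_covers_host "$dir/cert.pem" "$host" && echo "ok   cert covers $host" \
        || { echo "FAIL cert has no SAN for $host"; rc=1; }
    return $rc
}

# Stand-alone use: sh check_ssl.sh /opt/mailcow-dockerized/data/assets/ssl mail.abc.com
# After `docker compose down && docker compose up -d` the two fingerprints
# printed here must be identical; if they differ, nginx is still serving the
# old certificate.
if [ -n "${2:-}" ]; then
    check_ssl_dir "$1" "$2"
    echo "on disk : $(cert_fingerprint "$1/cert.pem")"
    echo "served  : $(served_fingerprint "$2")"
fi
```

The fingerprint comparison is the decisive test for the situation in this thread: a valid file on disk with a stale fingerprint on the wire means the containers were not recreated, not that the certificate is wrong.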