custom certificate not working - old certificates still used

WolfTongue

Hello,

I want to use my own reverse proxy which is working perfectly fine with my mailcow webinterfaces. The only thing is about the certificates.

I followed the steps described here: https://docs.mailcow.email/post_installation/firststeps-ssl/#how-to-use-your-own-certificate

disable letsencrypt
keep track about your own cert.pem and key.pem (using fullchain.pem and privkey.pem from issued letsencrypt cert of my reverse proxy)
restart postfix, nginx and dovecot

Right now it somehow uses my old certificate which was made by LetsEncrypt and should expire end of this month. Somehow it is not switching to the new one and I really need help here.

Things I discovered:

postfix uses /etc/ssl/certs/ssl-cert-snakeoil.pem (and same name but .key) which is still the old certificate (no idea where this is put in from)
working old letsencrypt cert is SHA256withRSA and new is SHA384withECDSA

Things I did:

full restart docker compose down and docker compose up -d
server restart
verified that the cert name and alt names are the same (they are even in correct order)

I checked log files but I was unable to discover errors. All services are up and running but all are using the old certificate. Can someone please help me why it is not working?

esackbauer

WolfTongue keep track about your own cert.pem and key.pem

What do you mean with “keep track”? those files have to be copied from the reverse proxy (not linked!) and have to use exactly these names.

WolfTongue

I am using a script which is exactly doing the same as the post hook script from the documentation: https://docs.mailcow.email/post_installation/reverse-proxy/r_p/#optional-post-hook-script-for-non-mailcow-acme-clients

It copies the files so that there is a cert.pem and a key.pem. I checked both and both are perfectly fine. I checked the postfix-mailcow container and they get correctly mounted into /etc/ssl/mail with the correct content (can be access from within the container). Also the permissions seem to be fine: key.pem is 600 and cert.pem is 644

esackbauer

Mailcow keeps using the default “snakeoil” certificates if the replacement process is incomplete, or if the correct filenames, permissions, or container reloads are missing after copying custom certificates to /data/assets/ssl
Check if all SAN names required are included in the LE cert from the proxy (e.g. also autodiscover, autoconfig as indicated in DNS requirements.

WolfTongue

esackbauer Thx for the fast feedback.
The DNS entries are fine, one SRV was missing so it was a good hint. But all in all it did not change anything unfortunately. I used the proposed tests which passed all so it should be fine

Can it be that an RSA certificate is needed and ECDSA is just not working? Also do you know where to find the snakeoil implementation than I could read through the code