TLS CERT CADDY

[mredodos]

I have read a lot of issue and post about that, but which is the best way to copy/share/use cert from caddy?

[willpower232]

I think this is the best summary I've seen of it #2626 (comment)

[mredodos]

thx.

this is one of the issue i had read, but its not better mount a volume in postal shared with caddy when we install postal?
the concept of copying manually and making a cronjob that continuously copies it does not seem to me to be a "correct" technique, or am I talking nonsense?

[willpower232]

Copying the files is usually easier to avoid any issues when links are used.

Some software needs restarting to follow the new link to the real file contents but also the software probably keeps the file contents in memory anyway so might not be able to avoid restarting.

The automated certificates as usually replaced a month before they expire so either way the workers need restarting every few months.

What you've done below sounds like it will make sense, I guess you have to set a reminder in your calendar to check in in 2.5 months and see what certificate Postal is using.

[mredodos]

while we maybe work out a better method here is a little guide on how to copy and keep certificates up to date.

Monitoring and Updating Postal Certificates

1. Install inotify-tools

Install the toolset which provides inotifywait, used to monitor certificate changes.

sudo apt-get update
sudo apt-get install inotify-tools

2. Create the Monitoring Script

Make a script named monitor_certs.sh:

nano /opt/postal/monitor_certs.sh

Insert the following code:

#!/bin/bash

CERT_DIR="/opt/postal/caddy-data/caddy/certificates/acme.zerossl.com-v2-dv90/YOURDOMAIN/"
CERT_FILE="${CERT_DIR}YOURDOMAIN.crt"
KEY_FILE="${CERT_DIR}YOURDOMAIN.key"

while true; do
    inotifywait -e modify "$CERT_FILE" "$KEY_FILE"

    # Copy the certificates to Postal's configuration directory
    cp "$CERT_FILE" /opt/postal/config/smtp.crt
    cp "$KEY_FILE" /opt/postal/config/smtp.key

    # Adjust permissions to ensure Postal can read the certificates
    chmod o+r /opt/postal/config/smtp.*

    # Restart Postal to use the new certificates
    postal stop && sleep 15 && postal start
done

Make the script executable:

chmod +x /opt/postal/monitor_certs.sh

3. Create a systemd Service

Make a systemd service file:

sudo nano /etc/systemd/system/monitor_certs.service

Insert the following content:

[Unit]
Description=Monitor Caddy Certificates for Postal

[Service]
ExecStart=/opt/postal/monitor_certs.sh
Restart=always
User=your_username 
Group=your_groupname

[Install]
WantedBy=multi-user.target

4. Activate the Service

Reload the systemd daemons:

sudo systemctl daemon-reload

Enable and start the service:

sudo systemctl enable monitor_certs.service
sudo systemctl start monitor_certs.service

5. Initial Manual Certificate Copy

Before the monitoring script takes over, you should manually copy the certificates for the first time:

cp /opt/postal/caddy-data/caddy/certificates/acme.zerossl.com-v2-dv90/YOURDOMAIN/YOURDOMAIN.crt /opt/postal/config/smtp.crt
cp /opt/postal/caddy-data/caddy/certificates/acme.zerossl.com-v2-dv90/YOURDOMAIN/YOURDOMAIN.key /opt/postal/config/smtp.key
chmod o+r /opt/postal/config/smtp.*

6. Test the TLS Connection

To ensure everything is working correctly, test the TLS connection with openssl:

openssl s_client -connect YOURDOMAIN:YOURPORT-starttls smtp

[edellingham]

That's what I pretty much figured. I did update the folders accordingly, but wasn't sure if there was something more complex I should consider.

I guess we'll see how well it works in 90 days :)

[vaztimur]

Thanks for the howto. Can you please explain where i can find my group name? And also the username. Username i guess is the email for login into postal dashboard?

[mredodos]

@vaztimur the 2 names are related to the username and group name of the server like root or another users

[vaztimur]

thank a lot for quick reply. Is it mandatory? or i can let it empty?

[eagles051387]

while we maybe work out a better method here is a little guide on how to copy and keep certificates up to date.

Monitoring and Updating Postal Certificates

1. Install inotify-tools

Install the toolset which provides inotifywait, used to monitor certificate changes.

sudo apt-get update
sudo apt-get install inotify-tools

2. Create the Monitoring Script

Make a script named monitor_certs.sh:

nano /opt/postal/monitor_certs.sh

Insert the following code:

#!/bin/bash

CERT_DIR="/opt/postal/caddy-data/caddy/certificates/acme.zerossl.com-v2-dv90/YOURDOMAIN/"
CERT_FILE="${CERT_DIR}YOURDOMAIN.crt"
KEY_FILE="${CERT_DIR}YOURDOMAIN.key"

while true; do
    inotifywait -e modify "$CERT_FILE" "$KEY_FILE"

    # Copy the certificates to Postal's configuration directory
    cp "$CERT_FILE" /opt/postal/config/smtp.crt
    cp "$KEY_FILE" /opt/postal/config/smtp.key

    # Adjust permissions to ensure Postal can read the certificates
    chmod o+r /opt/postal/config/smtp.*

    # Restart Postal to use the new certificates
    postal stop && sleep 15 && postal start
done

Make the script executable:

chmod +x /opt/postal/monitor_certs.sh

3. Create a systemd Service

Make a systemd service file:

sudo nano /etc/systemd/system/monitor_certs.service

Insert the following content:

[Unit]
Description=Monitor Caddy Certificates for Postal

[Service]
ExecStart=/opt/postal/monitor_certs.sh
Restart=always
User=your_username 
Group=your_groupname

[Install]
WantedBy=multi-user.target

4. Activate the Service

Reload the systemd daemons:

sudo systemctl daemon-reload

Enable and start the service:

sudo systemctl enable monitor_certs.service
sudo systemctl start monitor_certs.service

5. Initial Manual Certificate Copy

Before the monitoring script takes over, you should manually copy the certificates for the first time:

cp /opt/postal/caddy-data/caddy/certificates/acme.zerossl.com-v2-dv90/YOURDOMAIN/YOURDOMAIN.crt /opt/postal/config/smtp.crt
cp /opt/postal/caddy-data/caddy/certificates/acme.zerossl.com-v2-dv90/YOURDOMAIN/YOURDOMAIN.key /opt/postal/config/smtp.key
chmod o+r /opt/postal/config/smtp.*

6. Test the TLS Connection

To ensure everything is working correctly, test the TLS connection with openssl:

openssl s_client -connect YOURDOMAIN:YOURPORT-starttls smtp

I have followed the above but for some reason once implementing these changes as well as changing the SMTP port from 25 to 465 I am getting an error 502 and can no longer access the web interface.

Any ideas as to what is going on here and why this is happening?

[uhlhosting]

On this line:

openssl s_client -connect YOURDOMAIN:YOURPORT-starttls smtp

there is a issue it should be:

openssl s_client -connect YOURDOMAIN:YOURPORT -starttls smtp

with a break after :PORT since otherwise wont work.

[lansaloni]

Hi all.
I tried to use LE certificates as explained in this guide but when I try to send a message with STARTTL it fails and returns this error in the logs:

smtp_1      | [9] [2024-11-26T15:39:12.733] DEBUG -- : [UAEICM] <= STARTTLS
smtp_1      | [9] [2024-11-26T15:39:12.733] DEBUG -- : [UAEICM] => 220 Ready to start TLS
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] An error occurred while processing data from a client.
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] OpenSSL::PKey::RSAError: Neither PUB key nor PRIV key: nested asn1 error
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /opt/postal/app/lib/postal/config.rb:140:in `initialize'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /opt/postal/app/lib/postal/config.rb:140:in `new'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /opt/postal/app/lib/postal/config.rb:140:in `smtp_private_key'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /opt/postal/app/lib/postal/smtp_server/server.rb:41:in `ssl_context'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /opt/postal/app/lib/postal/smtp_server/server.rb:186:in `block (2 levels) in run_event_loop'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /opt/postal/app/lib/postal/smtp_server/server.rb:87:in `select'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /opt/postal/app/lib/postal/smtp_server/server.rb:87:in `block in run_event_loop'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /opt/postal/app/lib/postal/smtp_server/server.rb:85:in `loop'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /opt/postal/app/lib/postal/smtp_server/server.rb:85:in `run_event_loop'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /opt/postal/app/lib/postal/smtp_server/server.rb:261:in `run'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /opt/postal/app/lib/tasks/postal.rake:13:in `block (2 levels) in <top (required)>'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/task.rb:273:in `block in execute'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/task.rb:273:in `each'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/task.rb:273:in `execute'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/task.rb:214:in `block in invoke_with_call_chain'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/2.6.0/monitor.rb:235:in `mon_synchronize'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/task.rb:194:in `invoke_with_call_chain'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/task.rb:183:in `invoke'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/application.rb:160:in `invoke_task'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/application.rb:116:in `block (2 levels) in top_level'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/application.rb:116:in `each'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/application.rb:116:in `block in top_level'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/application.rb:125:in `run_with_threads'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/application.rb:110:in `top_level'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/application.rb:83:in `block in run'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/application.rb:186:in `standard_exception_handling'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/rake-12.3.3/lib/rake/application.rb:80:in `run'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /opt/postal/app/bin/rake:4:in `<top (required)>'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/2.6.0/bundler/cli/exec.rb:74:in `load'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/2.6.0/bundler/cli/exec.rb:74:in `kernel_load'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/2.6.0/bundler/cli/exec.rb:28:in `run'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/2.6.0/bundler/cli.rb:463:in `exec'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/2.6.0/bundler/vendor/thor/lib/thor/command.rb:27:in `run'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/2.6.0/bundler/vendor/thor/lib/thor/invocation.rb:126:in `invoke_command'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/2.6.0/bundler/vendor/thor/lib/thor.rb:387:in `dispatch'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/2.6.0/bundler/cli.rb:27:in `dispatch'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/2.6.0/bundler/vendor/thor/lib/thor/base.rb:466:in `start'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/2.6.0/bundler/cli.rb:18:in `start'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/bundler-1.17.2/exe/bundle:30:in `block in <top (required)>'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/2.6.0/bundler/friendly_errors.rb:124:in `with_friendly_errors'
smtp_1      | [9] [2024-11-26T15:39:12.740] ERROR -- : [UAEICM] /usr/local/lib/ruby/gems/2.6.0/gems/bundler-1.17.2/exe/bundle:22:in `<top (required)>'
smtp_1      | [9] [2024-11-26T15:39:12.741] ERROR -- : [UAEICM] /opt/postal/app/bin/bundle:3:in `load'
smtp_1      | [9] [2024-11-26T15:39:12.741] ERROR -- : [UAEICM] /opt/postal/app/bin/bundle:3:in `<main>'
smtp_1      | [9] [2024-11-26T15:39:23.600] DEBUG -- : [BXKFAP]    Connection opened from ::ffff:80.94.95.235
smtp_1      | [9] [2024-11-26T15:39:23.600] DEBUG -- : [BXKFAP]    Client identified as ::ffff:80.94.95.235

With my purchased certificate, however, everything works correctly.
What am I doing wrong?