ssl certs are only reloaded on startup. Mailu serves out of date certificates #10

Open
opened 2024-04-02 13:36:09 +00:00 by knoflook · 1 comment
Owner

The certificates mounted in the `app` container in `/certs` are getting dumped by `traefik-certs-dumper` properly, but mailu doesn't scan for them changing.

behavior:
If we have a container running for a really long time (2 months+ uptime, because that's how long the letsencrypt certs are valid), the smtp/imap servers will serve the certificate that was loaded 2 months ago, which will have expired by this time, even though the file has been rotated by `traefik-certs-dumper`.

workaround:
restart the `app` container every 2 months to load the new certificates lol

Owner

Amazing troubleshooting @knoflook, nice one!

[Mailu docs recommend](https://mailu.io/master/maintain.html#external-certs) running this after certs are regenerated: `docker exec mailu_front_1 nginx -s reload`

Is it possible that's enough, if the `front` container is indeed terminating TLS even for IMAP/SMTP connections? Maybe it's something we can add to the `traefik-certdumper` config? Or a separate service using `inotifywatch` to detect changes in certs and reload when there are new ones?

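Both halves of this thread in one place: a check for whether a long-running service is still presenting a certificate that differs from the dumped file, and a reload loop that runs the nginx reload quoted above whenever a complete new cert set lands. This is an added example, not code from this issue, from Mailu or from coop-cloud; the `/certs/cert.pem` and `/certs/key.pem` file names are assumed, and it polls file hashes with the standard library instead of depending on `inotifywatch`.

```python
import hashlib
import ssl
import subprocess
import time
from pathlib import Path

# Assumed layout (not from the Mailu project): traefik-certs-dumper writes
# cert.pem and key.pem into /certs; the reload command is the one from the Mailu docs.
CERT_DIR = Path("/certs")
CERT_FILES = ("cert.pem", "key.pem")
RELOAD_CMD = ["docker", "exec", "mailu_front_1", "nginx", "-s", "reload"]
POLL_SECONDS = 300

def snapshot(paths):
    """sha256 of each file's bytes; None while a file is missing."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest()
            if Path(p).is_file() else None for p in paths}

def changed(previous, current):
    """Paths whose hash differs between two snapshots."""
    return sorted(k for k in current if previous.get(k) != current[k])

def complete(snap):
    """True only when every expected file exists: reloading on a half-written
    dump (new cert, old or absent key) would hand nginx a mismatched pair."""
    return all(v is not None for v in snap.values())

def served_matches_disk(pem_on_disk, pem_served):
    """Detection side: compare the DER of the dumped leaf cert with what the
    service presents, e.g. ssl.get_server_certificate((host, 465)).
    False means the long-running container still serves the old certificate."""
    return ssl.PEM_cert_to_DER_cert(pem_on_disk) == ssl.PEM_cert_to_DER_cert(pem_served)

def watch(paths, reload_cmd, poll_seconds, run=subprocess.run,
          sleep=time.sleep, rounds=None):
    """Reload once per change of a complete cert set; returns the reload count.
    rounds=None polls forever, a number bounds the loop (handy for tests)."""
    previous, reloads = snapshot(paths), 0
    while rounds is None or rounds > 0:
        sleep(poll_seconds)
        current = snapshot(paths)
        if changed(previous, current) and complete(current):
            run(reload_cmd, check=False)
            previous, reloads = current, reloads + 1
        if rounds is not None:
            rounds -= 1
    return reloads

if __name__ == "__main__":
    watch([CERT_DIR / f for f in CERT_FILES], RELOAD_CMD, POLL_SECONDS)
```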
Reference: coop-cloud/mailu#10