Comments (10)
are you still using `services.nginx`? because that won't work with `nixcloud.TLS` and therefore ACME will only create self-signed certificates. you need to enable `nixcloud.reverse-proxy` on port 80 in combination with this setup so that you actually can query valid let's encrypt certificates.
from nixcloud-webservices.
we've just released hack-your-service, this is pretty much like `services.apache` or `services.nginx`. try it!
hack ahead: if you still want to use `services.nginx` or `services.apache` you can define a webpage running on the 'domain' in question so that `security.acme` is able to query the certificate when needed. but then you have to reload the `postfix.service` and `dovecot2.service` manually from time to time since they don't know about updated certificates.
> are you still using services.nginx because that won't work with nixcloud.TLS and therefore ACME will only create self-signed certificates.

As I said, I set up a new NixOS host with the sole purpose of not having any other service like Nginx running, which could interfere with the setup. Also I just did

```
cd /var/lib
rm -rf acme/ dovecot/ virtualMail/
```

to make sure that all the certs I have come from Nixcloud. After rebuilding the system, the problem persists.

I don't want to run any other web service, just email. There is really nothing else configured on the server, besides a tinc VPN for maintenance. The text of the email documentation suggests that I get a Let's Encrypt certificate by default, not a self-signed one:

> When using `nixcloud.email.enableTLS = true;`, which is a default, we automatically acquire a let's encrypt TLS certificate for your mail server.

Also the "basic example" section gives me the impression that it results in a mail server where my users don't have to accept a self-signed certificate from "Warwickshire".

The overall presentation of the email module gave me the impression that it provides me an abstraction for a mail server that "works out of the box" but still gives me the possibility to manipulate the service on a deeper level. At the moment I have no time for hacking. Is this a use case of `nixcloud.email`?
@erictapen i've been looking into your issue and the problem is that:

**the problem**

- `acme-mail.someserver.com.service` was able to get a certificate after a while
- but https://github.com/NixOS/nixpkgs/blob/release-18.03/nixos/modules/security/acme.nix#L296 uses a privateTmp
- but https://github.com/NixOS/nixpkgs/blob/release-18.03/nixos/modules/security/acme.nix#L239 seems not to be able to read it and thus is not executed

and what i've seen on your system is that there were let's encrypt certificates but the services weren't restarted after those had been retrieved successfully. at the moment i think this is an issue of `security.acme` and that it is related to the condition to run the `postRun` hook (which, as i said, was never run and can't be run manually either...)

will look into this either later today or tomorrow.

**the hack solution**

- you need to reboot the machine (easy)
- you need to restart all jobs mentioned in the postRun hook, see `systemctl cat acme-mail.someserver.com.service`'s ExecStopPost script - or restart all manually like: `systemctl restart dovecot2` and `systemctl restart postfix`

**the solution**

we need to figure out why the `postRun` in `security.acme` is actually existent and not just a part of the ExecStart. at the moment i can't think of any good reason ...
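The failure mode diagnosed above (ACME renewed the certificate, but postfix and dovecot were never reloaded and kept serving the old one) is easy to detect from the outside: compare the SHA-256 fingerprint of the certificate on disk with the one each service actually presents. The following POSIX shell script is an added example and is not code from the nixcloud-webservices project or from anyone in this thread; it assumes `openssl` and `sed` are installed, that the certificate lives at `/var/lib/acme/<domain>/fullchain.pem`, and that the services are called `postfix` (STARTTLS on port 25) and `dovecot2` (implicit TLS on port 993). The domain `mail.example.org` used in the usage note is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the nixcloud-webservices project or this thread.
# Detects a mail service that still presents an old certificate after an ACME
# renewal (the symptom above: certificates renewed, postfix/dovecot never
# reloaded). Domain, ports, service names and the certificate path are
# assumptions for illustration.
set -eu

# SHA-256 fingerprint of the leaf certificate in a PEM file (e.g. fullchain.pem).
# Prints nothing and returns 1 if the file cannot be parsed.
disk_fingerprint() {
  fp=$(openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//')
  [ -n "$fp" ] && printf '%s\n' "$fp"
}

# SHA-256 fingerprint of the leaf certificate a live service presents.
# $1 host, $2 port, $3 optional STARTTLS protocol (smtp, imap) for plaintext ports.
# Prints nothing and returns 1 when no certificate could be fetched.
served_fingerprint() {
  host=$1; port=$2; proto=${3:-}
  if [ -n "$proto" ]; then
    pem=$(openssl s_client -connect "$host:$port" -starttls "$proto" \
            -servername "$host" </dev/null 2>/dev/null) || true
  else
    pem=$(openssl s_client -connect "$host:$port" \
            -servername "$host" </dev/null 2>/dev/null) || true
  fi
  fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//')
  [ -n "$fp" ] && printf '%s\n' "$fp"
}

# Returns 0 only when both fingerprints are non-empty and identical.
fingerprints_match() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Compares what one service serves with what is on disk.
# Returns 1 (and names the reload to run) when they differ.
check_service() {
  unit=$1; cert=$2; host=$3; port=$4; proto=${5:-}
  want=$(disk_fingerprint "$cert" || true)
  got=$(served_fingerprint "$host" "$port" "$proto" || true)
  if fingerprints_match "$want" "$got"; then
    echo "OK    $unit presents the certificate on disk ($want)"
  else
    echo "STALE $unit: disk=${want:-<unreadable>} served=${got:-<none>}"
    echo "      fix: systemctl reload $unit   (or restart it, as in the thread)"
    return 1
  fi
}

# Check postfix (STARTTLS on 25) and dovecot (implicit TLS on 993) for one domain.
# Assumed certificate location: where security.acme stores fullchain.pem.
check_mail_host() {
  domain=$1
  cert=/var/lib/acme/$domain/fullchain.pem
  rc=0
  check_service postfix  "$cert" "$domain" 25  smtp || rc=1
  check_service dovecot2 "$cert" "$domain" 993      || rc=1
  return $rc
}

# Run only when a domain is given, so the functions can also be sourced.
if [ "${1:-}" != "" ]; then
  check_mail_host "$1"
fi
```

Run it as `sh check-mail-certs.sh mail.example.org` from a cron job or timer after each ACME run; a non-zero exit means at least one daemon is still serving the old certificate and needs the reload that the `postRun` hook was supposed to perform. Comparing fingerprints rather than expiry dates catches the case where the renewed certificate is valid but simply not loaded.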
filed a bug NixOS/nixpkgs#40874
now i'd like to move away from `security.acme`, see this NixOS/nixpkgs#34941
@erictapen i think we'll move away from `security.acme` in the long run (next few weeks) and until then you should not get any certificate issues for the server in question. for all new installations simply restart the server (easiest) or reload the services in question manually (more work).

@erictapen i'll leave this issue open until we've fixed it. thanks for your help!
Works like a charm now, many thanks!
By the way: Today I learned about `nixos/tests/common/letsencrypt.nix`. This looks like a module which emulates the Let's Encrypt API, so one can test for issues like this automatically.