Comments (10)

qknight avatar qknight commented on September 25, 2024

are you still using services.nginx because that won't work with nixcloud.TLS and therefore ACME will only create self-signed certificates.

you need to enable nixcloud.reverse-proxy on port 80 in combination with this setup so that you actually can query valid let's encrypt certificates.

from nixcloud-webservices.

qknight avatar qknight commented on September 25, 2024

we've just released hack-your-service

this is pretty much like services.apache or services.nginx. try it!


qknight avatar qknight commented on September 25, 2024

hack ahead: if you still want to use services.nginx or services.apache you can define a webpage running on the 'domain' in question so that security.acme is able to query the certificate when needed. but then you have to reload the postfix.service and dovecot2.service manually from time to time since they don't know about updated certificates.


erictapen avatar erictapen commented on September 25, 2024

are you still using services.nginx because that won't work with nixcloud.TLS and therefore ACME will only create self-signed certificates.

As I said, I set up a new NixOS host with the sole purpose of not having any other service like Nginx running which could interfere with the setup. Also I just did

cd /var/lib
rm -rf acme/ dovecot/ virtualMail/

to make sure that all the certs I have come from Nixcloud. After rebuilding the system, the problem persists.

I don't want to run any other web service, just email. There is really nothing else configured on the server, besides a tinc VPN for maintenance. The text in the email documentation suggests that I get a Let's Encrypt certificate by default, not a self-signed one:

When using nixcloud.email.enableTLS = true;, which is a default, we automatically acquire a let's encrypt TLS certificate for your mail server.

Also the "basic example" section gives me the impression that it results in a mail server where my users don't have to accept a self-signed certificate from "Warwickshire".

The overall presentation of the email module gave me the impression that it provides me an abstraction for a mail server that "works out of the box" but still gives me the possibility to manipulate the service on a deeper level. At the moment I have no time for hacking. Is this a use case of nixcloud.email?


qknight avatar qknight commented on September 25, 2024

@erictapen i've been looking into your issue and the problem is that:

the problem

  1. acme-mail.someserver.com.service was able to get a certificate after a while
  2. but https://github.com/NixOS/nixpkgs/blob/release-18.03/nixos/modules/security/acme.nix#L296 uses a privateTmp
  3. but https://github.com/NixOS/nixpkgs/blob/release-18.03/nixos/modules/security/acme.nix#L239 seems not to be able to read it and thus is not executed

and what i've seen on your system is that there were let's encrypt certificates but the services weren't restarted after those had been retrieved successfully. at the moment i think this is an issue of security.acme and that it is related to the condition to run the postRun hook (which, as i said, was never run and can't be run manually either...)

will look into this either later today or tomorrow.

the hack solution

  • you need to reboot the machine (easy)
  • you need to restart all jobs mentioned in the postRun hook, see systemctl cat acme-mail.someserver.com.service's ExecStopPost script
  • or restart all manually like: systemctl restart dovecot2 and systemctl restart postfix

the solution

we need to figure out why the postRun in security.acme actually exists and is not just a part of the ExecStart. at the moment i can't think of any good reason ...

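Given the failure mode qknight describes above (certificates renewed on disk, but postfix and dovecot2 never restarted, so they keep serving the old one), here is an added check that is not code from the nixcloud-webservices project or this thread: it compares the fingerprint of the certificate each daemon actually presents with the one on disk and restarts only the units that are stale. The unit names, ports and the /var/lib/acme path are assumptions based on the thread and the NixOS 18.03 security.acme layout.

```shell
#!/usr/bin/env bash
# Added example, not from nixcloud-webservices: restart postfix/dovecot2 only
# when the certificate they serve differs from the one security.acme wrote.
set -eu

# SHA-256 fingerprint of the first certificate in a PEM file on disk.
disk_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate a live service presents. $3 is the STARTTLS
# protocol name for openssl s_client (smtp, imap) or empty for implicit TLS.
served_fingerprint() {
    host=$1 port=$2 starttls=${3:-}
    if [ -n "$starttls" ]; then
        openssl s_client -connect "$host:$port" -starttls "$starttls" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" </dev/null 2>/dev/null
    fi | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Pure comparison; an empty fingerprint (handshake failed) never counts as a match.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Compare a unit's served certificate with the disk copy and restart if stale.
# This is the thread's "restart dovecot2 / postfix manually" step, done only when needed.
check_and_restart() {
    unit=$1 host=$2 port=$3 starttls=$4 cert=$5
    if fingerprints_match "$(disk_fingerprint "$cert")" "$(served_fingerprint "$host" "$port" "$starttls")"; then
        echo "$unit: serving the current certificate"
    else
        echo "$unit: stale certificate, restarting"
        systemctl restart "$unit"
    fi
}

# Only act when invoked with --run, so the functions can be sourced or tested safely.
if [ "${1:-}" = "--run" ]; then
    cert=/var/lib/acme/mail.someserver.com/fullchain.pem   # assumed security.acme path
    check_and_restart postfix  localhost 587 smtp "$cert"
    check_and_restart dovecot2 localhost 993 ""   "$cert"
fi
```

Run it after `acme-mail.someserver.com.service` has completed (or from a timer) and it only touches units whose handshake still shows the old fingerprint.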

qknight avatar qknight commented on September 25, 2024

filed a bug NixOS/nixpkgs#40874


qknight avatar qknight commented on September 25, 2024

now i'd like to move away from security.acme, see this NixOS/nixpkgs#34941


qknight avatar qknight commented on September 25, 2024

@erictapen i think we'll move away from security.acme in the long run (next few weeks) and until then you should not get any certificate issues for the server in question. for all new installations simply restart the server (easiest) or reload the services in question manually (more work).

@erictapen i'll leave this issue open until we fixed it. thanks for your help!


erictapen avatar erictapen commented on September 25, 2024

Works like a charm now, many thanks!


erictapen avatar erictapen commented on September 25, 2024

By the way: Today I learned about nixos/tests/common/letsencrypt.nix. This looks like a module which emulates the Let's Encrypt API, so one can test for issues like this automatically.
