Specify key_type for one domain

rhys · May 11, 2020, 10:51am

1. Caddy version (`caddy version`):

v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

2. How I run Caddy:

a. System environment:

Ubuntu 18.04

b. Command:

caddy reload

d. My complete Caddyfile or JSON config:

https://mail.domain.com {
    tls yourcurrentemail@gmail.com {
        key_type  rsa2048
    }
}

3. The problem I’m having:

I’m trying to change the key type for one domain in order to generate keys for GitHub - docker-mailserver/docker-mailserver: Production-ready fullstack but simple mail server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.) running inside a container.

4. Error messages and/or full log output:

reload: adapting config using caddyfile: parsing caddyfile tokens for 'tls': Caddyfile:68 - Error during parsing: unknown subdirective: key_type

5. What I already tried:

I tried adding the key_type to the tls directive of the domain.

6. Links to relevant resources:

The following forum post seems to indicate this should work:

Though key_type is not mentioned in the directive documentaton.

This issue on the docker mailserver github also suggests this solution, but may be for v1.

github.com/docker-mailserver/docker-mailserver

Using Let's encrypt certs obtained with Caddy, not working so far

opened 03:14PM - 29 Mar 20 UTC

closed 12:39PM - 04 May 20 UTC

qdm12

## Context I am trying to setup this project, everything seems to work but tl…s certificates. I use Caddy to renew automatically Let's Encrypt certificates (private.key and public.crt). I have digged into existing issues but haven't found an answer really. The container has hostname `mail` and DNS configuration also uses `mail` for the FQDN. I use the environment variables: ``` SSL_TYPE=manual SSL_CERT_PATH=/tmp/ssl/cert/public.crt SSL_KEY_PATH=/tmp/ssl/private/private.key ``` With my docker-compose.yml volumes as ```yml - ../caddy/data/acme/acme-v02.api.letsencrypt.org/sites/mail.domain.tld/mail.domain.tld.crt:/tmp/ssl/cert/public.crt:ro - ../caddy/data/acme/acme-v02.api.letsencrypt.org/sites/mail.domain.tld/mail.domain.tld.key:/tmp/ssl/private/private.key:ro ``` And verified with `docker exec` that these are present and right, and also copied properly to `/etc/postfix/` by the startup script. All ports are also port forwarded on my router, DNS settings should be correct as well. ## Expected Behavior 1. Running `docker exec mail openssl s_client -connect 0.0.0.0:25 -starttls smtp -CApath /etc/ssl/certs/` should give some certificates information and no error 2. Logging in with my Gmail Android app should not fail, using `username@mail.domain.tld`, `IMAP`, with incoming and outgoing username and server as `username@domain.tld` and `mail.domain.tld` respectively. ## Actual Behavior 1. Gives the following message: ``` CONNECTED(00000003) 140342221178112:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 294 bytes and written 326 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- ``` 2. I get the warning message in my app `Email security not guaranteed... The highest security available may not be supported`. In the Docker logs I get (all at the same second I try to login): ``` mail postfix/submission/smtpd[2064]: connect from er4.x[192.168.2.1] mail postfix/submission/smtpd[2064]: SSL_accept error from er4.x[192.168.2.1]: -1 mail postfix/submission/smtpd[2064]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1419: mail postfix/submission/smtpd[2064]: lost connection after STARTTLS from er4.x[192.168.2.1] mail postfix/submission/smtpd[2064]: disconnect from er4.x[192.168.2.1] ehlo=1 starttls=0/1 commands=1/2 mail postfix/submission/smtpd[2064]: connect from er4.x[192.168.2.1] mail postfix/submission/smtpd[2064]: lost connection after UNKNOWN from er4.x[192.168.2.1] mail postfix/submission/smtpd[2064]: disconnect from er4.x[192.168.2.1] unknown=0/2 commands=0/2 ``` ## Possible Fix - The certs are definitely picked up by postfix as if I give another domain certs, I will obtain a warning in my Gmail app about it being for another domain. - The certificate (public.crt) contains two certificates (two `BEGIN CERTIFICATE`), is this expected - The private key (private.key) is an EC key ## Steps to Reproduce Try using certificates obtained from Caddy and its Lets encrypt implementation. There might be an issue with my configuration as well. ## Your Environment * Amount of RAM available: * Mailserver version used: `latest` (pulled 2 days ago) * Docker version used: 19.03.5-ce

francislavoie · May 11, 2020, 1:55pm

Currently key_type is only available as a global option in the Caddyfile:

If you need deeper customization, you’ll need to use JSON configuration instead. You can convert your current config to JSON with the caddy adapt command.

rhys · May 11, 2020, 3:51pm

Thanks for the reply. How difficult would it be to enable this in the Caddyfile? I’m willing to try to make a PR but have only got limited go experience.

In the mean time I have generated the json and modified the tls section like this:

		"tls": {
			"automation": {
				"policies": [
					{
						"issuer": {
							"email": "my@email.com",
							"module": "acme"
						}
					},
					{
						"subjects": [
							"mail.domain.com"
						],
						"key_type": "rsa2048",
						"issuer": {
							"email": "my@email.com",
							"module": "acme"
						}
					}
				]
			}
		}

Is that correct? It doesn’t seem to have modified the keys, do I need to delete the old ones?

francislavoie · May 11, 2020, 4:02pm

I’m pretty sure that order matters for the policies, you’ll likely need to swap them so the most specific one is matched first.

I’m not sure whether you need to get rid of the old keys, you could try backing them up from your data directory to see if they generate differently for you.

It’s a tricky problem. The tls directive is per-site, but in JSON the tls app is “global”. We have some pretty complex logic that consolidates TLS settings when adapting to JSON. I think @matt will need to decide if this is something worth exploring.

rhys · May 11, 2020, 4:47pm

Swapping the order of the policies and deleting the old keys worked. Thanks

matt · May 11, 2020, 4:49pm

I don’t think it’s difficult. We already do similar logic for the ACME account email address and such. Just doesn’t seem very useful to have different key types. Why do you need this feature in the Caddyfile?

rhys · May 11, 2020, 5:06pm

I wanted the rsa2048 keys to use with docker-mailserver (all in one self hosted mail server stack container) which currently doesn’t support the default keys (EC?). I don’t know if that issue is specific to the docker image, or some element of the tech within.

I’m managing my Caddy config manually as its just for my personal server with various apps running so it would be nicer to use the Caddyfile syntax as opposed to the full json structure.

matt · May 12, 2020, 5:09am

Well, I think you’re the first to ask for that feature (in the Caddyfile, specifically – since it can already be done in the JSON).

It’s not a high priority for me to implement at this time but we could review a PR if you wanted to jump on it. Otherwise, just choose a maximally-compatible key type globally in the meantime, or tweak the JSON (it’s really not that bad, just explore the structural docs for a bit - I hand-craft or fine-tune JSON configs all the time).

rhys · May 12, 2020, 8:21am

Yeh you are right, the JSON is not nearly as daunting as it first looks and I’ve now got my config in YAML so its almost as concise as the Caddyfile format.

Thanks for all the help, very pleased with Caddy atm

system · June 11, 2020, 8:21am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.