Axigen Traefik and LetsEncrypt

Hello,

Environment

Ubuntu 18.04
Docker version 19.03.12
Docker Compose version 1.26.2

Versions


Server version: 10.3.2.11
WebMail version: 10.3.2.11.0
WebAdmin version: 10.3.2.11.0

Compose File

traefik:
  image: traefik:v1.7.16
  container_name: traefik
  restart: unless-stopped
  command: --docker --api --docker.domain=${DOMAIN}
  networks:
    external:
      ipv4_address: xxx.xx.x.xx
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - /opt/containers/proxy/traefik.toml:/traefik.toml
    - /opt/containers/proxy/acme/acme.json:/acme/acme.json
    - /var/run/docker.sock:/var/run/docker.sock
  environment:
    - PUID=0
    - PGID=0
    - TZ=${TIMEZONE}
  labels:
    - traefik.enable=true
    - traefik.backend=Proxy
    - traefik.frontend.rule=Host:proxy.${DOMAIN},www.proxy.${DOMAIN}
    - traefik.port=8080
    - traefik.docker.network=external

mailserver:
  image: axigen/axigen
  container_name: mailserver
  restart: unless-stopped
  domainname: ${DOMAIN}
  hostname: mail
  networks:
    external:
      ipv4_address: xxx.xx.x.xx
  ports:
    - "25:25"       # SMTP
    - "465:465"     # SMTP - TLS
    - "587:587"     # SMTP - STARTTLS
    - "143:143"     # IMAP
    - "993:993"     # IMAPS - TLS
    - "110:110"     # POP3
    - "995:995"     # POP3 - TLS
    - "7000:7000"   # CLI
  environment:
    - TZ=${TIMEZONE}
  volumes:
    - /opt/containers/mailserver:/var/opt/axigen
  labels:
    - traefik.enable=true
    - traefik.docker.network=external
    - traefik.mail.frontend.rule=Host:mail.${DOMAIN},www.mail.${DOMAIN} # This rule actually doesn't do anything except create an unused cert
    - traefik.admin.frontend.rule=Host:admin.mail.${DOMAIN},www.admin.mail.${DOMAIN}
    - traefik.admin.port=9000
    - traefik.web.frontend.rule=Host:web.mail.${DOMAIN},www.web.mail.${DOMAIN}
    - traefik.web.port=80

Issue

So I read the docs about the creation of a LetsEncrypt cert.
When I want to create a certificate through the admin interface I encounter the following error: “The SSL certificate could not be generated!” (Case 1).

I tried to modify my request file (attached below) to remove the https:// (which seems to cause a folder creation error), but after that I encounter another error: “generate_failed” (Case 2).

I saw an answer on the forum to a similar problem which explained that port 80 of Axigen had to be accessible from the outside; in the case of a port change, should I do a redirect?

Another case with much the same error message as mine was corrected via v3; that is not my case.

I am attaching the two request files as well as the corresponding logs.

Scenario

Case 1

Nothing is done.

Case 2

A folder mail.domain.tld is created, containing an account_priv.key file.

Logs


CASE 1

request file 1

{
    "current": {
        "accept-terms":"yes",
        "commonName":"https:\/\/mail.domain.tld",
        "contactMail":"",
        "type":"0"
    },
    "state": {"id":"0"},
    "requests": []
}

logs file 1

2020-08-14 18:42:51.581 +0000 08 mail JOBLOG:70000008: LetsE: Acme job executing
2020-08-14 18:42:51.581 +0000 08 mail JOBLOG:70000008: LetsE: Found current request
2020-08-14 18:42:51.581 +0000 08 mail JOBLOG:70000008: LetsE: Generating account private key... 
2020-08-14 18:42:51.581 +0000 02 mail JOBLOG:70000008: LetsE: Failed to create dir /var/opt/axigen/letsencrypt/https://mail.domain.tld error 2
2020-08-14 18:42:51.581 +0000 02 mail JOBLOG:70000008: LetsE: error generating account keys
2020-08-14 18:42:51.581 +0000 02 mail JOBLOG:70000008: LetsE: Unable to access required files

CASE 2

request file 2

{
    "current": {
        "accept-terms":"yes",
        "commonName":"mail.domain.tld",
        "contactMail":"",
        "type":"0"
    },
    "state": {"id":"0"},
    "requests": []
}

logs file 2

2020-08-14 18:47:21.965 +0000 08 mail JOBLOG:70000000: LetsE: Acme job executing
2020-08-14 18:47:21.965 +0000 08 mail JOBLOG:70000000: LetsE: Found current request
2020-08-14 18:47:21.966 +0000 08 mail JOBLOG:70000000: LetsE: AcmeInitState for mail.elielaloum.com executing
2020-08-14 18:47:22.823 +0000 08 mail JOBLOG:70000000: LetsE: Response code 200
2020-08-14 18:47:22.823 +0000 08 mail JOBLOG:70000000: LetsE: Account location is https://acme-v02.api.letsencrypt.org/acme/acct/93948539, TOS URI is https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2020-08-14 18:47:22.823 +0000 02 mail JOBLOG:70000000: LetsE: Acme init state completed, moving to reg state
2020-08-14 18:47:22.824 +0000 08 mail JOBLOG:70000000: LetsE: Job step action => Proceeding to next state
2020-08-14 18:47:22.824 +0000 08 mail JOBLOG:70000000: LetsE: AcmeRegState for mail.elielaloum.com executing
2020-08-14 18:47:23.105 +0000 08 mail JOBLOG:70000000: LetsE: Response code 201
2020-08-14 18:47:23.282 +0000 02 mail JOBLOG:70000000: LetsE: Acme reg state completed, moving to challenge state
2020-08-14 18:47:23.283 +0000 08 mail JOBLOG:70000000: LetsE: Job step action => Proceeding to next state
2020-08-14 18:47:23.283 +0000 08 mail JOBLOG:70000000: LetsE: AcmeChallengeState for mail.elielaloum.com executing
2020-08-14 18:47:23.646 +0000 08 mail JOBLOG:70000000: LetsE: Response code 200
2020-08-14 18:47:23.646 +0000 08 mail JOBLOG:70000000: LetsE: Job step action => Waiting is needed, going to sleep
2020-08-14 18:47:38.280 +0000 08 mail JOBLOG:70000001: LetsE: Acme job executing
2020-08-14 18:47:38.280 +0000 08 mail JOBLOG:70000001: LetsE: AcmeChallengeState for mail.elielaloum.com executing
2020-08-14 18:47:38.450 +0000 08 mail JOBLOG:70000001: LetsE: Challenge status still pending, need to wait some more for mail.elielaloum.com
2020-08-14 18:47:38.454 +0000 02 mail JOBLOG:70000001: LetsE: Job step action => Connection-related error, re-attempting after 15 seconds
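As an added example (my own code, not from this thread or from Axigen), a small Python helper covering the two failure modes shown above: it rejects a request-file commonName that is not a bare hostname (in Case 1 the https:// prefix became part of a directory name), and it triages LetsE JOBLOG lines to the ACME state where the job stopped (Case 2 stalled in the HTTP-01 challenge). The JSON field names are those of the request files above and the log format is the one in the logs above; the hint strings are my own wording.

```python
import json
import re

# RFC 1123-style hostname: at least two labels, no scheme, no path.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")

def validate_request(raw_json):
    """Problems in an Axigen letsencrypt request file ([] means OK). Axigen turns
    commonName into a directory name (Case 1 tried to create
    .../letsencrypt/https://mail.domain.tld), so only a bare hostname is accepted."""
    cur = json.loads(raw_json).get("current", {})
    cn = cur.get("commonName", "")
    problems = []
    if "://" in cn:
        problems.append("commonName carries a URL scheme; use the bare hostname")
    elif "/" in cn or "\\" in cn:
        problems.append("commonName contains a path separator")
    elif not HOSTNAME_RE.match(cn):
        problems.append("commonName is not a valid DNS hostname")
    if cur.get("accept-terms") != "yes":
        problems.append("accept-terms must be 'yes'")
    return problems

# "AcmeInitState for <host> executing", "AcmeRegState ...", "AcmeChallengeState ..."
STATE_RE = re.compile(r"LetsE: Acme(\w+)State for \S+ executing")
ERROR_RE = re.compile(r"LetsE: (.*\b(?:Failed|error|Unable)\b.*)$", re.IGNORECASE)

def triage_joblog(lines):
    """Last ACME state reached and first error in a run of LetsE JOBLOG lines."""
    state, error = None, None
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            state = m.group(1).lower()  # init / reg / challenge / ...
        m = ERROR_RE.search(line)
        if m and error is None:
            error = m.group(1).strip()
    if error is None:
        hint = "no error recorded"
    elif state is None:
        hint = "failed before contacting the CA: check the request file and data dir"
    elif state == "challenge":
        hint = "HTTP-01 stalled: port 80 for the commonName must reach Axigen's web port"
    else:
        hint = "failed in ACME state '%s'" % state
    return {"state": state, "error": error, "hint": hint}
```

Feed it the request file and the JOBLOG lines from the Axigen log; a `challenge` state with a connection-related error points at the proxy in front of port 80 rather than at the request file.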

Hi,

If you are using Traefik, then why not generate the certificates by Traefik like described here:

Traefik Proxy with HTTPS - Docker Swarm Rocks

or this one for newer version:

Traefik Proxy with HTTPS - Docker Swarm Rocks

HTH,
Denis

2 Likes

Hi,

First thank you for your answer.

I generate the certs used by Traefik like this; the problem is that all certs are stored in an acme.json file.
I don’t know how to retrieve them and use them with Axigen.

Hi,

You don’t need to retrieve the certificates at all, just use Traefik for the SSL termination and forward the ports to the Web-UI. If of course you need the certificates for the POP/IMAP/SMTP services, then the easiest way is to create the certificates on the Axigen side.

I am using HAProxy (tcp mode) as the main proxy, which then passes the requests (depending on the FQDN) either directly to the Swarm cluster (where SSL termination happens), or directly to the desired services (SMTP, IMAP, etc.) - this works great!

Here is a snippet of my “haproxy.cfg”:

# http frontend for non-ssl sites
frontend http
    bind *:80
    mode http
    use_backend letsencrypt-backend if { hdr(Host) -i axigen.example.com } { path_beg /.well-known/acme-challenge/ }
    option forwardfor
    use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/http.map)]

# https frontend for tcp passthru ssl sites
frontend https
    bind *:443
    mode tcp
    tcp-request inspect-delay 10s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend %[req.ssl_sni,lower,map_dom(/etc/haproxy/sni.map,nonSNIhttps_back)]

I use the ACL on the “.well-known” path to forward all requests without SSL to the specified hosts, i.e. axigen.example.com - thus everything works as expected (i.e. certificates are generated both on Traefik, which runs on Docker Swarm, and of course on other services behind FQDNs, such as Axigen in this example).

I hope this helps!

Best regards,
Denis

P.S.: I have moved from Axigen to a Dovecot + Postfix + SOGo setup, as I couldn’t get Card- and CalDAV to work, so I won’t be here often anymore!

1 Like

Thank you very much for your help, you are giving me some answers which were necessary to solve this problem.

1 Like