docs: SSL - Revise self-signed cert provisioning (#2021)

* docs: SSL - Deprecate internal self-signed cert tool

We no longer support this method with `setup.sh` from v10 onwards, `SSL_TYPE=self-signed` remains supported however. Advice has been revised for users to provide their own self-signed cert or use an external tool with an example provided.

* chore: typo fix

* chore: fix docker cmd

* chore: fix link syntax
This commit is contained in:
Brennan Kinney 2021-06-01 19:56:35 +12:00 committed by GitHub
parent 20fae41541
commit 2a08385578
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -427,39 +427,68 @@ This setup only comes with one caveat: The domain has to be configured on anothe
Use self-signed certificates only for testing purposes! Use self-signed certificates only for testing purposes!
You can generate a self-signed SSL certificate by using the following command: This feature requires you to provide the following files into your [`config/ssl/` directory][docs-optional-config] (internal location: `/tmp/docker-mailserver/ssl/`):
```sh - `${HOSTNAME}-key.pem`
docker run -it --rm -v "$(pwd)"/config/ssl:/tmp/docker-mailserver/ssl -h mail.my-domain.com -t mailserver/docker-mailserver generate-ssl-certificate - `${HOSTNAME}-cert.pem`
- `demoCA/cacert.pem`
# Press enter Where `${HOSTNAME}` is the mailserver [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) (`hostname`(_mail_) + `domainname`(_example.com_), eg: `mail.example.com`).
# Enter a password when needed
# Fill information like Country, Organisation name
# Fill "my-domain.com" as FQDN for CA, and "mail.my-domain.com" for the certificate.
# They HAVE to be different, otherwise you'll get a `TXT_DB error number 2`
# Don't fill extras
# Enter same password when needed
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
# will generate:
# config/ssl/mail.my-domain.com-key.pem (used in postfix)
# config/ssl/mail.my-domain.com-req.pem (only used to generate other files)
# config/ssl/mail.my-domain.com-cert.pem (used in postfix)
# config/ssl/mail.my-domain.com-combined.pem (used in courier)
# config/ssl/demoCA/cacert.pem (certificate authority)
```
!!! note
The certificate will be generate for the container `fqdn`, that is passed as `-h` argument.
Check the following page for more information regarding [postfix and SSL/TLS configuration](http://www.mad-hacking.net/documentation/linux/applications/mail/using-ssl-tls-postfix-courier.xml).
To use the certificate: To use the certificate:
- Add `SSL_TYPE=self-signed` to your container environment variables - Add `SSL_TYPE=self-signed` to your container environment variables.
- If a matching certificate (files listed above) is found in `config/ssl`, it will be automatically setup in postfix and dovecot. You just have to place them in `config/ssl` folder. - If a matching certificate (files listed above) is found in `config/ssl`, it will be automatically setup in postfix and dovecot. You just have to place them in `config/ssl` folder.
#### Generating a self-signed certificate
!!! note
Since v10, support in `setup.sh` for generating a self-signed SSL certificate internally was removed.
It is now similar to `SSL_TYPE=manual` (_except `manual` does not support verification for a custom CA_), but does not require additional ENV vars for providing the location of cert files.
One way to generate self-signed certificates is with [Smallstep's `step` CLI](https://smallstep.com/docs/step-cli). This is exactly what [`docker-mailserver` does for creating test certificates](https://github.com/docker-mailserver/docker-mailserver/tree/master/test/test-files/ssl/example.test).
For example with the FQDN `mail.example.test`, you can generate the required files by running:
```sh
#! /bin/sh
mkdir -p demoCA
step certificate create "Smallstep Root CA" "demoCA/cacert.pem" "demoCA/cakey.pem" \
--no-password --insecure \
--profile root-ca \
--not-before "2021-01-01T00:00:00+00:00" \
--not-after "2031-01-01T00:00:00+00:00" \
--san "example.test" \
--san "mail.example.test" \
--kty RSA --size 2048
step certificate create "Smallstep Leaf" mail.example.test-cert.pem mail.example.test-key.pem \
--no-password --insecure \
--profile leaf \
--ca "demoCA/cacert.pem" \
--ca-key "demoCA/cakey.pem" \
--not-before "2021-01-01T00:00:00+00:00" \
--not-after "2031-01-01T00:00:00+00:00" \
--san "example.test" \
--san "mail.example.test" \
--kty RSA --size 2048
```
If you'd rather not install the CLI tool locally to run the `step` commands above; you can save the script above to a file such as `generate-certs.sh` (_and make it executable `chmod +x generate-certs.sh`_) in a directory that you want the certs to be placed, then run that script with docker:
```sh
# --user to keep ownership of the files to your user and group ID
docker run --rm -it \
--user "$(id -u):$(id -g)" \
--volume "${PWD}:/tmp" \
--workdir "/tmp" \
--entrypoint "/tmp/generate-certs.sh" \
smallstep/step-ca
```
## Custom Certificate Files ## Custom Certificate Files
You can also provide your own certificate files. Add these entries to your `docker-compose.yml`: You can also provide your own certificate files. Add these entries to your `docker-compose.yml`:
@ -625,6 +654,8 @@ if [ "$certcheck_2weeks" = "Certificate will not expire" ]; then
fi fi
``` ```
[docs-optional-config]: ../advanced/optional-config.md
[github-file-compose]: https://github.com/docker-mailserver/docker-mailserver/blob/master/docker-compose.yml [github-file-compose]: https://github.com/docker-mailserver/docker-mailserver/blob/master/docker-compose.yml
[github-issue-1440]: https://github.com/docker-mailserver/docker-mailserver/issues/1440 [github-issue-1440]: https://github.com/docker-mailserver/docker-mailserver/issues/1440
[hanscees-renewcerts]: https://github.com/hanscees/dockerscripts/blob/master/scripts/tomav-renew-certs [hanscees-renewcerts]: https://github.com/hanscees/dockerscripts/blob/master/scripts/tomav-renew-certs