Let's Encrypt with Apache/Http Frontend

[PMB]

Hello,

I know that PMG 6/7 now comes with ACME for the Let's encrypt ssl certificates and works only in standalone/http mode (My Dns APi is not on the ACME list).

The problem is that I have an Apache to redirect from HTTP to HTTPS so users can access their e-mail servers, pmg is on the same server.

So PMG listens on port 25 and the mail server (webmail) listens on 443, port 80 is redirected to 443 always thru apache (except the .well-known).

I already have an Acme cron that renews the certificate and copies it to the mail server to accept requests for 587 and 465.

Finally the questions:

- Is there any way to have those certificates already generated to be copied and used in the SMTP and API PMG ? Is it just copy/paste and restart pmg ?

- I cannot run the ACME inside PMG as it does not work because apache is already on port 80. - Is it possible to change this behaviour and have it use the apache??

thanks in advance,

P.

 

[Stoiko Ivanov]

- Is there any way to have those certificates already generated to be copied and used in the SMTP and API PMG ? Is it just copy/paste and restart pmg ?

yes exactly copy them to /etc/pmg/pmg-tls.pem (postfix) and /etc/pmg/pmg-api.pem (pmgproxy) - restarting pmgproxy.service and postfix.service should be enough
see the reference documentation: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#sysadmin_certificate_management

- I cannot run the ACME inside PMG as it does not work because apache is already on port 80. - Is it possible to change this behaviour and have it use the apache??

No this is currently not possible

I hope this helps!

 

[PMB]

yes exactly copy them to /etc/pmg/pmg-tls.pem (postfix) and /etc/pmg/pmg-api.pem (pmgproxy) - restarting pmgproxy.service and postfix.service should be enough
see the reference documentation: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#sysadmin_certificate_management

This works. But for some reason it was only working for the API the SMTP/TLS was not refreshing I do not know why.

No this is currently not possible

I hope this helps!

Will it be possible? It sounds like a goos option to have an external HTTP that does this verification. All we have to do is just add the -w /folder/to/html option and it works....

regards,

P.

 

[Stoiko Ivanov]

This works. But for some reason it was only working for the API the SMTP/TLS was not refreshing I do not know why.

you copied the certificate to /etc/pmg/pmg-tls.pem and ran `systemctl restart postfix` afterwards?
This should really be enough
you can verify the certificate with `openssl s_client -connect your.pmg.ip.addr:25 -starttls smtp`

Will it be possible? It sounds like a goos option to have an external HTTP that does this verification. All we have to do is just add the -w /folder/to/html option and it works....

currently not really planned - for the following reasons:
* there are tons of good implemenations out there (acme.sh, certbot) which handle this already quite fine - you can use any of them and configure them on the cli
* you can just not listen on port 80 (at the cost of the missing redirect http->https)
* the acme-implementation in the proxmox products is meant to work in a default setup and be comfortable for that - having options that only work in specific setups (having an externally installed and configured http server running) makes not too much sense

I hope this explains it!

 

[PMB]

you copied the certificate to /etc/pmg/pmg-tls.pem and ran `systemctl restart postfix` afterwards?
This should really be enough
you can verify the certificate with `openssl s_client -connect your.pmg.ip.addr:25 -starttls smtp`

I'll try it and let you know.

currently not really planned - for the following reasons:
* there are tons of good implemenations out there (acme.sh, certbot) which handle this already quite fine - you can use any of them and configure them on the cli
* you can just not listen on port 80 (at the cost of the missing redirect http->https)
* the acme-implementation in the proxmox products is meant to work in a default setup and be comfortable for that - having options that only work in specific setups (having an externally installed and configured http server running) makes not too much sense

I hope this explains it!

Ok, you've got a point, how about implementing a Nginx/apache like redirect in the Proxmox HTTP Server?

We could say something like:

Normal Redirect:
All http goes to https

Afterwards:
api.mydomain.com goes to api.mydomain.com:8006 - FrontEnd for proxmox
mail.mydomain.com goes to mywebmail.mydomain.com - My WebMail server (actually localhost:443 in my case)

What I have in my apache is like this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^\/\.well-known\/.*$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}


So I redirect eveything to https and do not redirect the .well-known as it is answered in http with the acme plugin.

On the https part is was like this but I disabled it and got my webmail directly on port 443 and promox satys in 8006.

SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

ProxyPreserveHost On

ProxyPass / https://xxx.xxxx.xxx.xxx:8006/
ProxyPassReverse / https://xxx.xxxx.xxx.xxx:8006/

I didn't get to the point where I would have the redirect per name.

Nevertheless is it worth considering for pmg?


best regards,

P.

 

[PMB]

I'll try it and let you know.

It worked!!!

Did you managed to take a look at the request I've done about the redirect? Is there anywhere I can submit it to be considered on a former release?


best regards,

P.