I have an Nginx Proxy Manager server in front of my various web-facing servers and my mail server (modoboa). The issue I’m facing is that my mail server wants the ssl_certificate for the nginx configuration locally. Where another service has some web-facing portal, I can just define a simple server context with port 80 on said server and use Nginx Proxy Manager to handle Let’s Encrypt certs and 443 proxying. Currently, my work-around for the mail server is to generate the SSL certificates on the Nginx Proxy Manager server then manually copy them to the appropriate locations defined by the mail server’s nginx configuration. This has several downsides, the most important of which is that these certs are rather short-lived and need renewing which then necessitates re-copying them (and remembering to do so!).
I’m sure this is an issue that is easily addressed. I would just like my Nginx Proxy Manager to be the sole SSL repository and for upstream servers like my mail server to look to it for SSL certs. I’ve searched extensively, however, and this seems to be particularly challenging for mail applications due to limitations on things like, e.g., streams for nginx. Hopefully someone here can point me to a simple guide for improving my network.
The above is my current configuration. I’ve tried various proxy and mail context settings within nginx but have not yet found any solution to the downstream SSL issue.
Apologies if I’ve got my upstream/downstream terminology backwards.
2 Answers
I have the same setup. I have iRedMail set up on a separate server and NPM as a proxy for all servers. I redirect sIMAP (port 587) and sSMTP (port 143) traffic directly from my router to the iRedMail server. All other traffic goes through NPM.
All certificates are handled by the NPM lets_encrypt facilities.
I move the specific certificate from NPM to iRedMail this way:
I have created ssh certificate-based login on the NPM server by generating an ssh certificate on the iRedMail server:
Copy the public part to NPM:
Now the root account on iRedMail can ssh to NPM and fetch files through a script.
On NPM, create a script that makes a copy of the correct Let’s Encrypt files from the /etc/letsencrypt/live/NPM-/ dir, like:
Put this in root’s crontab file (crontab -e), since only root can access and copy all of the Let’s Encrypt files.
On the iRedMail host, modify root’s crontab so that you stop the letsencrypt cron job from running, and replace the existing Let’s Encrypt files with the ones that we are going to copy from the NPM host, like:
Now you have the NPM Let’s Encrypt certificates on the mail (or other) server.
Sorry, I cannot comment to answer the questions from @cyberneko2020, and I’m not the original answer author. But I can clarify if someone needs it.
This is not an error: @Jens-k is disabling an existing crontab entry, the built-in certificate renewal of iRedMail. So it’s not really the point what was truncated by the terminal. The line starting with certbot should be commented out, as we are replacing this mechanism with our custom certificate copy process.

Correct, @Jens-k is not logging in as root via SSH to the nginxpm server. They have created a separate user account <privuser> on the nginxpm server for this. It’s a good approach from a security perspective.

You’ll also need to put the code that copies certificates from nginxpm to that <privuser> user directory into a script on the nginxpm server, let’s say /root/copycerts.sh
Then make the script file executable for root and inaccessible for others
And, finally, add an entry to root’s crontab on the nginxpm server.
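A worked version of the two-host procedure from @Jens-k’s answer and the clarification above (the copy script in /root on the NPM host, run from root’s crontab, and the fetch job in root’s crontab on the mail host), written as one shell script with two modes. This is an added example and not either poster’s script; the host name, the <privuser> account, the Let’s Encrypt live directory (CHANGEME), the destination directory and the service list are placeholders you replace with your own. It goes a little beyond what the answers describe: before anything is installed it checks with openssl that the certificate and private key actually belong together, it writes the files atomically, and it reloads the mail services only when the pair changed, which matters because renewal on the NPM side happens on its own schedule.

```shell
#!/bin/sh
# certsync.sh - added illustration of the procedure described in the two answers
# above; it is NOT the script either poster used. One file, two modes:
#   certsync.sh stage   on the NPM host, from root's crontab: copy the live pair
#                       into a directory that <privuser> can read
#   certsync.sh fetch   on the mail host, from root's crontab: pull the pair over
#                       SSH as <privuser>, verify it, install it, reload services
# All paths, host names and the user name below are placeholders.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/CHANGEME}"   # NPM: certbot live dir for the mail name
NPM_USER="${NPM_USER:-privuser}"                          # NPM: unprivileged account the mail host logs in as
NPM_STAGE="${NPM_STAGE:-/home/privuser/certs}"            # NPM: where root stages the pair for that account
NPM_HOST="${NPM_HOST:-npm.example.internal}"              # mail host: how to reach NPM
DEST_DIR="${DEST_DIR:-/etc/ssl/mail}"                     # mail host: paths nginx/postfix/dovecot already read
SERVICES="${SERVICES:-nginx postfix dovecot}"             # mail host: reloaded only when the pair changed
WORK_DIR="${WORK_DIR:-/var/tmp/certsync}"                 # mail host: scratch space for the download

# Copy one PEM file atomically: write a temp file next to the destination, set
# the mode, then rename, so a service reloading mid-copy never sees a partial
# key. cat(1) follows symlinks, which matters because the files under
# /etc/letsencrypt/live/ are symlinks into ../../archive/.
copy_pem() { # $1=src $2=dst $3=octal mode
  tmp=$(mktemp "$(dirname "$2")/.$(basename "$2").XXXXXX")
  cat "$1" > "$tmp" && chmod "$3" "$tmp" && mv -f "$tmp" "$2"
}

# Cheap sanity check before anything is trusted: non-empty, expected PEM header.
pem_sanity() { # $1=file $2=ERE for the BEGIN label
  [ -s "$1" ] && head -n 1 "$1" | grep -qE "^-----BEGIN $2-----$"
}

# The real check: the public key inside the certificate must equal the public
# key derived from the private key. Catches a stale or mismatched copy.
cert_matches_key() { # $1=fullchain.pem $2=privkey.pem
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# NPM side. Root copies the pair into a 0700 directory owned by <privuser>;
# the mail host therefore never needs root on NPM, and nothing else under
# /etc/letsencrypt is exposed.
stage_certs() { # $1=live dir $2=stage dir [$3=owner]
  mkdir -p "$2" && chmod 0700 "$2"
  copy_pem "$1/fullchain.pem" "$2/fullchain.pem" 0644
  copy_pem "$1/privkey.pem"   "$2/privkey.pem"   0600
  [ $# -lt 3 ] || chown -R "$3" "$2"
}

# Mail side. Install the staged pair only if it differs from what is already
# in place. Prints "changed" or "unchanged" and always returns 0.
install_if_changed() { # $1=staging dir $2=destination dir
  result=unchanged
  mkdir -p "$2"
  for name in fullchain.pem privkey.pem; do
    if [ -f "$2/$name" ] && cmp -s "$1/$name" "$2/$name"; then continue; fi
    case "$name" in privkey.pem) mode=0600 ;; *) mode=0644 ;; esac
    copy_pem "$1/$name" "$2/$name" "$mode"
    result=changed
  done
  echo "$result"
}

fetch_and_install() {
  mkdir -p "$WORK_DIR" && chmod 0700 "$WORK_DIR"
  scp -q "$NPM_USER@$NPM_HOST:$NPM_STAGE/fullchain.pem" \
         "$NPM_USER@$NPM_HOST:$NPM_STAGE/privkey.pem" "$WORK_DIR/"
  pem_sanity "$WORK_DIR/fullchain.pem" 'CERTIFICATE' \
    || { echo "fullchain.pem is not a certificate" >&2; return 1; }
  pem_sanity "$WORK_DIR/privkey.pem" '(RSA |EC )?PRIVATE KEY' \
    || { echo "privkey.pem is not a private key" >&2; return 1; }
  cert_matches_key "$WORK_DIR/fullchain.pem" "$WORK_DIR/privkey.pem" \
    || { echo "certificate and key do not match; leaving current files alone" >&2; return 1; }
  if [ "$(install_if_changed "$WORK_DIR" "$DEST_DIR")" = changed ]; then
    for s in $SERVICES; do systemctl reload "$s"; done
  fi
  rm -f "$WORK_DIR"/*.pem
}

case "${1:-}" in
  stage) stage_certs "$LIVE_DIR" "$NPM_STAGE" "$NPM_USER" ;;
  fetch) fetch_and_install ;;
esac
```

Run `certsync.sh stage` from root’s crontab on NPM and, a little later, `certsync.sh fetch` from root’s crontab on the mail host; once a day is plenty, and because the install step is idempotent nothing happens on the days the certificate did not renew. The mail host’s root user needs the SSH key whose public half sits in <privuser>’s authorized_keys on NPM (and NPM’s host key in root’s known_hosts, or cron will hang on the prompt); that authorized_keys entry can be tightened with options such as restrict and from= so the key is good for nothing except this copy. The certbot renewal itself keeps running on NPM; only the copy to the mail host is replaced.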