ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
58a2c8077d792b0ab446c5d13d9df26cacbf2175
dezky/infrastructure/production/fleet/cert-manager/mail-certificate.yaml
T
Ronni Baslund e77a963390
ci / changes (push) Successful in 3s
Details
ci / tc_portal (push) Has been skipped
Details
ci / tc_booking (push) Has been skipped
Details
ci / tc_operator (push) Has been skipped
Details
ci / tc_platform_api (push) Has been skipped
Details
ci / tc_website (push) Has been skipped
Details
ci / build_portal (push) Has been skipped
Details
ci / test_platform_api (push) Has been skipped
Details
ci / build_booking (push) Has been skipped
Details
ci / build_operator (push) Has been skipped
Details
ci / build_platform_api (push) Has been skipped
Details
ci / deploy (push) Has been skipped
Details
feat(infra): real TLS for mail.dezky.eu 
The cert-sync timer waited forever for a mail/mail-tls secret no
Certificate resource ever requested — Stalwart served self-signed certs
since install, so mail clients refused the IMAP handshake ('cannot verify
account name or password' in Apple Mail). Adds the cert-manager
Certificate (HTTP-01 via Traefik on :80) and documents the v0.16 wrinkle:
TLS files aren't read from config anymore; a one-time file-backed
x:Certificate object (created via management JMAP) points at the synced
paths, after which cert-sync renewals keep working unchanged. Verified:
:993 now serves the Let's Encrypt cert, verify rc=0.
2026-06-10 21:58:35 +02:00

30 lines
985 B
YAML
Raw Blame History

# TLS for mail.dezky.eu — issued in-cluster by cert-manager, consumed on the
# HOST by Stalwart: stalwart-cert-sync.timer (host/stalwart/cert-sync.sh)
# copies the mail/mail-tls secret to /opt/stalwart/etc/tls every 12h and
# reloads Stalwart when it changes. Until this Certificate is Ready, Stalwart
# serves the self-signed bootstrap cert and mail clients refuse the TLS
# handshake ("cannot verify account name or password" in Apple Mail).
#
# HTTP-01 works because Traefik owns :80 on the node and cert-manager's
# solver ingress answers /.well-known/acme-challenge for any Host.
#
# Apply by hand with the rest of the cert-manager layer (see RUNBOOK):
# kubectl apply -f mail-certificate.yaml
apiVersion: v1
kind: Namespace
metadata:
name: mail
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: mail-dezky-eu
namespace: mail
spec:
secretName: mail-tls
dnsNames:
- mail.dezky.eu
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
Reference in New Issue View Git Blame Copy Permalink