feat: support externally managed TLS via tls_external_cert_and_key option #860
| ) | ||
| def get_tls_deployer(config, mail_domain): |
High-level problem with this is that if you have a server with acmetool and want to reconfigure with an external certificate, acmetool does not get uninstalled.
I think what we need is not selecting one deployer, but to run all deployers with some option like enabled=... that tells the deployer whether it should deploy or un-deploy the acme or tls-cert-reload services.
This is addressed in the separate #869 (the first commit; the second does some follow-up refactoring).
All other review comments were fixed in the branch here.
| domain: staging-ipv4.testrun.org | ||
| secrets: | ||
| STAGING_SSH_KEY: ${{ secrets.STAGING_SSH_KEY }} | ||
Didn't want to further debug the workflow. Thorough TLS-mode testing is better done when we have more flexible provisioning of VPS and DNS for PRs.
| @@ -381,10 +381,12 @@ def iter_output(self, logcmd=""): | |||
| while 1: | |||
| line = self.popen.stdout.readline() | |||
| res = line.decode().strip().lower() | |||
| if res: | |||
| yield res | |||
| else: | |||
| if not res: | |||
| break | |||
| if ready is not None: | |||
| ready() | |||
| ready = None | |||
| yield res | |||
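Review bot: the new lines use a variable named ready, but the signature in the hunk header still reads def iter_output(self, logcmd=""), so whatever supplies it (a new parameter or a closure variable) is outside the visible lines; please confirm it is added with a None default and gets a short docstring line, since this callback is the whole point of the fix. Two behaviours deserve a comment in the code: ready() runs once, after the first line has been read and before it is yielded, so a caller that waits on it knows the log stream is live before it triggers the message send; and if readline() returns empty before any line arrives, the loop breaks and ready() is never called, so a caller blocking on it would time out rather than fail fast. Note also that because res is stripped, "if not res: break" treats a blank output line the same as EOF; that is pre-existing behaviour but worth stating next to the new code.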
This is a test fix on the side for a flaky test; it took me a while to figure out. There are concurrency issues between getting log lines and triggering the send message. I think this is now reliable.
| server via SCP, runs ``cmdeploy run``, and then probes all TLS-enabled | ||
| ports (nginx, postfix, dovecot) to verify the certificate is actually | ||
| served. After probing, checks remote service logs for errors. | ||
This test is only run manually and is partially machine-generated.
j4n left a comment
Testing some more, it looks good, though there is one problem: the oneshot trigger reload fails on fresh deploys, as the services are not running yet.
| ) | ||
| # Trigger the oneshot service so services pick up the current cert. | ||
| # The path unit handles future changes via inotify. | ||
| systemd.service( |
On a fresh deploy (or Docker container start), those services aren't running yet, so the reload fails. We can probably just remove this, as dovecot/nginx read the cert on startup, and the .path watcher handles live cert changes via inotify.
One caveat turned up: inotify doesn't cross bind-mount boundaries, and if certificates are modified outside of the container, the reload must be triggered explicitly.
j4n left a comment
Since it's a simple removal of the system reload section, I guess I should still approve.
…tion Adds a new tls_external_cert_and_key config option for chatmail servers that manage their own TLS certificates (e.g. via an external ACME client or a load balancer). A systemd path unit (tls-cert-reload.path) watches the certificate file via inotify and automatically reloads dovecot and nginx when it changes. Postfix reads certs per TLS handshake, so it needs no reload. Also extracts openssl_selfsigned_args() so cert generation parameters are shared between SelfSignedTlsDeployer and the e2e test.
…ded if we can run it from workflows
Add tls_external_cert_and_key config option for chatmail servers that manage their own TLS certificates outside of ACME. When set, the deployer verifies the cert and key files exist on the server and installs a systemd path unit that watches the certificate via inotify — when it changes, dovecot and nginx are automatically reloaded (postfix reads certs per handshake, so it needs no reload). Includes unit tests, an e2e test script, docs, and a CI workflow.
This is based on the prior work on self-signed TLS certs in #855.
This PR replaces and closes #662.
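The externally managed TLS setup outlined in the description, worked through as an added example that is not cmdeploy's own code: a pre-deploy check that the cert and key exist, that the key is not group/world readable and that the two actually load as a pair, plus the inotify path unit and the oneshot it triggers. The function names, the unit file contents and the use of systemctl try-reload-or-restart (which does nothing for units that are not running, which is the fresh-deploy failure discussed in the review) are assumptions, not what the PR ships.

```python
"""Externally managed TLS for a chatmail relay: pre-deploy checks plus the
inotify-driven reload units. Added example, not cmdeploy's own code."""
import os
import ssl

# postfix re-reads its certificate per TLS handshake, so only these need a reload
RELOAD_UNITS = "dovecot nginx"


def check_external_tls(cert_path: str, key_path: str) -> list[str]:
    """Return the problems found with the cert/key pair; empty means usable."""
    problems = []
    for label, path in (("cert", cert_path), ("key", key_path)):
        if not os.path.isfile(path):
            problems.append(f"{label} file missing: {path}")
    if problems:
        return problems
    # the private key must not be readable by group or others
    others = os.stat(key_path).st_mode & 0o077
    if others:
        problems.append(f"key {key_path} is readable by others (mode {others:03o})")
    # load_cert_chain rejects a malformed PEM or a key that does not match the
    # certificate, which a plain existence check would miss
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert_path, key_path)
    except ssl.SSLError as exc:
        problems.append(f"cert and key do not load as a pair: {exc.reason or exc}")
    return problems


def render_reload_units(cert_path: str) -> dict[str, str]:
    """systemd path unit watching the certificate via inotify, and the oneshot it
    triggers. try-reload-or-restart does nothing for units that are not running,
    so a fresh deploy where dovecot/nginx have not started yet does not fail.
    inotify does not fire for writes from outside a bind mount; in that case run
    `systemctl start tls-cert-reload.service` explicitly (assumed unit names)."""
    path_unit = f"""[Unit]
Description=Watch the TLS certificate for changes
[Path]
PathChanged={cert_path}
Unit=tls-cert-reload.service
[Install]
WantedBy=multi-user.target
"""
    service_unit = f"""[Unit]
Description=Reload TLS consumers after a certificate change
[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl try-reload-or-restart {RELOAD_UNITS}
"""
    return {"tls-cert-reload.path": path_unit, "tls-cert-reload.service": service_unit}
```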