Bug Report

Context

I am using traefik v2 as a proxy for all my applications running on my server and it handles automatic renewal of my certificate. The idea here was to mount that certificate into the docker-mailserver container and us it here too. I followed all the steps in the documentation, except for the fact that the two of them are not in the same network (traefik is not supposed to route to the mailserver anyways). The certificate is a wildcard certificate.

Behavior

Actual Behavior

The mailserver fails to load the certificates with the following warning:

warning: error loading private keys and certificates from: /etc/letsencrypt/live/syncup.de/key.pem /etc/letsencrypt/live/syncup.de/fullchain.pem: disabling TLS support

Expected Behavior

TSL should work without any errors.

Your Environment

available RAM: 8GB Docker version 19.03.6-rc1, build 77739a9875 docker-compose version 1.28.6, build 5db8d86f

docker-compose.yml

version: '3.8'

services:
  mailserver:
    image: docker.io/mailserver/docker-mailserver:latest
    hostname: ${HOSTNAME}
    domainname: ${DOMAINNAME}
    container_name: ${CONTAINER_NAME}
    env_file: mailserver.env
    ports:
      - "25:25"
      - "143:143"
      - "465:465"
      - "587:587"
      - "993:993"
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - maillogs:/var/log/mail
      - /etc/localtime:/etc/localtime:ro
      - ./config/:/tmp/docker-mailserver/${SELINUX_LABEL}
      - /home/traefik/acme.json:/etc/letsencrypt/acme.json:ro
    environment:
      SSL_TYPE: letsencrypt
      SSL_DOMAIN: "*.syncup.de"
    restart: always
    stop_grace_period: 1m
    cap_add: [ "NET_ADMIN", "SYS_PTRACE" ]

volumes:
  maildata:
  mailstate:
  maillogs:

Environment Variables

OVERRIDE_HOSTNAME=syncup.de
DMS_DEBUG=0
SUPERVISOR_LOGLEVEL=debug
ONE_DIR=0
SPOOF_PROTECTION=1
ENABLE_SRS=0
ENABLE_CLAMAV=0
ENABLE_AMAVIS=1
ENABLE_FAIL2BAN=0
POSTSCREEN_ACTION=enforce
SSL_TYPE=letsencrypt
REPORT_RECIPIENT=0
REPORT_INTERVAL=daily
POSTFIX_INET_PROTOCOLS=all
ENABLE_SPAMASSASSIN=0
SPAMASSASSIN_SPAM_TO_INBOX=1
MOVE_SPAM_TO_JUNK=1
SA_TAG=2.0
SA_TAG2=6.31
SA_KILL=6.31
SA_SPAM_SUBJECT=***SPAM*****
ENABLE_FETCHMAIL=0
FETCHMAIL_POLL=300
DOVECOT_MAILBOX_FORMAT=maildir
ENABLE_POSTGREY=0
POSTGREY_DELAY=300
POSTGREY_MAX_AGE=35
POSTGREY_TEXT=Delayed by Postgrey
POSTGREY_AUTO_WHITELIST_CLIENTS=5
ENABLE_SASLAUTHD=0
SRS_SENDER_CLASSES=envelope_sender
RELAY_PORT=25
SSL_DOMAIN=*.syncup.de
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Certificate validation:

Validation with docker exec mail openssl s_client
-connect 0.0.0.0:143
-starttls imap
-CApath /etc/ssl/certs/

Can't use SSL_get_servername
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.syncup.de
verify return:1
. OK Pre-login capabilities listed, post-login capabilities have more.
DONE
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.syncup.de
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
 2 s:CN = *.syncup.de
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 3 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
subject=CN = *.syncup.de

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6658 bytes and written 389 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---