journal(2): mailu Q4.9 deeper recon — certdumper/ACME TLS friction; start with TLS_FLAVOR=notls

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-29 20:57:39 +01:00
parent 594f2d3389
commit 3ab04cd07a

@ -1078,3 +1078,22 @@ Hold the deploy until the Adversary's mumble cold-verify frees the single node.
- recipe_meta: DEPLOY_TIMEOUT generous (multi-service); confirm version tags for the upgrade tier.
- Build next iteration (fresh context): scaffold tests/mailu/, smoke deploy install,custom to find
the exact `flask mailu` invocation + health path + mail-port reachability, then add §4.3 tests.
## 2026-05-29 — mailu (Q4.9) deeper recon: TLS/certdumper friction noted
- Services: `app`=ghcr.io/mailu/nginx (the front/web+mail proxy), `db`=redis:8.0.3-alpine (redis, NOT
a SQL DB — mailu admin uses sqlite at /data inside the admin container), `admin`=ghcr.io/mailu/admin
(mgmt API + `flask mailu` CLI), imap(dovecot), smtp(postfix), antispam(rspamd), webmail, **certdumper**
(ldez/traefik-certs-dumper). All images PULLABLE (ghcr.io/mailu/* + redis + ldez). NO backupbot → P4 N/A.
- **FRICTION (cc-ci-specific): certdumper expects traefik's ACME acme.json** (it dumps certs from
traefik_letsencrypt volume for the mail ports' TLS). cc-ci uses a FILE-PROVIDER wildcard cert, NOT
ACME (Class-A1, ACME forbidden) → no acme.json → certdumper likely never converges → services_converged
False → install "fails". MITIGATION to try: set TLS_FLAVOR (mailu env) to `notls` (disables mail TLS,
no cert needed) or `mail-letsencrypt`→ avoid; OR drop certdumper from COMPOSE_FILE if the recipe allows;
OR provide the cc-ci wildcard cert files to mailu's expected path. Smoke deploy will reveal whether
certdumper blocks convergence; START with TLS_FLAVOR=notls in EXTRA_ENV. The web/admin HTTP path
(traefik file-provider wildcard) works regardless; functional create-mailbox is via the admin CLI
(no mail-TLS needed). SMTP/IMAP send-receive distinctive test may need TLS_FLAVOR handled.
- Versions: 1.1.0/1.1.1/2.0.0/3.0.0/3.0.1; prev=3.0.0+2024.06.27 → head 3.0.1+2024.06.37 (real upgrade).
- Build approach: EXTRA_ENV callable(domain)→{MAIL_DOMAIN:domain, HOSTNAMES:domain, TRAEFIK_STACK_NAME:
"traefik_ci_commoninternet_net", SITENAME:"ccci", POSTMASTER:"admin", TLS_FLAVOR:"notls"}. Smoke
install,custom first to confirm convergence (esp. certdumper) + find `flask mailu` syntax + health path.
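Review bot: The Build approach bullet puts TLS_FLAVOR:"notls" straight into the EXTRA_ENV dict, but the FRICTION bullet describes it only as the first mitigation to try and already notes that the SMTP/IMAP send-receive test "may need TLS_FLAVOR handled". With mail TLS disabled, that test would run over plaintext mail ports and say nothing about the TLS path, so mark notls here as a smoke-deploy-only setting and add a follow-up item for the third option (providing the cc-ci wildcard cert files), naming the TLS_FLAVOR value and the expected path once the smoke deploy has confirmed them. In the same bullet, "or `mail-letsencrypt`→ avoid" reads as a second mitigation until the last word; say outright that it is ruled out because ACME is forbidden. On the Versions line, "3.0.1+2024.06.37" is not a valid date stamp next to "3.0.0+2024.06.27"; check it against the recipe's tags before the upgrade tier depends on it.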