From 6c18f69cf24db8b537e7266aaa4dba2bf4e73109 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Mon, 1 Jun 2026 15:55:38 -0500
Subject: [PATCH] mail: remove cert-manager Certificate (manage mail-tls via step-ca JWK + noc1 renew timer)

step-ca-acme only has an HTTP-01 (Traefik) solver, but mail.iamworkin.lan must resolve to the dedicated MetalLB IP 10.0.56.202 (SMTP/IMAP), so HTTP-01 cannot validate (order stuck pending since 2026-05-06; cert expired 2026-05-24). mail-tls is now issued from step-ca's JWK 'admin' provisioner and auto-renewed by a systemd timer on noc1 that writes the mail-tls secret directly. The secret + Deployment mount + webmail IngressRoute are unchanged. Re-add a Certificate only if a DNS-01 solver is deployed for step-ca-acme.

Co-Authored-By: Claude Opus 4.8
---
 apps/mail/mail.yaml | 21 +++++++-------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/apps/mail/mail.yaml b/apps/mail/mail.yaml
index 150f625..b02f31c 100644
--- a/apps/mail/mail.yaml
+++ b/apps/mail/mail.yaml
@@ -207,20 +207,13 @@ spec:
     - port: 993
       targetPort: 993
       name: imaps
----
-# TLS Certificate via cert-manager
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: mail-tls
-  namespace: mail
-spec:
-  secretName: mail-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - mail.iamworkin.lan
+# --- mail-tls Certificate REMOVED 2026-06-01 ---
+# mail-tls is now managed OUTSIDE cert-manager: issued from step-ca's JWK 'admin'
+# provisioner and auto-renewed by a systemd timer on noc1 (step ca renew), which
+# writes the mail-tls secret directly. step-ca-acme only has an HTTP-01 (Traefik)
+# solver, but mail.iamworkin.lan must resolve to the dedicated MetalLB IP 10.0.56.202
+# (SMTP/IMAP), so HTTP-01 cannot validate. Do NOT re-add a cert-manager Certificate
+# here unless a DNS-01 solver is deployed for step-ca-acme.
 ---
 # Traefik IngressRoute - Webmail placeholder
 apiVersion: traefik.io/v1alpha1
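Review bot: The replacement comment states the mail-tls secret is unchanged, but deleting the Certificate object lets cert-manager garbage-collect the Secret it issued when the controller runs with `--enable-certificate-owner-ref`, which would leave the Deployment mount and the webmail IngressRoute without a cert until the noc1 timer next fires; confirm that flag is off, or that the timer has already re-written the secret, before this is applied. Because renewal now happens from a host outside the cluster, the credential noc1 uses to write the secret should be a Role/RoleBinding scoped to `secrets` named `mail-tls` in namespace `mail` rather than a cluster-admin kubeconfig, and the expiry/ready signal cert-manager exposed for this certificate is gone, so an expiry check on the secret (or on the timer's journal) is needed to catch a silently failing renewal. The comment should also name the unit that now owns the lifecycle so the next operator can find it, e.g. `# Renewal: <noc1 systemd timer name> on noc1 — see <path to unit file> (placeholder)`. The Service whose ports form the leading context and the IngressRoute in the trailing context both extend outside the hunk.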