[GH-ISSUE #3771] webmail gives a blank page - Debian 13 and self signed certs #1900

Open
opened 2026-02-27 11:19:47 +03:00 by kerem · 9 comments
Owner

Originally created by @Zewwy on GitHub (Oct 26, 2025).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/3771

Impacted versions
OS Type: Debian
OS Version: 13
Database Type: PostgreSQL
Database version: 17.6 (Debian 17.6-0+deb13u1)
Modoboa: 2.6.1
installer used: Yes
Webserver: nginx/1.26.3 uwsgi/2.0.28-debian

Steps to reproduce
1. Install Debian 13
2. apt install git python3-venv python3-pip
3. clone installer
4. run installer
5. create domain + user account in admin portal
6. try to make use of integrated webmail interface

radicale/calendar is working

Current behavior
Trying to use webmail gives a blank page.
Web dev tools show a hang on:
Request URL: https://mail.domain.local/api/v2/webmail/mailboxes/
Request Method: GET
Status Code: 504 Gateway Timeout
Remote Address: REDACTED:443
Referrer Policy: strict-origin-when-cross-origin

Opening the path in a new tab shows:
Django REST framework
User Mailbox List

similar to this issue: https://github.com/modoboa/modoboa/issues/3583

User Mailbox List
GET /api/v2/webmail/mailboxes/
HTTP 401 Unauthorized
Allow: GET, POST, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
WWW-Authenticate: Bearer realm="api"

{
"detail": "Authentication credentials were not provided."
}

Expected behavior
Seeing a Webmail interface instead of a blank page


@tonioo commented on GitHub (Oct 28, 2025):

@Zewwy what kind of certificate do you use?


@Zewwy commented on GitHub (Oct 28, 2025):

self signed


@FutureCow commented on GitHub (Oct 28, 2025):

After a modoboa --upgrade my webmail also gives a blank page.

Got this error from dovecot: Mail dovecot[811]: auth(user@example.com,127.0.0.1,sasl:oauthbearer)<c9WejztCtMR/AAAB>: Error: oauthbearer: oauth2 failed: Introspection failed: No username returned

I use a Let's Encrypt certificate


@Spitfireap commented on GitHub (Oct 31, 2025):

> self signed

I'm able to reproduce the issue.
One main problem can arise:
`auth(test@test.local,127.0.0.1,sasl:oauthbearer)<+qv84npCRqR/AAAB>: Error: oauthbearer: oauth2 failed: Introspection failed: SSL handshaking with 127.0.0.1:443 failed: read(SSL (conn:127.0.0.1:443,id=1)) failed: Received invalid SSL certificate: self-signed certificate: /CN=mail.test.local (check ssl_client_ca_* settings?)`

--> For this we need to create a CA and generate a cert with it.

A secondary problem can arise before the first one, although dependent on user configuration of the host:
`auth(test@test.local,127.0.0.1,sasl:oauthbearer)<bMsoz3pCos5/AAAB>: Error: oauthbearer: oauth2 failed: Introspection failed: Failed to lookup host mail.test.local: Name or service not known`

--> Perhaps the installer should hardcode the `hostname` to 127.0.0.1 in host?

In either case, it ends in a timeout on the dovecot and nginx side:
`imap-login: Login aborted: Inactivity during authentication (client didn't finish SASL auth, 1 attempts in 180 secs) (auth_waiting_client): user=<>, method=OAUTHBEARER, rip=127.0.0.1, lip=127.0.0.1, secured, session=<bMsoz3pCos5/AAAB>`
--> Perhaps we get the issue instead of waiting for a 504...


@Spitfireap commented on GitHub (Oct 31, 2025):

> After a modoboa --upgrade my webmail also gives a blank page.
>
> Got this error from dovecot: Mail dovecot[811]: auth(user@example.com,127.0.0.1,sasl:oauthbearer)<c9WejztCtMR/AAAB>: Error: oauthbearer: oauth2 failed: Introspection failed: No username returned
>
> I use a Let Encrypt certificate

This seems to be another issue, if you can open a dedicated one please


@abcnorio commented on GitHub (Dec 10, 2025):

> --> For this we need to create a CA and generate a cert with it.

Does this mean one cannot run modoboa with a self-signed cert? I want to use it locally at home as a backup archive imap with postfix sender dependent relays (which basically works fine), access via imap client works, but not the web frontend, with the error already noted above:

`auth(test@test.local,127.0.0.1,sasl:oauthbearer)<+qv84npCRqR/AAAB>: Error: oauthbearer: oauth2 failed: Introspection failed: SSL handshaking with 127.0.0.1:443 failed: read(SSL (conn:127.0.0.1:443,id=1)) failed: Received invalid SSL certificate: self-signed certificate: /CN=mail.test.local (check ssl_client_ca_* settings?)`

Install is a fresh install via Debian 13.

At home naturally a Let's Encrypt cert does not work or make sense, but modoboa is not accessible from the outside here. So can I create my own CA + cert and it has to be added to nginx, postfix, dovecot? Or is there anything else to consider? As noted too, everything from the frontend works except *webmail*. No information to add, all relevant information is already noted here in the thread.

Thanks!


@abcnorio commented on GitHub (Dec 23, 2025):

The issue can be solved easily, no CA auth chain is required. It is sufficient to add

```
# https://doc.dovecot.org/2.4.0/core/config/ssl.html#client-connections
ssl_client_ca_file = /etc/ssl/certs/nginx-self-signed-ssl-cert.pem
```

to the ssl config of dovecot and restart dovecot. This assumes dovecot and the nginx/mail web frontend run on the same server. It is important to understand that at that point dovecot acts as a client and not as a server.


@Zewwy commented on GitHub (Feb 8, 2026):

> The issue can be solved easily, no CA auth chain is required. It is sufficient to add
>
> ```
> # https://doc.dovecot.org/2.4.0/core/config/ssl.html#client-connections
> ssl_client_ca_file = /etc/ssl/certs/nginx-self-signed-ssl-cert.pem
> ```
>
> to the ssl config of dovecot and restart dovecot. Assumed is dovecot and nginx/ mail webfrontend run on the same server. Important is to understand that at that point dovecot acts as a client and not as a server.

I'd need more context.. I tried what you suggested, I added ssl_client_ca_file = /etc/ssl/certs/mail.zewwy.ca.cert (after looking at what nginx was using), then restarted the dovecot service, but the webmail still loads blank for me... any chance you could provide a bit more clarity to this answer? I don't know what I missed...
After tinkering around some more, I was noticing the front end errors were all gone (dev tools in web browser were all showing 200), so, I'm assuming that the solution here did work as intended. I for some reason still felt it was a dovecot issue, since everything front end is fine, it probably is a likely silent fail on the backend. I used "journalctl -u dovecot -f" and it was nice enough to tell me that the domain it was installed under, mail.mail.zewwy.ca, was not found "aka a DNS issue", remembering that I myself ignored the warning at the beginning of the install script... I'll admit that was my bad, adding the required entry in the server's hosts file (since I was too lazy to point it to my actual internet DNS for the time being), sure enough the webmail finally loaded.

Long story short, the main issue seems to be what @abcnorio said, which will cause a blank page with the issue visible in the web browser dev tools. If you get a blank page and no errors in the front end dev tools, it's likely a backend issue (in my case bad DNS server pointer, and no proper host record), which can apparently also cause this issue. Thanks @abcnorio for the workaround.


@abcnorio commented on GitHub (Feb 8, 2026):

Yes - the DNS entry is important. Thus, a `hostname -f` is worth it to check first before anything else.
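
The checks this thread converges on (the name must resolve, and the certificate nginx serves must validate against the file given in `ssl_client_ca_file` and carry the right hostname), as an added example that is not part of the thread or the modoboa project. Function names, the demo hostname and the throwaway certificates are constructed for illustration; the `openssl` CLI is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example; function names, demo hostname and temp paths are assumptions.

# Does the name used for introspection resolve on the mail server itself?
# If not, dovecot logs "Failed to lookup host ...: Name or service not known".
host_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Would a TLS client that trusts only <ca_file> accept <server_cert>?
# -no-CApath keeps the system trust directory out so only <ca_file> counts.
cert_trusted_by() {    # usage: cert_trusted_by <ca_file> <server_cert>
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the certificate carry the hostname the client connects to?
# x509 -checkhost reports its result as text, so match on the output.
cert_matches_host() {  # usage: cert_matches_host <server_cert> <hostname>
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Constructed sample: a throwaway self-signed certificate like the one in the thread.
make_demo_cert() {     # usage: make_demo_cert <path_prefix> <hostname>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

demo() {
    local dir; dir=$(mktemp -d)
    make_demo_cert "$dir/nginx" mail.test.local
    make_demo_cert "$dir/other" other.test.local
    # A self-signed cert fails against any trust file that does not contain it...
    cert_trusted_by "$dir/other.pem" "$dir/nginx.pem" || echo "rejected: not in CA file"
    # ...and passes once the cert itself is the trust anchor (no CA chain needed).
    cert_trusted_by "$dir/nginx.pem" "$dir/nginx.pem" && echo "accepted: cert is its own anchor"
    cert_matches_host "$dir/nginx.pem" mail.test.local && echo "hostname matches"
    host_resolves "$(hostname -f)" || echo "fix /etc/hosts or DNS before anything else"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real host, pass the path from `ssl_client_ca_file` as `<ca_file>`, the certificate nginx serves as `<server_cert>`, and the output of `hostname -f` as the hostname.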
