Hello,
After installing mailcow-dockerized, it cannot get SSL. I have disabled all firewalls.
# docker-compose logs acme-mailcow
acme-mailcow_1 | Found A record for mail.xxx.de: 5.xx.xx.xx
acme-mailcow_1 | Confirmed A record mail.xxx.de
acme-mailcow_1 | acme-client: /var/lib/acme/acme/private/account.key: account key exists (not creating)
acme-mailcow_1 | acme-client: /var/lib/acme/acme/private/privkey.pem: domain key exists (not creating)
acme-mailcow_1 | acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-mailcow_1 | acme-client: acme-v01.api.letsencrypt.org: DNS: 23.38.4.37
acme-mailcow_1 | acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:e8:281::3d5
acme-mailcow_1 | acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:e8:295::3d5
acme-mailcow_1 | acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: mail.xxx.de
acme-mailcow_1 | acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad HTTP: 403
acme-mailcow_1 | acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "No registration exists matching provided key", "status": 403 }] (120 bytes)
acme-mailcow_1 | acme-client: bad exit: netproc(37): 1
acme-mailcow_1 | Verified hashes.
I have tried restarting the docker service a few times and deleted all containers and volumes, but it doesn't work.
=====
"docker-compose exec acme-mailcow curl -4s mailcow.email/ip.php" shows:
ERROR: No container found for acme-mailcow_1
but "curl mailcow.email/ip.php" shows my public IP correctly.
Thank you.
I don't know the reason, but it works with the following steps. Because of IPv6?
After doing these, re-install mailcow-dockerized and it can get the SSL certificate successfully.
The solution for me was to delete the existing private keys:
rm data/assets/ssl/acme/private/*
Then :
docker-compose up -d
I have this problem, too. Deleting the private keys doesn't solve the issue. Switching IPv6 off isn't an option.
acme-mailcow_1 | Verified hashes.
acme-mailcow_1 | No A record for autoconfig.oechermail.de found
acme-mailcow_1 | Found A record for autodiscover.oechermail.de: <<my_public_ip>>
acme-mailcow_1 | Confirmed A record autodiscover.oechermail.de
acme-mailcow_1 | Found A record for vm005.<<my_domain_name>>: <<my_public_ip>>
acme-mailcow_1 | Confirmed A record vm005.<<my_domain_name>>
acme-mailcow_1 | Found A record for vm005.<<my_domain_name>>: <<my_public_ip>>
acme-mailcow_1 | Confirmed A record vm005.<<my_domain_name>>
acme-mailcow_1 | acme-client: /var/lib/acme/acme/private/account.key: account key exists (not creating)
acme-mailcow_1 | acme-client: /var/lib/acme/acme/private/privkey.pem: domain key exists (not creating)
acme-mailcow_1 | acme-client: adding SAN: vm005.<<my_domain_name>>
acme-mailcow_1 | acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-mailcow_1 | acme-client: acme-v01.api.letsencrypt.org: DNS: 23.77.231.123
acme-mailcow_1 | acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:ce:19a::3d5
acme-mailcow_1 | acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:ce:194::3d5
acme-mailcow_1 | acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: autodiscover.oechermail.de
acme-mailcow_1 | acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: vm005.<<my_domain_name>>
acme-mailcow_1 | acme-client: /var/www/acme/qhSNDqfXTdxElwx5TrV8PmaUQbvCyFg1SyUQyDRX8AE: created
acme-mailcow_1 | acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/3MFST3vmF3WpyOTTLjJqY4nORtCj12ajeZtafDYUOhg/1968210973: challenge
acme-mailcow_1 | acme-client: /var/www/acme/vGiVKq0qJ9Llp7_1jl6uKTdkGDO7vp799hps3s6SGeA: created
acme-mailcow_1 | acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/70snqSp4fdQuZ2JNKz6M43SVVDaSL_70-Gc_4tMsDRY/1968211052: challenge
acme-mailcow_1 | acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/3MFST3vmF3WpyOTTLjJqY4nORtCj12ajeZtafDYUOhg/1968210973: status
acme-mailcow_1 | acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/3MFST3vmF3WpyOTTLjJqY4nORtCj12ajeZtafDYUOhg/1968210973: bad response
acme-mailcow_1 | acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:connection", "detail": "Fetching http://autodiscover.oechermail.de/.well-known/acme-challenge/qhSNDqfXTdxElwx5TrV8PmaUQbvCyFg1SyUQyDRX8AE: Timeout", "status": 400 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/3MFST3vmF3WpyOTTLjJqY4nORtCj12ajeZtafDYUOhg/1968210973", "token": "qhSNDqfXTdxElwx5TrV8PmaUQbvCyFg1SyUQyDRX8AE", "keyAuthorization": "qhSNDqfXTdxElwx5TrV8PmaUQbvCyFg1SyUQyDRX8AE.mYodNjmH3QiQjnkfC-1ssN43hO9DT-3ZAPX0BL1Q6Mg", "validationRecord": [ { "url": "http://autodiscover.oechermail.de/.well-known/acme-challenge/qhSNDqfXTdxElwx5TrV8PmaUQbvCyFg1SyUQyDRX8AE", "hostname": "autodiscover.oechermail.de", "port": "80", "addressesResolved": [ "<<my_public_ip>>", "<<my_public_v6>>" ], "addressUsed": "<<my_public_v6>>", "addressesTried": [] } ] }] (967 bytes)
acme-mailcow_1 | acme-client: bad exit: netproc(57): 1
acme-mailcow_1 | Verified hashes.
mailcowdockerized_acme-mailcow_1 exited with code 1
It looks like my problem is different. The challenge file just isn't there. The folder "acme-challenge" is simply empty. Any help would be appreciated.
Same here. I've tried this with a clean Docker and mailcow with no reverse proxies. The challenge folder stays empty and I get this every time:
acme-client: bad exit: netproc(##): 1
Looking at the logs, it reports all challenges being created, but there's no sign of them. IPv6 on/off makes no difference.
I've tried to install this out of the box and it always fails. I can easily make Let's Encrypt certs using alternative methods on the same Docker system, so I know the DNS situation is OK.
Help please :( I really want to move away from Axigen, but this is giving me a headache!
In my case, most of the time there were connectivity issues with IPv6, or sometimes port filter / iptables issues. If you get timeout messages, the probability is quite high that you have the same cause.
Check central or personal firewalls. Test via remote hosts (nmap) without going through VPN tunnels that may bypass those filters...
Here's my procedure and some notes:
preflight checklist:
tests:
outcome:
mat
The most important part is missing: logs. :-)
You disabled all IPv6 stuff, did you delete AAAA records, too?
The firewall is strictly IPv4. I have disabled IPv6 in the mailcow-unbound conf. There are no AAAA records anywhere to delete. I've flushed and removed DNS everywhere. :(
I just tried it again this morning... the last lines from the acme client are as follows:
acme-client: acme-v01.api.letsencrypt.org: DNS: 104.82.226.125
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:13b:38b::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:13b:3a3::3d5
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: mail.####.co.uk
acme-client: /var/www/acme/lBAZSxp0PK-qJtxwmLMcwZIgsz7666GeOKiQEXZJEEw: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/Fv6ghEBNlH1AziCYZ2pbqSM3RQvmKKT7lnEslj-9NIg/2352218537: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/Fv6ghEBNlH1AziCYZ2pbqSM3RQvmKKT7lnEslj-9NIg/2352218537: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/Fv6ghEBNlH1AziCYZ2pbqSM3RQvmKKT7lnEslj-9NIg/2352218537: bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid response from http://mail.####.co.uk/.well-known/acme-challenge/lBAZSxp0PK-qJtxwmLMcwZIgsz7666GeOKiQEXZJEEw: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"", "status": 403 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Fv6ghEBNlH1AziCYZ2pbqSM3RQvmKKT7lnEslj-9NIg/2352218537", "token": "lBAZSxp0PK-qJtxwmLMcwZIgsz7666GeOKiQEXZJEEw", "keyAuthorization": "lBAZSxp0PK-qJtxwmLMcwZIgsz7666GeOKiQEXZJEEw.O0QtHzjBGvMNJ6k2Wdh6l8J2UHgyK3dqDVZAfJD2BRU", "validationRecord": [ { "url": "http://mail.####.co.uk/.well-known/acme-challenge/lBAZSxp0PK-qJtxwmLMcwZIgsz7666GeOKiQEXZJEEw", "hostname": "mail.####.co.uk", "port": "80", "addressesResolved": [ "#.#.#.#" ], "addressUsed": "#.#.#.#", "addressesTried": [] } ] }] (1155 bytes)
acme-client: bad exit: netproc(67): 1
Tue Oct 31 08:33:24 UTC 2017 - Verified hashes.
Tue Oct 31 08:33:24 UTC 2017 - Retrying in 30 minutes...
Please try to access http://mail.####.co.uk/ from outside of your network and see if you get something.
It says "not found" in your logs, so it is probably a reverse proxy misconfiguration.
I have the same issue. It seems that the challenges were successful, but in the end:
acme-mailcow_1 | acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-mailcow_1 | acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 500
acme-mailcow_1 | acme-client: transfer buffer: [{ "type": "urn:acme:error:serverInternal", "detail": "Error creating new cert", "status": 500 }] (101 bytes)
acme-mailcow_1 | acme-client: bad exit: netproc(4100): 1
acme-mailcow_1 | Wed Apr 11 11:30:55 UTC 2018 - Error requesting certificate, restoring from previous acme request and restarting containers...
It returns 500 for the API request, I think?
These were the last entries.
The entries before seemed fine.
Or is this a new issue? Is there something I could debug?
I assume it failed because of the number of domains I have.
When I added
and active = 1
to the domain query in docker-entrypoint.sh and started it manually, everything worked fine.
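The thread arrives at its diagnoses by reading the "transfer buffer" JSON by hand: a 403 "No registration exists matching provided key" is fixed by deleting the account key, a connection timeout with an IPv6 addressUsed points at v6 reachability or port filtering (mat's comment), a 404 on the challenge URL points at the webroot or reverse proxy (the reply above about testing from outside), and the serverInternal 500 at new-cert went away once the SAN list was cut down to active domains. The script below is an added example, not mailcow's own code and not part of any comment in this thread: it decodes those JSON lines from the acme-mailcow log and maps each entry to the probable cause and the external check to run next. The sample log is constructed from the output quoted in this thread, with hostnames, addresses and tokens replaced by documentation values; the cause labels, the `classify`/`triage` function names and the wording of the checks are this example's own.

```python
"""Triage acme-client failures from the acme-mailcow container log.

Added example, not mailcow's own code. Cause labels and names are its own.
"""
import ipaddress
import json
import re

# acme-client prints the CA's JSON after "transfer buffer:" followed by a
# byte count in parentheses; everything between is a JSON array.
_BUFFER_RE = re.compile(r"transfer buffer: (\[.*\]) \(\d+ bytes\)\s*$")
CHALLENGE_PATH = "/.well-known/acme-challenge/"

# Constructed sample log, derived from the failures quoted in this thread
# (hostnames, addresses and tokens replaced with documentation values).
SAMPLE_LOG = [
    'acme-mailcow_1 | acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad HTTP: 403',
    'acme-mailcow_1 | acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", '
    '"detail": "No registration exists matching provided key", "status": 403 }] (120 bytes)',
    'acme-mailcow_1 | acme-client: bad exit: netproc(37): 1',
    'acme-mailcow_1 | acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", '
    '"error": { "type": "urn:acme:error:connection", "detail": "Fetching '
    'http://autodiscover.example.org/.well-known/acme-challenge/TOKEN1: Timeout", "status": 400 }, '
    '"token": "TOKEN1", "validationRecord": [ { "hostname": "autodiscover.example.org", "port": "80", '
    '"addressesResolved": [ "192.0.2.10", "2001:db8::10" ], "addressUsed": "2001:db8::10", '
    '"addressesTried": [] } ] }] (967 bytes)',
    r'acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", '
    r'"error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid response from '
    r'http://mail.example.org/.well-known/acme-challenge/TOKEN2: \"\u003chtml\u003e404 Not Found\u003c/html\u003e\"", '
    r'"status": 403 }, "token": "TOKEN2", "validationRecord": [ { "hostname": "mail.example.org", '
    r'"port": "80", "addressesResolved": [ "192.0.2.10" ], "addressUsed": "192.0.2.10", '
    r'"addressesTried": [] } ] }] (1155 bytes)',
    'acme-mailcow_1 | acme-client: transfer buffer: [{ "type": "urn:acme:error:serverInternal", '
    '"detail": "Error creating new cert", "status": 500 }] (101 bytes)',
]


def parse_transfer_buffer(line):
    """Return the decoded JSON array from a 'transfer buffer' line, else None."""
    m = _BUFFER_RE.search(line)
    if not m:
        return None
    try:
        return json.loads(m.group(1))
    except json.JSONDecodeError:
        return None


def classify(entry):
    """Map one decoded entry (a bare error or a failed challenge) to a cause."""
    err = entry.get("error", entry)          # challenge objects nest the error
    etype = err.get("type", "")
    detail = err.get("detail", "")
    record = (entry.get("validationRecord") or [{}])[0]
    used = record.get("addressUsed")
    used_ipv6 = used is not None and ipaddress.ip_address(used).version == 6
    host = record.get("hostname", "<host>")
    url = f"http://{host}{CHALLENGE_PATH}<token>"

    if etype.endswith(":unauthorized") and "No registration" in detail:
        cause = "stale-account-key"
        check = "rm data/assets/ssl/acme/private/* and restart acme-mailcow"
    elif etype.endswith(":connection") and "Timeout" in detail:
        if used_ipv6:
            cause = "ipv6-unreachable"
            check = (f"the CA used {used}: from an external host run curl -6 {url}; "
                     "open port 80 over v6 or drop the AAAA record")
        else:
            cause = "port-80-filtered"
            check = f"from an external host run nmap -p 80 {host} and curl -4 {url}"
    elif etype.endswith(":unauthorized") and "404 Not Found" in detail:
        cause = "webroot-or-proxy-misconfig"
        check = (f"port 80 answers but not from the acme webroot: curl -i {url} "
                 "and inspect the reverse proxy / vhost serving that path")
    elif etype.endswith(":serverInternal"):
        cause = "ca-side-failure"
        check = "CA failed at new-cert: retry later and reduce the SAN list to active domains"
    else:
        cause = "unknown"
        check = "read the detail field"
    return {"error_type": etype, "status": err.get("status"), "address_used": used,
            "used_ipv6": used_ipv6, "cause": cause, "check": check}


def triage(log_lines):
    """Classify every 'transfer buffer' entry in the log; other lines are skipped."""
    findings = []
    for line in log_lines:
        for entry in parse_transfer_buffer(line) or []:
            findings.append(classify(entry))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['cause']:28} status={f['status']} used={f['address_used']}")
        print(f"    -> {f['check']}")
```

Feed it the real output of `docker-compose logs acme-mailcow` (for example `triage(open("acme.log").read().splitlines())`) and it will pick out only the lines carrying a CA response. The `addressUsed` field is the one to look at first: when the CA resolved both A and AAAA records it validates over IPv6, so a timeout there means port 80 is not reachable over v6 from the Internet even if every v4 test passes.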