Mailcow-dockerized: Letsencrypt Certificate can not be renewing or validated

TEST

root@mail:/opt/mailcow-dockerized# docker-compose exec acme-mailcow curl -4 http://${MAILCOW_HOSTNAME}/.well-known/acme-challenge/1 --write-out %{http_code}
curl: (7) Failed to connect to mail.ebinaria.com.ar port 80: Connection refused

Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
SKIP_LETS_ENCRYPT=n'

Skip IPv4 check in ACME container - y/n
SKIP_IP_CHECK=n

which OS ?

It is running on Debian 8.5.2

Thanks in advance

did you notice

you have to run a specific kernel

and use the docker-ce version (not the debian one) ?
https://docs.docker.com/install/linux/docker-ce/debian/

My kernel version is 4.9.0 and my docker-ce is 18.06.0. What do you recommend?

what change in the last since the last certificate query ?

did you change something in your DNS ?

do you use IPv6 ?

Ich hab das selbe problem. die innstallation ist älter als 6Monate und vor 3 Monate hat das erneuern noch geklappt, jetzt bekomme ich diese Meldung:

1.4.2019, 22:17:08 | Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
-- | --
11.4.2019, 22:17:08 | Cannot validate hostnames, skipping Let's Encrypt for 1 hour.
11.4.2019, 22:17:08 | Confirmed AAAA record , but HTTP validation failed
11.4.2019, 22:17:08 | Found AAAA record for - skipping A record check
11.4.2019, 22:17:07 | Confirmed AAAA record , but HTTP validation failed
11.4.2019, 22:17:07 | Found AAAA record for - skipping A record check
11.4.2019, 22:17:07 | Confirmed AAAA record , but HTTP validation failed
11.4.2019, 22:17:07 | Found AAAA record for - skipping A record check
11.4.2019, 22:17:07 | Confirmed AAAA record , but HTTP validation failed
11.4.2019, 22:17:07 | Found AAAA record for - skipping A record check
11.4.2019, 22:17:07 | Confirmed AAAA record , but HTTP validation failed
11.4.2019, 22:17:07 | Found AAAA record for - skipping A record check
11.4.2019, 22:17:07 | Confirmed AAAA record , but HTTP validation failed
11.4.2019, 22:17:07 | Found AAAA record for - skipping A record check
11.4.2019, 22:17:07 | Confirmed AAAA record , but HTTP validation failed
11.4.2019, 22:17:07 | Found AAAA record for - skipping A record check
11.4.2019, 22:17:07 | Confirmed AAAA record , but HTTP validation failed
11.4.2019, 22:17:07 | Found AAAA record for - skipping A record check
11.4.2019, 22:17:07 | Confirmed AAAA record , but HTTP validation failed
11.4.2019, 22:17:07 | Found AAAA record for - skipping A record check
11.4.2019, 22:17:06 | OK
11.4.2019, 22:17:05 | Detecting IP addresses...
11.4.2019, 22:17:05 | Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
11.4.2019, 22:17:05 | Using existing domain key /var/lib/acme/acme/key.pem
11.4.2019, 22:17:05 | Initializing, please wait...
11.4.2019, 22:17:05 | OK
11.4.2019, 22:17:00 | Waiting for domain table...
11.4.2019, 22:17:00 | OK
11.4.2019, 22:17:00 | Waiting for Nginx...
11.4.2019, 22:17:00 | OK

Ich hab keine Konfig verändert.
Min Root Server hat so woll Statische Ipv4 als auch Ipv6.

Gruss Conan

@Conan179 try to hardcode your principal hostname inside ACME container in /etc/host pointing to private IP 172.xxx.xxx. ...and comment us your results.

Regards

Und wie mache ich das?

Mein problem ist offiziell gelöst.
Und zwar hatte ich Mailcow auf meine IPv4 addresse gebound, aber der ACME client will unbedingt ipv6 machen, oben in meinem Post ist der Hinweis versteckt, im log steht nämlich nur

Found AAAA record for - skipping A record check
Confirmed AAAA record , but HTTP validation failed

Nicht einmal A record, hab das bounding raus genommen und neugestartet und es wurde sofort einen neues Zert angefordert, hat es bekommen und gleich innstalliert.

I've had the same issue.
The ACME Container could not connect to the external nginx address in order to use HTTP Verification.
Only after adding the private IP of the nginx Container to the /etc/hosts of the ACME Container could the Verification be done.
Should there be a iptables rule in place or something?

It should be able to do that, other things will fail if it cannot connect from the Docker bridge to the external interface, so you should fix it.

firewalld/ufw is not supported by mailcow. You can use it, but you need to configure it on your own, as it belongs to your own network. Same applies to any custom iptables ruleset.

@andryyy eine frage, warum ruft der ACME nur noch ipv6 ab?

ACME bevorzugt immer AAAA, wenn es im DNS existiert.

ok, ipv6 wird bevorzugt, aber warum nimmt ACME dann nicht den A als Fallback? Ich hab meine Innstallation seid ca. Juli 18 und das ipv4 bind schon länger drin, er muss es also früher mal gemacht haben.

Das macht es einfach nicht. :) Das kommt zudem von Lets Encrypt selber, da haben wir keinen Einfluss drauf.

Wenn der AAAA im DNS steht, möchte er ihn auch verwenden.

I had the same issue that it cannot validate hostnames.
I've iptables running with some strict rules.

To fix it i had to add the iprange of docker to the INPUT chain to accept port 80.
Example (where 172.20.1.0/24 is the docker ip range):
iptables -A INPUT -p tcp -s 172.20.1.0/24 --dport 80 -j ACCEPT

I think you can use -I br-mailcow as in-source, too.

Thanks for your report, @dvzunderd ! Your fix would not work for the DNS check though. Better allow the bridge access to the public interface. It is your public interface after all. Why would you exclude mailcow from access to itself. :-)

@andryyy, Was not activly blocking mailcow. But this should have been picked up by the docker rules for port 80. Don't know why it does not pick. This solved the issue.

It is not the solution for the DNS but i had the same logging as the initial poster so this could help with his issue (if the same).

I think you can use -I br-mailcow as in-source, too.

Thanks for your report, @dvzunderd ! Your fix would not work for the DNS check though. Better allow the bridge access to the public interface. It is your public interface after all. Why would you exclude mailcow from access to itself. :-)

@andryyy I'm facing this issue too, what's the workaround for this? iptables -I br-mailcow ?
I am double checking so I won't make any troubles

@molaga I did some testing on my own machine and the iptables -I br-mailcow did not fix the issue for me.
What i did to fix it was the following:
First you need to find out what the ip range is with:
ip route | grep br-mailcow

This would give the ip range used by br-mailcow like this:
172.20.1.0/24 dev br-mailcow proto kernel scope link src 172.22.1.1

Now use that range to add it to iptables:
iptables -A INPUT -p tcp -s 172.20.1.0/24 --dport 80 -j ACCEPT

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Since the last time i've updated, i have the same issue.

docker-compose exec acme-mailcow curl -4 http://mail.example.org/.well-known/acme-challenge/1 --write-out %{http_code}
results in curl: (7) Failed to connect to mail.example.org port 80: Connection refused

when i ping mail.example.org i get my internal ip 10.10.10.50
docker-compose exec acme-mailcow curl -4 http://10.10.10.50/.well-known/acme-challenge/1 --write-out %{http_code}
results in 200

i dont know why this is

mail.example.org has a public dns entry which is not reachable from mailcow server itself, but as it resolves locally into it's own ip, this shouldn't matter, right?

We don't change your network with our updates. :o This probably never worked, when unbound-mailcow was not able to resolve that name.

You can disable the checks in mailcow.conf (http verification and ip checks).

It worked for over a year...

If i disable the check and rerun source mailcow.conf & curl, it's still the same error.

Did you implement any external dns resolver in acme-mailcow?

Check the last commits. :) We use our own resolver since forever.

So, any idea how to debug that? If I create data/web/.well-known/acme-challenge/1 and open it from an external network/pc, it works just fine, so acme server should be able to read everything just fine.

As I said, it worked for over a year and I didn't do any changes but updating mailcow ...

No, we didn't change anything. We added verification checks. Just disable those checks in mailcow.conf if they don't work with your setup.

I've set SKIP_IP_CHECK=y yesterday, that's the only option I could find.

There should be a HTTP verification option. :)

Okay I'll try. But why is that option in the solr section? ^^

It will be appended with an update. So new options will always be found at the bottom.

Am 12.08.2019 um 14:15 schrieb lug-gh notifications@github.com:

Okay I'll try. But why is that option in the solr section? ^^

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

There should be a HTTP verification option. :)

That indeed worked. Thanks ;)