Mailu: Letsencrypt Certificate Renewal

Created on 8 Feb 2020  ·  9 Comments  ·  Source: Mailu/Mailu

Hello,

Recently the certificate that I got during the installation process of Mailu expired. When I try to renew it, it fails, giving the error message that the verification process can't be completed.

My Nginx should not be the problem, since it reroutes "/" to Mailu (and Mailu reroutes "/.well-known" to port 8008).

Could you help with fixing this issue?
Kind regards, Merlyn


Most helpful comment

Hi There,

The Mailu-Project is currently in a bit of a bind! We are short on man-power, and we need to judge if it is possible for us to put in some work on this issue.

To help with that, we are currently trying to find out which issues are actively keeping users from using Mailu, which issues have someone who wants to work on them — and which issues may be less important. These less important ones could be discarded for the time being, until the project is in a more stable and regular state once again.

In order for us to better assess this, it would be helpful if you could put a reaction on this post (use the :smiley: icon to the top-right).

  • 👍️ if you need this to be able to use Mailu. Ideally, you’d also be able to test this on your installation, and provide feedback …
  • 🎉 if you find it a nice bonus, but no deal-breaker
  • 🚀 if you want to work on it yourself!

We want to keep this voting open for 2 weeks from now, so please help out!

All 9 comments

```
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.arcade-mc.com
http-01 challenge for mail.minerdu.de
Waiting for verification...
Challenge failed for domain mail.arcade-mc.com
Challenge failed for domain mail.minerdu.de
http-01 challenge for mail.arcade-mc.com
http-01 challenge for mail.minerdu.de
Cleaning up challenges
Attempting to renew cert (mailu) from /certs/letsencrypt/renewal/mailu.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /certs/letsencrypt/live/mailu/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /certs/letsencrypt/live/mailu/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /config.py
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mail.arcade-mc.com
   Type:   connection
   Detail: Fetching
   https://mail.arcade-mc.com/.well-known/acme-challenge/uajYSMQUd5w8wWjWgGI8YnZFWW-UtB7gbS1bCAGT59M:
   Error getting validation data

   Domain: mail.minerdu.de
   Type:   connection
   Detail: Fetching
   https://mail.minerdu.de/.well-known/acme-challenge/qWsiTZXiFhjYik9CO4hS_0CS-j0ZqpZS-VRYe6GtLkY:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
```

Could you provide some relevant logs, both from your nginx reverse proxy and Mailu front container?

Nginx mailu error log 1:

https://pastebin.com/fqp6Syax

Docker logs mailu_front_1:

https://pastebin.com/LTUBCQUL

Kind regards, Merlyn

@mesl hello, did you find a workaround for your issue ?

Yes I did. I generated the certificates outside Docker, but with the same config options described in your Python code somewhere in the container itself, then moved the certificates to the folder that the Docker volume is assigned to.

Got the same issue just now. Vanilla docker-compose deployment. I've changed the TLS flavor around 3 months ago, so this was the first time renewal was due since then.

On certificate refresh it seems Nginx is issuing wrong 301 redirects for .well-known:

```
front_1 | 2020/06/03 14:43:20 [info] 8#8: *45 client 62.194.106.15:56086 connected to 0.0.0.0:993
front_1 | 66.133.109.36 - - [03/Jun/2020:14:43:20 +0000] "GET /.well-known/acme-challenge/wxUyr3z4vBw-xJFZoTnnO2sRkJN4hVMdey7oThLoays HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1 | 34.222.229.130 - - [03/Jun/2020:14:43:20 +0000] "GET /.well-known/acme-challenge/nw8eLsrt_C9R6LAMdQJmA8ogkJ2n-KwcHaYZ8jSyehc HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1 | 66.133.109.36 - - [03/Jun/2020:14:43:20 +0000] "GET /.well-known/acme-challenge/--SX1WLBs21UxLyfzibjIPbqzKexNJEH2xpKHmWqNbw HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1 | 34.222.229.130 - - [03/Jun/2020:14:43:20 +0000] "GET /.well-known/acme-challenge/--SX1WLBs21UxLyfzibjIPbqzKexNJEH2xpKHmWqNbw HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1 | 34.222.229.130 - - [03/Jun/2020:14:43:20 +0000] "GET /.well-known/acme-challenge/wxUyr3z4vBw-xJFZoTnnO2sRkJN4hVMdey7oThLoays HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1 | 34.209.232.166 - - [03/Jun/2020:14:43:21 +0000] "GET /.well-known/acme-challenge/MJt4Z0kZ5g9cv2-Jbl3NO6vNJtT7nSB144xkPbcmGLg HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1 | 34.209.232.166 - - [03/Jun/2020:14:43:21 +0000] "GET /.well-known/acme-challenge/wbSza-btt_taGxrN4fLmmK-P0Z7oW17hqs65Mqgo6Wc HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
```

Resulting in errors like:

```
front_1 | Some challenges have failed.
front_1 | IMPORTANT NOTES:
front_1 |  - The following errors were reported by the server:
front_1 |
front_1 |    Domain: xxxxx
front_1 |    Type:   connection
front_1 |    Detail: Fetching
front_1 |    https://xxxxxxx/.well-known/acme-challenge/6E2_SWqyHAm9fisWz-1QhL_uwO1ZfpY7E8YdOT1nUUs:
front_1 |    Timeout during connect (likely firewall problem)
```

Workaround:

I deleted the `/mailu/certs` directory and ran `docker-compose down && docker-compose up -d`. Now the certs are obtained without problem:

```
front_1 | 34.209.232.166 - - [03/Jun/2020:14:52:11 +0000] "GET /.well-known/acme-challenge/4TUNprrps6KxkrFgh1cyVi9WoPHxzi1wDxzMEtAx38M HTTP/1.1" 200 98 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1 | 66.133.109.36 - - [03/Jun/2020:14:52:11 +0000] "GET /.well-known/acme-challenge/wjo2f9FyiHJOONyp-HhYbPcKwdY2ErIcFeYOI4n8s30 HTTP/1.1" 200 98 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1 | 34.222.229.130 - - [03/Jun/2020:14:52:11 +0000] "GET /.well-known/acme-challenge/wjo2f9FyiHJOONyp-HhYbPcKwdY2ErIcFeYOI4n8s30 HTTP/1.1" 200 98 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1 | 34.209.232.166 - - [03/Jun/2020:14:52:11 +0000] "GET /.well-known/acme-challenge/yy1DtRspuJ4EI4cm891CmbMN9VHJhmU0XcEVK6eQ6OE HTTP/1.1" 200 98 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1 | 66.133.109.36 - - [03/Jun/2020:14:52:12 +0000] "GET /.well-known/acme-challenge/FdnDAuKNafgP9OLXcyiQprXG69ErCTvkbJ9J7b0W0gM HTTP/1.1" 200 98 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
.....
front_1 | IMPORTANT NOTES:
front_1 |  - Congratulations! Your certificate and chain have been saved at:
front_1 |    /certs/letsencrypt/live/mailu/fullchain.pem
front_1 |    Your key file has been saved at:
front_1 |    /certs/letsencrypt/live/mailu/privkey.pem
```

Can it have something to do with this?:

https://github.com/Mailu/Mailu/blob/4c9a4b282468dae772bbf1a78851a9e78213768c/core/nginx/conf/nginx.conf#L56-L69

This redirect is disabled when there are no certs yet (TLS_ERROR is true). Looking at the logs, 301 is issued, but there is no subsequent request from ACME. Probably they don't follow redirects.

Maybe this has some influence (from mailu.env):

```
###################################
# Web settings
###################################

# Path to redirect / to
WEBROOT_REDIRECT=/

# Path to the admin interface if enabled
WEB_ADMIN=/admin

# Path to the webmail if enabled
WEB_WEBMAIL=/
```
Other options / suggestions welcome. I'm kinda out of time for today :(
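The symptom in this comment is visible in the front container's access log: the Let's Encrypt validator fetches `/.well-known/acme-challenge/<token>` and gets a 301 instead of a 200. The following is an added example (my own code, not Mailu's and not from anyone in this thread) that parses access-log lines in the format quoted above, including the `front_1 |` docker-compose prefix, and flags every challenge fetch that was redirected or otherwise not served, so a pre-renewal or post-mortem check can tell "the challenge path is being redirected" apart from "the validator never reached us". The sample log lines are constructed, with documentation-range IP addresses and made-up tokens.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the Mailu front container log:
# docker-compose service prefix followed by an nginx "combined" access-log entry.
# IPs are from documentation ranges and tokens are invented; this is not real traffic.
SAMPLE_LOG = """\
front_1 | 2020/06/03 14:43:20 [info] 8#8: *45 client 203.0.113.10:56086 connected to 0.0.0.0:993
front_1 | 198.51.100.7 - - [03/Jun/2020:14:43:20 +0000] "GET /.well-known/acme-challenge/token-aaaa HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1 | 198.51.100.8 - - [03/Jun/2020:14:43:20 +0000] "GET /.well-known/acme-challenge/token-bbbb HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1 | 198.51.100.9 - - [03/Jun/2020:14:52:11 +0000] "GET /.well-known/acme-challenge/token-cccc HTTP/1.1" 200 98 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1 | 192.0.2.5 - - [03/Jun/2020:14:52:30 +0000] "GET /webmail/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# nginx "combined" log format; the leading "<service> | " compose prefix is optional.
ACCESS_RE = re.compile(
    r'^(?:\S+\s+\|\s+)?'                          # optional docker-compose service prefix
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '  # client, ident, user, timestamp
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '       # request line
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '        # status and body size
    r'"[^"]*" "(?P<ua>[^"]*)"'                    # referer and user agent
)
ACME_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_STATUSES = {301, 302, 307, 308}


def parse_access_line(line):
    """Return a dict for a combined-format access-log line, or None for any other line
    (nginx [info]/[error] lines, certbot output, blank lines)."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def acme_requests(log_text):
    """Yield the parsed entries that are http-01 challenge fetches."""
    for line in log_text.splitlines():
        entry = parse_access_line(line)
        if entry and entry["path"].startswith(ACME_PREFIX):
            yield entry


def classify(status):
    """Map an HTTP status on the challenge path to an outcome label."""
    if status == 200:
        return "served"        # token answered by the ACME client behind the proxy
    if status in REDIRECT_STATUSES:
        return "redirected"    # the http->https (or webroot) redirect caught the ACME path
    return "failed"            # 404, 5xx, etc.: the path exists but nothing answered it


def audit_acme(log_text):
    """Summarise how challenge fetches were answered.

    Returns (Counter of outcomes, list of (time, ip, path, status, outcome) for non-200 fetches)."""
    counts = Counter()
    problems = []
    for entry in acme_requests(log_text):
        outcome = classify(entry["status"])
        counts[outcome] += 1
        if outcome != "served":
            problems.append((entry["time"], entry["ip"], entry["path"], entry["status"], outcome))
    return counts, problems


def challenge_path_healthy(log_text):
    """True only if at least one challenge fetch was seen and every one of them got a 200."""
    counts, _ = audit_acme(log_text)
    return counts["served"] > 0 and counts["redirected"] == 0 and counts["failed"] == 0


if __name__ == "__main__":
    counts, problems = audit_acme(SAMPLE_LOG)
    print("outcomes:", dict(counts))
    for problem in problems:
        print("PROBLEM:", *problem)
    print("challenge path healthy:", challenge_path_healthy(SAMPLE_LOG))
```

Run it against `docker-compose logs front` piped into a file instead of `SAMPLE_LOG` to see the same classification on a real renewal attempt; a run with only "served" entries but a certbot failure points at DNS or firewall issues rather than at the nginx redirect.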

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This is probably fixed in #1611 which is going to be part of 1.8-rc. Please try that fix or wait for the 1.8-rc release to test it out. In case it isn’t fixed by then, please feel free to re-open this issue.
