Mailu: nginx.conf with TLS_FLAVOR=letsencrypt does not allow certbot renew to succeed

Created on 8 Jul 2020  ·  3 Comments  ·  Source: Mailu/Mailu

My certificate was not automatically renewed in Mailu 1.7. After some digging I found that the http->https redirect rule in nginx.conf:66 is executed before nginx.conf:83.

Therefore the letsencrypt http01 validation receives a 301 redirect:

front_1     | 18.196.96.172 - - [07/Jul/2020:22:23:49 +0000] "GET /.well-known/acme-challenge/gwzkNiW5AIPJ39JyYmfDzmvBb9mYcQioKI65HvZHdxI HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
front_1     | 52.15.254.228 - - [07/Jul/2020:22:23:49 +0000] "GET /.well-known/acme-challenge/gwzkNiW5AIPJ39JyYmfDzmvBb9mYcQioKI65HvZHdxI HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

And certbot terminates the process with:

 - The following errors were reported by the server:

   Domain: xxxx
   Type:   connection
   Detail: Fetching
   https://xxxxx/.well-known/acme-challenge/8wDiiX_o76-fHzOeGpa6j0O2wqLQin9nfb0MaWcXY-E:
   Timeout during connect (likely firewall problem)

Maybe a second server entry only for the http-https redirect and http-01 validation would be better in nginx.conf:

{% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'mail-letsencrypt' ] %}
server {
      root /static;
      listen 80;
      listen [::]:80;
      # In any case, enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
      location ^~ /.well-known/acme-challenge/ {
          proxy_pass http://127.0.0.1:8008;
      }
      location / {
          return 301 https://$host$request_uri;
      }
}
{% endif %}

# previous stuff 
{% if KUBERNETES_INGRESS != 'true' and TLS and not TLS_ERROR %}
server {
      listen 443 ssl http2;
      listen [::]:443 ssl http2;
...
{% endif %}

Temporary fix: docker-compose exec front bash, edit /etc/nginx/nginx.conf and comment out the above-mentioned if-statement, then reload the nginx config with kill -HUP 1. Then run the /letsencrypt.py script. After a successful renew: undo the change in /etc/nginx/nginx.conf and reload nginx again.
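An added check for spotting the symptom described above from the front container's access log (this is example code written for this page, not part of the issue and not Mailu's own code): it parses nginx combined-format lines, with or without the docker-compose "front_1 | " prefix seen in the excerpt, picks out requests under /.well-known/acme-challenge/ and counts how many were answered with a redirect instead of 200. The first two sample lines are the ones quoted in the issue; the remaining lines, the token strings and the 203.0.113.7 / 198.51.100.2 addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# nginx "combined" access-log format, optionally preceded by the
# docker-compose service prefix ("front_1     | ") seen in the issue.
LOG_RE = re.compile(
    r"^(?:\S+\s+\|\s+)?"
    r"(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r"(?P<status>\d{3}) (?P<bytes>\S+) "
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ACME_PREFIX = "/.well-known/acme-challenge/"
LE_UA_MARKER = "Let's Encrypt validation server"


@dataclass
class Request:
    ip: str
    ts: str
    path: str
    status: int
    ua: str

    @property
    def is_challenge(self) -> bool:
        return self.path.startswith(ACME_PREFIX)

    @property
    def redirected(self) -> bool:
        # A 3xx on the challenge path means the redirect rule fired before
        # the acme-challenge location, so the CA never received the token.
        return 300 <= self.status < 400


def parse_line(line: str) -> Optional[Request]:
    """Parse one access-log line; return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Request(m["ip"], m["ts"], m["path"], int(m["status"]), m["ua"])


def audit_acme_log(lines: Iterable[str]) -> dict:
    """Summarise how HTTP-01 challenge requests were answered."""
    report = {"challenge_requests": 0, "served": 0, "redirected": 0,
              "other": 0, "from_validator": 0, "problems": []}
    for line in lines:
        req = parse_line(line)
        if req is None or not req.is_challenge:
            continue  # unparseable or unrelated to ACME validation
        report["challenge_requests"] += 1
        if LE_UA_MARKER in req.ua:
            report["from_validator"] += 1
        if req.status == 200:
            report["served"] += 1
        elif req.redirected:
            report["redirected"] += 1
            report["problems"].append(f"{req.ts} {req.ip} {req.path} -> {req.status}")
        else:
            report["other"] += 1
    return report


# Sample log: the first two lines are quoted from the issue; the rest are
# constructed to show a healthy challenge and an unrelated redirect that
# must not be counted against the ACME setup.
SAMPLE_LOG = [
    'front_1     | 18.196.96.172 - - [07/Jul/2020:22:23:49 +0000] "GET /.well-known/acme-challenge/gwzkNiW5AIPJ39JyYmfDzmvBb9mYcQioKI65HvZHdxI HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    'front_1     | 52.15.254.228 - - [07/Jul/2020:22:23:49 +0000] "GET /.well-known/acme-challenge/gwzkNiW5AIPJ39JyYmfDzmvBb9mYcQioKI65HvZHdxI HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    # constructed: a challenge that was served correctly
    'front_1     | 203.0.113.7 - - [08/Jul/2020:10:00:00 +0000] "GET /.well-known/acme-challenge/CONSTRUCTED-TOKEN-FOR-EXAMPLE-ONLY HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    # constructed: an ordinary http->https redirect, which is expected
    'front_1     | 198.51.100.2 - - [08/Jul/2020:10:00:01 +0000] "GET /webmail/ HTTP/1.1" 301 162 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    result = audit_acme_log(SAMPLE_LOG)
    for key in ("challenge_requests", "from_validator", "served", "redirected", "other"):
        print(f"{key}: {result[key]}")
    for problem in result["problems"]:
        print("redirected challenge:", problem)
```

Feeding `audit_acme_log` the lines of `docker-compose logs front` works as well, since that output carries the same "front_1 | " prefix the regex allows; any non-zero `redirected` count on challenge paths is the signature of the ordering problem described in this issue and should be caught well before the certificate actually expires.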


Most helpful comment

Hi There,

The Mailu-Project is currently in a bit of a bind! We are short on manpower, and we need to judge if it is possible for us to put in some work on this issue.

To help with that, we are currently trying to find out which issues are actively keeping users from using Mailu, which issues have someone who wants to work on them — and which issues may be less important. These less important ones could be discarded for the time being, until the project is in a more stable and regular state once again.

In order for us to better assess this, it would be helpful if you could put a reaction on this post (use the :smiley: icon to the top-right).

  • 👍️ if you need this to be able to use Mailu. Ideally, you’d also be able to test this on your installation, and provide feedback …
  • 🎉 if you find it a nice bonus, but no deal-breaker
  • 🚀 if you want to work on it yourself!

We want to keep this voting open for 2 weeks from now, so please help out!

All 3 comments

I can confirm this bug. I switched to the Letsencrypt flavor 3 months ago and now the server is without certs :(.

@elektro-wolle based on your :rocket: comment above, are you willing to send a PR with this change, please?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
