Hello community,
I am currently trying to install a Nextcloud under cloud.mydomain.de.
(https://mailcow.github.io/mailcow-dockerized-docs/third_party-nextcloud/)
The installation works, but unfortunately I cannot reach my cloud at https://cloud.mydomain.de.
The mailcow.conf looks like this:
...
MAILCOW_HOSTNAME=mail.mydomain.de
...
ADDITIONAL_SAN=mydomain.de,www.*,webmail.*,cloud.*
...
When I now restart acme-mailcow, I see the following:
touch data/assets/ssl/force_renew
docker-compose restart acme-mailcow
docker-compose logs --tail=200 acme-mailcow
Fri Jun 4 09:02:15 CEST 2021 - Using existing domain rsa key /var/lib/acme/acme/key.pem
Fri Jun 4 09:02:15 CEST 2021 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
Fri Jun 4 09:02:15 CEST 2021 - Detecting IP addresses...
Fri Jun 4 09:02:15 CEST 2021 - OK: 75.xxx.xxx.69, 2a02:xxxx:xxxx:5703::1
Fri Jun 4 09:02:16 CEST 2021 - Found A record for mail.mydomain.de: 75.xxx.xxx.69
Fri Jun 4 09:02:16 CEST 2021 - Confirmed A record 75.xxx.xxx.69
Fri Jun 4 09:09:44 CEST 2021 - Using existing domain rsa key /var/lib/acme/acme/key.pem
Fri Jun 4 09:09:44 CEST 2021 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Waiting for Docker API...
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Docker API OK
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Waiting for Postfix...
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Postfix OK
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Waiting for Dovecot...
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Dovecot OK
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Waiting for database...
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Database OK
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Waiting for Nginx...
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Nginx OK
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Waiting for resolver...
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Resolver OK
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Waiting for domain table...
acme-mailcow_1 | OK
acme-mailcow_1 | Thu Aug 5 22:06:55 CEST 2021 - Initializing, please wait...
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Detecting IP addresses...
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - OK: 75.xxx.xxx.69, 2a02:xxxx:xxxx:5703::1
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Found AAAA record for www.mydomain.de: 2a02:xxxx:xxxx:5703::1 - skipping A record check
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Confirmed AAAA record with IP 2a02:c206:3007:5703:0000:0000:0000:0001
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Found AAAA record for webmail.mydomain.de: 2a02:xxxx:xxxx:5703::1 - skipping A record check
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Confirmed AAAA record with IP 2a02:c206:3007:5703:0000:0000:0000:0001
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Found AAAA record for autodiscover.mydomain.de: 2a02:xxxx:xxxx:5703::1 - skipping A record check
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Confirmed AAAA record with IP 2a02:c206:3007:5703:0000:0000:0000:0001
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Found AAAA record for autoconfig.mydomain.de: 2a02:xxxx:xxxx:5703::1 - skipping A record check
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Confirmed AAAA record with IP 2a02:c206:3007:5703:0000:0000:0000:0001
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Found AAAA record for mail.mydomain.de: 2a02:xxxx:xxxx:5703::1 - skipping A record check
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Confirmed AAAA record with IP 2a02:c206:3007:5703:0000:0000:0000:0001
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Found AAAA record for mydomain.de: 2a02:xxxx:xxxx:5703::1 - skipping A record check
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Confirmed AAAA record with IP 2a02:c206:3007:5703:0000:0000:0000:0001
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Certificate /var/lib/acme/mail.mydomain.de/cert.pem doesn't exist yet or forced renewal - start obtaining
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Creating backups in /var/lib/acme/backups/mail.mydomain.de/2021-08-05_22_06_56 ...
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Checking resolver...
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Resolver OK
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Using command acme-tiny --account-key /var/lib/acme/acme/account.pem --disable-check --csr /var/lib/acme/mail.mydomain.de/acme.csr --acme-dir /var/www/acme/
acme-mailcow_1 | Parsing account key...
acme-mailcow_1 | Parsing CSR...
acme-mailcow_1 | Found domains: webmail.mydomain.de, mail.mydomain.de, autodiscover.mydomain.de, www.mydomain.de, mydomain.de, autoconfig.mydomain.de
acme-mailcow_1 | Getting directory...
acme-mailcow_1 | Directory found!
acme-mailcow_1 | Registering account...
acme-mailcow_1 | Already registered!
acme-mailcow_1 | Creating new order...
acme-mailcow_1 | Order created!
acme-mailcow_1 | Verifying autoconfig.mydomain.de...
acme-mailcow_1 | autoconfig.mydomain.de verified!
acme-mailcow_1 | Verifying autodiscover.mydomain.de...
acme-mailcow_1 | autodiscover.mydomain.de verified!
acme-mailcow_1 | Verifying mail.mydomain.de...
acme-mailcow_1 | mail.mydomain.de verified!
acme-mailcow_1 | Verifying mydomain.de...
acme-mailcow_1 | mydomain.de verified!
acme-mailcow_1 | Verifying webmail.mydomain.de...
acme-mailcow_1 | webmail.mydomain.de verified!
acme-mailcow_1 | Verifying www.mydomain.de...
acme-mailcow_1 | www.mydomain.de verified!
acme-mailcow_1 | Signing certificate...
acme-mailcow_1 | Certificate signed!
acme-mailcow_1 | Thu Aug 5 22:07:30 CEST 2021 - Deploying certificate /var/lib/acme/mail.mydomain.de/cert.pem...
acme-mailcow_1 | Thu Aug 5 22:07:30 CEST 2021 - Verified hashes.
acme-mailcow_1 | Thu Aug 5 22:07:30 CEST 2021 - Certificate successfully obtained
acme-mailcow_1 | Thu Aug 5 22:07:30 CEST 2021 - Reloading or restarting services... (1)
acme-mailcow_1 | Reloading Nginx...
acme-mailcow_1 | Restarting 220f44912c29ed92164e8594a3d024a2b3eaaeaeba96a41db677e831ec0292b4...
acme-mailcow_1 | command completed successfully
acme-mailcow_1 | Restarting 89172a6d527023e90031d76de243054c4f52bdea653ff35b02d00d439363308c...
acme-mailcow_1 | command completed successfully
acme-mailcow_1 | Thu Aug 5 22:07:36 CEST 2021 - Waiting for containers to settle...
acme-mailcow_1 | Thu Aug 5 22:07:46 CEST 2021 - Certificates were successfully renewed where required, sleeping for another day.
Fri Jun 4 09:09:44 CEST 2021 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
The certificates for www.mydomain.de or mydomain.de are issued correctly.
Only the one for cloud.mydomain.de is not.
The (generated) /data/conf/nginx/nextcloud.conf looks like this:
map $http_x_forwarded_proto $client_req_scheme_nc {
  default $scheme;
  https https;
}
server {
  include /etc/nginx/conf.d/listen_ssl.active;
  include /etc/nginx/conf.d/listen_plain.active;
  include /etc/nginx/mime.types;
  charset utf-8;
  override_charset on;
  ssl_certificate /etc/ssl/mail/cert.pem;
  ssl_certificate_key /etc/ssl/mail/key.pem;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;
  add_header Referrer-Policy "no-referrer" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header X-Download-Options "noopen" always;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Permitted-Cross-Domain-Policies "none" always;
  add_header X-Robots-Tag "none" always;
  add_header X-XSS-Protection "1; mode=block" always;
  fastcgi_hide_header X-Powered-By;
  server_name cloud.mydomain.de;
  root /web/nextcloud/;
  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }
  location = /.well-known/carddav {
    return 301 $client_req_scheme_nc://$host/remote.php/dav;
  }
  location = /.well-known/caldav {
    return 301 $client_req_scheme_nc://$host/remote.php/dav;
  }
  location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /web;
  }
...
Did I overlook something?
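
A way to compare the names requested through ADDITIONAL_SAN with what the acme-mailcow log shows for each of them. This is an added example, not part of the original post and not mailcow's own code; the function names and the sample log are constructed, and it assumes that an entry such as `cloud.*` expands to `cloud.<domain>` for each mail domain (here only mydomain.de).

```python
import re

# Constructed sample: a few lines in the format of the acme-mailcow log above.
SAMPLE_LOG = """\
acme-mailcow_1 | Thu Aug 5 22:06:56 CEST 2021 - Found AAAA record for www.mydomain.de: 2a02:xxxx:xxxx:5703::1 - skipping A record check
acme-mailcow_1 | Found domains: webmail.mydomain.de, mail.mydomain.de, www.mydomain.de, mydomain.de
acme-mailcow_1 | mydomain.de verified!
acme-mailcow_1 | webmail.mydomain.de verified!
acme-mailcow_1 | www.mydomain.de verified!
"""

def expand_san(additional_san, mail_domains):
    """Expand ADDITIONAL_SAN; 'prefix.*' becomes prefix.<domain> for each
    mail domain (assumed expansion rule, see the lead-in)."""
    names = []
    for entry in (e.strip() for e in additional_san.split(",")):
        if entry.endswith(".*"):
            names.extend(f"{entry[:-2]}.{d}" for d in mail_domains)
        elif entry:
            names.append(entry)
    return names

def audit(log_text, expected):
    """Return {name: stage} showing how far each expected name got in the log."""
    # Stage 1: the container looked the name up in DNS.
    dns_checked = set(re.findall(r"Found (?:A|AAAA) record for ([^\s:]+):", log_text))
    # Stage 2: the name is listed in the CSR that acme-tiny parsed.
    in_csr = set()
    for line in re.findall(r"Found domains: (.+)", log_text):
        in_csr.update(n.strip() for n in line.split(","))
    # Stage 3: the ACME challenge for the name succeeded.
    verified = set(re.findall(r"(\S+) verified!", log_text))
    report = {}
    for name in expected:
        if name in verified:
            report[name] = "verified"
        elif name in in_csr:
            report[name] = "in CSR, not verified"
        elif name in dns_checked:
            report[name] = "DNS checked, not in CSR"
        else:
            report[name] = "never seen by acme-mailcow"
    return report

if __name__ == "__main__":
    wanted = expand_san("mydomain.de,www.*,webmail.*,cloud.*", ["mydomain.de"])
    for name, stage in audit(SAMPLE_LOG, wanted).items():
        print(f"{name:25} {stage}")
```

Feed `audit()` the real output of `docker-compose logs acme-mailcow` instead of the sample. A name reported as never seen was not in the list the running container processed, so the place to look is the configuration the container was started with rather than DNS or the HTTP challenge.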