Hi,

I just set up a fresh MailCow installation but unfortunately found out that my ISP was blocking ports 80 and 443 at the time. So Let’s Encrypt was unable to sign my certificates (I guess this is the ACME module in MailCow).

My question is - when my ISP removes the blocking - how can I re-run this module and get the server’s certificates signed by Let’s Encrypt?

Thanks.

Actually, I figured out something, but got stuck on another problem…
First, I disabled IPv6 according to the documentation (because I don’t have it).

Then I ran these commands:

cd /opt/mailcow-dockerized
touch data/assets/ssl/force_renew
docker-compose restart acme-mailcow

When I run docker-compose logs --tail=200 -f acme-mailcow I get this error:

acme-mailcow_1       | OK
acme-mailcow_1       | Thu Feb 10 16:45:23 CET 2022 - Initializing, please wait...
acme-mailcow_1       | Thu Feb 10 16:45:23 CET 2022 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow_1       | Thu Feb 10 16:45:23 CET 2022 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow_1       | Thu Feb 10 16:45:23 CET 2022 - Detecting IP addresses...
acme-mailcow_1       | Thu Feb 10 16:45:32 CET 2022 - OK: 185.58.xxx.xxx, 0000:0000:0000:0000:0000:0000:0000:0000
acme-mailcow_1       | Thu Feb 10 16:45:33 CET 2022 - Found A record for autodiscover.mydomain.mk: 185.58.xxx.xxx

acme-mailcow_1       | Thu Feb 10 16:47:42 CET 2022 - Confirmed A record with IP 185.58.xxx.xxx, but HTTP validation failed
acme-mailcow_1       | Thu Feb 10 16:47:42 CET 2022 - Found A record for autoconfig.mydomain.mk: 185.58.xxx.xxx
acme-mailcow_1       | Thu Feb 10 16:49:53 CET 2022 - Confirmed A record with IP 185.58.xxx.xxx, but HTTP validation failed
acme-mailcow_1       | Thu Feb 10 16:49:53 CET 2022 - Found A record for mail.mydomain.mk: 185.58.180.221
acme-mailcow_1       | Thu Feb 10 16:52:04 CET 2022 - Confirmed A record with IP 185.58.xxx.xxx, but HTTP validation failed
acme-mailcow_1       | Thu Feb 10 16:52:04 CET 2022 - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour.
acme-mailcow_1       | Thu Feb 10 16:52:04 CET 2022 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
acme-mailcow_1       | OK

Also, port 80 is accessible from outside, I can verify it with curl http://185.58.xxx.xxx or curl http://mail.mydomain.mk (the same is true for port 443).

Any idea?

Additional info. I reinstalled everything from scratch, and did not do the HTTPS redirection. I have the same setup as before (IPv6 disabled), and on port 80 I can see the login page. However, on 443 the certificate is self-signed, and the logs keep saying that HTTP validation failed.

Did you consult the documentation yet?
https://mailcow.github.io/mailcow-dockerized-docs/post_installation/firststeps-ssl/#validation-errors-and-how-to-skip-validation


You could skip the HTTP validation if necessary.

Also it looks like you haven’t set PTR / rDNS for your IP address, which is needed if you want to send mails to other servers.

Yes, I found this out. However, in the documentation it is written that skipping the HTTP validation is not recommended. Why?

Because it’s a feature to prevent requests to Let’s Encrypt if your setup seems to be incorrect, in order to avoid getting ratelimited by Let’s Encrypt. But you can skip the validation, have a look in the log to see if it works, and if not, enable the check again without any issues.

Hmm, now I did this way:

  • In mailcow.conf I set SKIP_IP_CHECK=y and SKIP_HTTP_VERIFICATION=y
  • restarted acme-mailcow, and certificates got signed
  • in mailcow.conf set SKIP_HTTP_VERIFICATION=n (back to n)
  • restarted acme-mailcow, but the error “HTTP validation failed” happened again
  • so I went back and in mailcow.conf set SKIP_HTTP_VERIFICATION=y

I hope this is OK, otherwise I am afraid automatic renewal will not be working.

When the certs are created it should be all fine - these checks are just to be sure all is fine before a sign request to Let’s Encrypt is sent. Looks like something in your setup prevents the internal check from succeeding.
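
To narrow down why the internal check fails, it helps to measure how long each hostname takes to fail in the acme-mailcow log. The script below is an added example, not part of the thread and not mailcow's own code; the function name, the 30-second threshold and the sample log (constructed, with placeholder hostnames and addresses) are assumptions.

```python
import re
import sys
from datetime import datetime

# Constructed sample in the format of the acme-mailcow log quoted in this thread;
# hostnames and addresses are placeholders, not values from the thread.
SAMPLE_LOG = """\
acme-mailcow_1  | Thu Feb 10 16:45:33 CET 2022 - Found A record for autodiscover.example.test: 192.0.2.10
acme-mailcow_1  | Thu Feb 10 16:47:42 CET 2022 - Confirmed A record with IP 192.0.2.10, but HTTP validation failed
acme-mailcow_1  | Thu Feb 10 16:47:42 CET 2022 - Found A record for mail.example.test: 192.0.2.10
acme-mailcow_1  | Thu Feb 10 16:47:44 CET 2022 - Confirmed A record with IP 192.0.2.10, but HTTP validation failed
acme-mailcow_1  | OK
"""

# Optional "container |" prefix, weekday, "Mon DD HH:MM:SS", zone name, year, message.
LINE = re.compile(r"^(?:\S+\s*\|\s*)?\w{3} (\w{3}\s+\d+ [\d:]{8}) \S+ (\d{4}) - (.*)$")
FOUND = re.compile(r"Found A record for (\S+): ")


def failed_http_checks(log_text, slow_after=30):
    """Return (hostname, seconds, verdict) for every host whose HTTP check failed.

    seconds is the gap between "Found A record" and the failure line.
    slow_after is an assumed threshold: a gap at or above it is labelled
    "timeout-like" (the request hung), below it "fast-fail" (a quick answer or refusal).
    """
    results, pending = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a timestamp, such as "OK"
        # The zone name is ignored; both lines of a pair carry the same zone.
        ts = datetime.strptime(f"{m[1]} {m[2]}", "%b %d %H:%M:%S %Y")
        found = FOUND.search(m[3])
        if found:
            pending = (found[1], ts)
        elif "HTTP validation failed" in m[3] and pending:
            host, start = pending
            secs = int((ts - start).total_seconds())
            results.append((host, secs, "timeout-like" if secs >= slow_after else "fast-fail"))
            pending = None
    return results


if __name__ == "__main__":
    # Pipe real output in (docker-compose logs acme-mailcow | python3 this_file.py),
    # or run without a pipe to see the constructed sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for host, secs, verdict in failed_http_checks(text):
        print(f"{host}: failed after {secs}s ({verdict})")
```

In the log quoted in the question, every hostname takes a little over two minutes to fail, which this script labels timeout-like: the request made from inside the container hangs rather than getting a quick wrong answer.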
