Acme Host validation Fails when using VPS Proxy

majorgear

I have this setup for my mail domain
client->cloudflare->VPS Host->HAProxy->wireguardvpn->nginx reverse proxy->Mailcow Server .

I have the mail domain A/CNAME/MX/TXT records all pointed at the VPS servers IP address.

When the acme script tries to validate that the mail domain resolves to the mailcow server’s IP address, it gets my router’s IP address instead of the VPN server’s address, so validate fails. The output looks like this (redacted ):

mailcowdockerized-acme-mailcow-1 | Wed Feb 9 21:35:04 MST 2022 - Detecting IP addresses... mailcowdockerized-acme-mailcow-1 | Wed Feb 9 21:35:05 MST 2022 - OK: redacted ip, 2601:283:4602:37c0::1f3 mailcowdockerized-acme-mailcow-1 | Wed Feb 9 21:35:05 MST 2022 - Found A record for <redacted domain: redacted IP mailcowdockerized-acme-mailcow-1 | Wed Feb 9 21:35:05 MST 2022 - Cannot match your IP 73.243.40.30 against hostname redacted doman (DNS returned redacted IP) mailcowdockerized-acme-mailcow-1 | Wed Feb 9 21:35:05 MST 2022 - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour. mailcowdockerized-acme-mailcow-1 | Wed Feb 9 21:35:05 MST 2022 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.

In my mind, the easiest solution would be to use the DNS challenge. Can the **acme container be configured to use the DNS challenge method to validate my domain?

Some other idea’s I have are

configuring the mailcow docker bridge network to route through the wireguard VPN which goes through the correct gateway to the Internet.
put mailcow into a virtual machine that routes through the wireguard vpn to get to the Internet.

For the short term, I manually created the ssl certificate for the mail domain using certbot, and I configured the certificate path in my nginx server block for mailcow. That’s working in that I can access the mailcow web interfaces over https , but I’d rather that mailcow manage it’s own certificate.

majorgear

To clarify , mailcow host machine has physical “eth0” interface , and it has the wireguard vpn interface “wg0”.

The acmes.sh container is going through the eth0 interface, which goes through my home router to the Internet.

What I would like it to do is either use the DNS challenge and not try to validate the IP address.
or
Go route through the wg0 interface , which will cause validation to success as the wireguard vpn access the Internet through the VPS server. The mail hostname resolves to the VPS server IP address, which will cause it to successfully validate.

heavygale

Your mailcow ui is publicy accessable?
Simply disable the ip check: SKIP_IP_CHECK=y

https://mailcow.github.io/mailcow-dockerized-docs/post_installation/firststeps-ssl/#validation-errors-and-how-to-skip-validation

majorgear

heavygale I did that, then it tried to validate the IPV6 address.

Then I disabled the HTTP check, and it still failed.

majorgear

I’ve gotten a bit further before I gave up.

I set up a routing that send all traffic from the mailcow subnet through the wireguard connection to my VPS server, and then to the Internet.

acme was happier with that, and requested a certificate. However, the request timed out with this message from acme

Response: Remote end closed connection without response

I don’t know what the endpoint is for requests, so I can explicitly test connectivity. I did do a test from the mailcow host server to the internet to make sure the route was correct.

curl -vvv -4 –interface wg0 icanhazip.com

That returned the VPS’s IP address. So connect from docker to VPS to the Internet and back works.

codec

Might be a problem with the HA-Proxy not properly doing the handshake when the let’s encrypt server tries to fetch the .well-known URL from your server.

codec

I’ve had a non working handshake with ha-proxy with SMTP. The Server just didn’t send the Greeting unless you send some data into the blind or just started the smtp-dialoge without waiting for the greeting.

majorgear

No worries. I moved SSL termination to the HA Proxy, and I manage the certificates from there now.