HTTP validation failed

greenoctopus

Im getting this error in the acme logs and am unable to get an SSL certificate

acme-mailcow_1 | Tue May 26 21:20:16 BST 2020 - Waiting for Nginx… OK
acme-mailcow_1 | Tue May 26 21:20:16 BST 2020 - Waiting for domain table… OK
acme-mailcow_1 | Tue May 26 21:20:16 BST 2020 - Initializing, please wait…
acme-mailcow_1 | Tue May 26 21:20:16 BST 2020 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow_1 | Tue May 26 21:20:16 BST 2020 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pe m
acme-mailcow_1 | Tue May 26 21:20:16 BST 2020 - Detecting IP addresses… OK
acme-mailcow_1 | Tue May 26 21:20:35 BST 2020 - Found A record for autodiscover.mydomain.com: 1.2.3.4
acme-mailcow_1 | Tue May 26 21:20:35 BST 2020 - Confirmed A record with IP 1.2.3.4, but HTTP validation failed
acme-mailcow_1 | Tue May 26 21:20:35 BST 2020 - Found A record for autoconfig.mydomain.com: 1.2.3.4
acme-mailcow_1 | Tue May 26 21:20:36 BST 2020 - Confirmed A record with IP 1.2.3.4, but HTTP validation failed
acme-mailcow_1 | Tue May 26 21:20:36 BST 2020 - Found A record for mail.mydomain.com: 1.2.3.4
acme-mailcow_1 | Tue May 26 21:20:36 BST 2020 - Confirmed A record with IP 1.2.3.4, but HTTP validation failed
acme-mailcow_1 | Tue May 26 21:20:36 BST 2020 - Cannot validate any hostnames, skipping Let’s Encrypt for 1 hour.
acme-mailcow_1 | Tue May 26 21:20:36 BST 2020 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.

Im running mailcow on its own server (not behind nginx) and have port 80 and 443 open inbound on the firewall

in /opt/mailcow-dockerized/data/conf/nginx/redirect.conf i have the following

server {
root /web;
listen 80 default_server;
listen [::]:80 default_server;
include /etc/nginx/conf.d/server_name.active;
if ( $request_uri ~* “%0A|%0D” ) { return 403; }
location ^~ /.well-known/acme-challenge/ {
allow all;
default_type “text/plain”;
}
location / {
return 301 https://$host$uri$is_args$args;
}
}

If I check the website mail.ctrlf.info with curl I can see the mailcow website OK
Can anyone think of anything else I can check?
Thanks for your help

kaushik_ray_1

greenoctopus I am seeing the exact same issue, did you find a fix for this? Thank you.

diekuh

Hi,

It can probably not connect to “itself” on its public IP. That’s called NAT reflection and needs to be enabled on your firewall. Probably pfSense or OPNsense?

It has only a few more downsides like failing DNS checks, so you could also set SKIP_IP_CHECK=y in mailcow.conf and run up -d

greenoctopus

Hi,
I’ve tested this again on a test server with nginx and letsencrypt certonly and I can get a lets encrypt cert issued OK. This is using the same pfsense firewall inbound firewall NAT rules and LAN DNS forwarding / split brain DNS configured as well on pfsense BUT it doesn’t work with acme-mailcow. I also tried configuring NAT reflection on pfsense but that doesn’t work either…
Anything else you can think of I can check?
Thanks for your help!

acme-mailcow_1 | Tue Jun 2 08:23:36 BST 2020 - Waiting for Nginx… OK
acme-mailcow_1 | Tue Jun 2 08:23:37 BST 2020 - Waiting for domain table… OK
acme-mailcow_1 | Tue Jun 2 08:23:37 BST 2020 - Initializing, please wait…
acme-mailcow_1 | Tue Jun 2 08:23:37 BST 2020 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow_1 | Tue Jun 2 08:23:37 BST 2020 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow_1 | Tue Jun 2 08:23:37 BST 2020 - Detecting IP addresses… OK
acme-mailcow_1 | Tue Jun 2 08:23:56 BST 2020 - Validated CAA for parent domain planetexpress.live
acme-mailcow_1 | Tue Jun 2 08:23:57 BST 2020 - Found A record for mail.planetexpress.live: 80.194.184.237
acme-mailcow_1 | Tue Jun 2 08:23:58 BST 2020 - Confirmed A record with IP 80.194.184.237, but HTTP validation failed
acme-mailcow_1 | Tue Jun 2 08:23:58 BST 2020 - Cannot validate any hostnames, skipping Let’s Encrypt for 1 hour.
acme-mailcow_1 | Tue Jun 2 08:23:58 BST 2020 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
acme-mailcow_1 | OK

greenoctopus

kaushik_ray_1
Hi, no I never found a fix for this, I could not get http validation to work. what is your setup?

kaushik_ray_1

Please refer to the link below. I was able to solve the problem but in a bit different route. It explains my setup and the way i fixed it.
Thank you for your reply.

https://community.mailcow.email/d/293-help-with-reverse-proxy-setup-using-nginx-proxy-manager