acme-mailcow_1 // HTTP validation failed

HeyWatchOutDude

Hi,

I can’t get a LE certificate on the mailcow host.

Im using “cloudflare” as DNS provider, my settings: (Content = Static Public IP)

Command: docker-compose logs –tail=200 -f acme-mailcow
Output:

Command: iptables -S
Output:
-P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -N DOCKER -N DOCKER-ISOLATION-STAGE-1 -N DOCKER-ISOLATION-STAGE-2 -N DOCKER-USER -N MAILCOW -N ufw-after-forward -N ufw-after-input -N ufw-after-logging-forward -N ufw-after-logging-input -N ufw-after-logging-output -N ufw-after-output -N ufw-before-forward -N ufw-before-input -N ufw-before-logging-forward -N ufw-before-logging-input -N ufw-before-logging-output -N ufw-before-output -N ufw-reject-forward -N ufw-reject-input -N ufw-reject-output -N ufw-track-forward -N ufw-track-input -N ufw-track-output -A INPUT -j MAILCOW -A INPUT -j ufw-before-logging-input -A INPUT -j ufw-before-input -A INPUT -j ufw-after-input -A INPUT -j ufw-after-logging-input -A INPUT -j ufw-reject-input -A INPUT -j ufw-track-input -A FORWARD -j MAILCOW -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o docker0 -j DOCKER -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A FORWARD -o br-mailcow -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o br-mailcow -j DOCKER -A FORWARD -i br-mailcow ! -o br-mailcow -j ACCEPT -A FORWARD -i br-mailcow -o br-mailcow -j ACCEPT -A FORWARD -j ufw-before-logging-forward -A FORWARD -j ufw-before-forward -A FORWARD -j ufw-after-forward -A FORWARD -j ufw-after-logging-forward -A FORWARD -j ufw-reject-forward -A FORWARD -j ufw-track-forward -A OUTPUT -j ufw-before-logging-output -A OUTPUT -j ufw-before-output -A OUTPUT -j ufw-after-output -A OUTPUT -j ufw-after-logging-output -A OUTPUT -j ufw-reject-output -A OUTPUT -j ufw-track-output -A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 587 -j ACCEPT -A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 465 -j ACCEPT -A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 25 -j ACCEPT -A DOCKER -d 172.22.1.249/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 6379 -j ACCEPT -A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 12345 -j ACCEPT -A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 4190 -j ACCEPT -A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 995 -j ACCEPT -A DOCKER -d 172.22.1.15/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 3306 -j ACCEPT -A DOCKER -d 172.22.1.17/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 8983 -j ACCEPT -A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 993 -j ACCEPT -A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 143 -j ACCEPT -A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 110 -j ACCEPT -A DOCKER -d 172.22.1.16/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 443 -j ACCEPT -A DOCKER -d 172.22.1.16/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -i br-mailcow ! -o br-mailcow -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP -A DOCKER-ISOLATION-STAGE-2 -o br-mailcow -j DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN -A DOCKER-USER -j RETURN -A MAILCOW -s 212.70.149.72/32 -j REJECT --reject-with icmp-port-unreachable

Command: iptables -L
Output:
`Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere
ufw-before-logging-input all – anywhere anywhere
ufw-before-input all – anywhere anywhere
ufw-after-input all – anywhere anywhere
ufw-after-logging-input all – anywhere anywhere
ufw-reject-input all – anywhere anywhere
ufw-track-input all – anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere
DOCKER-USER all – anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ufw-before-logging-forward all – anywhere anywhere
ufw-before-forward all – anywhere anywhere
ufw-after-forward all – anywhere anywhere
ufw-after-logging-forward all – anywhere anywhere
ufw-reject-forward all – anywhere anywhere
ufw-track-forward all – anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all – anywhere anywhere
ufw-before-output all – anywhere anywhere
ufw-after-output all – anywhere anywhere
ufw-after-logging-output all – anywhere anywhere
ufw-reject-output all – anywhere anywhere
ufw-track-output all – anywhere anywhere

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:submission
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:submissions
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:smtp
ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:6379
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp – anywhere 172.22.1.15 tcp dpt:mysql
ACCEPT tcp – anywhere 172.22.1.17 tcp dpt:8983
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp – anywhere 172.22.1.16 tcp dpt:https
ACCEPT tcp – anywhere 172.22.1.16 tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all – anywhere anywhere
DROP all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain MAILCOW (2 references)
target prot opt source destination
REJECT all – 212.70.149.72 anywhere reject-with icmp-port-unreachable`

Docker version: Docker version 20.10.7, build 20.10.7-0ubuntu5₂₀.04.2
Mailcow: up-to-date

Note:

Ports 80/443 + Mail Ports (25,465 etc.) are forwarded from the mailcow host to the WWW.
UFW is disabled on the mailcow host
OS: Ubuntu 20.04.4 LTS
LXC Container / Proxmox VE (Firewall is disabled)

Any idea what is wrong?