Hi, for 3 days the LE renewal has not worked anymore.
It worked for over one year.
It's the same error every time, but it's always another hostname.

mailcowdockerized-acme-mailcow-1 | ValueError: Challenge did not pass for autoconfig.domain.com: {'identifier': {'type': 'dns', 'value': 'autoconfig.domain.com'}, 'status': 'invalid', 'expires': '2022-08-15T14:09:23Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:connection', 'detail': 'IP: Fetching http://autoconfig.domain.com/.well-known/acme-challenge/secredkey: Connection refused', 'status': 400},

It worked before and I don't know why it stopped. I did not change a thing.
Does anyone have an idea?


mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:27 CEST 2022 - Using existing domain rsa key /var/lib/acme/acme/key.pem
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:27 CEST 2022 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:27 CEST 2022 - Detecting IP addresses...
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:37 CEST 2022 - OK: myip, 0000:0000:0000:0000:0000:0000:0000:0000
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:37 CEST 2022 - Found A record for autodiscover.domain.com: myip
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:37 CEST 2022 - Confirmed A record with IP myip, but HTTP validation failed
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:37 CEST 2022 - Found A record for autoconfig.domain.com: myip
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:37 CEST 2022 - Confirmed A record with IP myip, but HTTP validation failed
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:37 CEST 2022 - Found A record for autodiscover.domain.com: myip
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:37 CEST 2022 - Confirmed A record with IP myip, but HTTP validation failed
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:37 CEST 2022 - Found A record for autoconfig.domain.com: myip
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:37 CEST 2022 - Confirmed A record with IP myip, but HTTP validation failed
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:37 CEST 2022 - Found A record for autodiscover.domain.com: myip
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:37 CEST 2022 - Confirmed A record with IP myip, but HTTP validation failed
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:37 CEST 2022 - Found A record for autoconfig.domain.com: myip
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:37 CEST 2022 - Confirmed A record with IP myip, but HTTP validation failed
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:38 CEST 2022 - Found A record for mail.domain.com: myip
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:38 CEST 2022 - Confirmed A record with IP myip, but HTTP validation failed
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:38 CEST 2022 - Found A record for mail.domain.com: myip
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:38 CEST 2022 - Confirmed A record with IP myip, but HTTP validation failed
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:38 CEST 2022 - Found A record for mail.domain.com: myip
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:38 CEST 2022 - Confirmed A record with IP myip, but HTTP validation failed
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:38 CEST 2022 - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour.
mailcowdockerized-acme-mailcow-1  | Mon Aug  8 19:35:38 CEST 2022 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
mailcowdockerized-acme-mailcow-1  | OK


I just can’t figure out what the problem is.

Do you use a reverse proxy or is the cow alone in the meadow?

    Hmm, updated to latest version? nginx running, no errors?

      heavygale yes, I can connect to the UI and under /debug everything is green

      Maybe it’s an IPv6 vs IPv4 issue? Do both A and AAAA records point to your server and do both work?

      I don't use IPv6 and I did not change anything. Also, the URL is working from random computers, so DNS settings should be correct.

      Found the problem.
      In the mailcow.conf, localhost was set as the IP for port 80; for port 443 it was correct.

      Changed it, now it's working.

        MrYoshii I don’t understand the fix, what in detail have you done? Since a few days I get also the same issue like it was written above. Please help me out.

          AudiWolf MrYoshii I don’t understand the fix, what in detail have you done? Since a few days I get also the following issue. Before everything was working fine. Please help me out.
          10.08.2022, 23:41:12 mail.domain.tld - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
          10.08.2022, 23:41:12 mail.domain.tld - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour.
          10.08.2022, 23:41:12 mail.domain.tld - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname mail.domain.tld (DNS returned XXXX:YYYY:XXXX:YYYY:0000:0000:0000:0001)
          10.08.2022, 23:41:12 mail.domain.tld - Found AAAA record for mail.domain.tld: 2a01:4f8:1c1e:d0ba::1 - skipping A record check
          10.08.2022, 23:41:12 mail.domain.tld - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname autoconfig.domain.tld (DNS returned XXXX:YYYY:XXXX:YYYY:0000:0000:0000:0001)
          10.08.2022, 23:41:12 mail.domain.tld - Found AAAA record for autoconfig.domain.tld: 2a01:4f8:1c1e:d0ba::1 - skipping A record check
          10.08.2022, 23:41:12 mail.domain.tld - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname autodiscover.domain.tld (DNS returned XXXX:YYYY:XXXX:YYYY:0000:0000:0000:0001)
          10.08.2022, 23:41:12 mail.domain.tld - Found AAAA record for autodiscover.domain.tld: 2a01:4f8:1c1e:d0ba::1 - skipping A record check
          10.08.2022, 23:41:12 mail.domain.tld - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname mta-sts.domain.tld (DNS returned XXXX:YYYY:XXXX:YYYY:0000:0000:0000:0001)
          10.08.2022, 23:41:12 mail.domain.tld - Found AAAA record for mta-sts.domain.tld: 2a01:4f8:1c1e:d0ba::1 - skipping A record check
          10.08.2022, 23:41:12 mail.domain.tld - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname autoconfig.domain.tld (DNS returned XXXX:YYYY:XXXX:YYYY:0000:0000:0000:0001)
          10.08.2022, 23:41:11 mail.domain.tld - Found AAAA record for autoconfig.domain.tld: 2a01:4f8:1c1e:d0ba::1 - skipping A record check
          10.08.2022, 23:41:11 mail.domain.tld - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname autodiscover.domain.tld (DNS returned XXXX:YYYY:XXXX:YYYY:0000:0000:0000:0001)
          10.08.2022, 23:41:11 mail.domain.tld - Found AAAA record for autodiscover.domain.tld: 2a01:4f8:1c1e:d0ba::1 - skipping A record check
          10.08.2022, 23:41:11 mail.domain.tld - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname mta-sts.domain.tld (DNS returned XXXX:YYYY:XXXX:YYYY:0000:0000:0000:0001)
          10.08.2022, 23:41:11 mail.domain.tld - Found AAAA record for mta-sts.domain.tld: 2a01:4f8:1c1e:d0ba::1 - skipping A record check
          10.08.2022, 23:41:11 mail.domain.tld - OK: abc.def.efg.hij, 0000:0000:0000:0000:0000:0000:0000:0000
          10.08.2022, 23:40:32 mail.domain.tld - Detecting IP addresses...
          10.08.2022, 23:40:32 mail.domain.tld - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
          10.08.2022, 23:40:32 mail.domain.tld - Using existing domain rsa key /var/lib/acme/acme/key.pem
          10.08.2022, 23:40:32 mail.domain.tld - Initializing, please wait...
          10.08.2022, 23:40:32 mail.domain.tld - OK

          AudiWolf Hi, in the mailcow.conf
          for me it was like this:

          HTTP_PORT=80
          HTTP_BIND=127.0.0.1
          
          HTTPS_PORT=443
          HTTPS_BIND=144.76.60.71

          and after I changed it to:

          HTTP_PORT=80
          HTTP_BIND=144.76.60.71
          
          HTTPS_PORT=443
          HTTPS_BIND=144.76.60.71

          and after a restart it did work again.
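
Added example (not part of the original thread and not mailcow's own code): a small check that reads the `HTTP_BIND`/`HTTP_PORT` settings shown in the post above and reports why an external HTTP-01 validator would get "Connection refused". The sample configs are constructed from the values in the post, and the function names are hypothetical.

```python
import ipaddress

# Constructed samples mirroring the post's "before"/"after"; names are illustrative.
BEFORE = """\
HTTP_PORT=80
HTTP_BIND=127.0.0.1

HTTPS_PORT=443
HTTPS_BIND=144.76.60.71
"""
AFTER = BEFORE.replace("HTTP_BIND=127.0.0.1", "HTTP_BIND=144.76.60.71")


def parse_conf(text):
    """Parse KEY=VALUE lines, ignoring blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip("'\"")
    return conf


def is_loopback(bind):
    """True if the bind address only accepts connections from the host itself."""
    if bind.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(bind.strip("[]")).is_loopback
    except ValueError:
        return False  # empty or not an IP literal: not treated as loopback here


def http01_findings(text):
    """Return reasons an external HTTP-01 validator could not connect."""
    conf, findings = parse_conf(text), []
    http_bind = conf.get("HTTP_BIND", "")
    if is_loopback(http_bind):
        findings.append(f"HTTP_BIND={http_bind} is loopback; port 80 is unreachable from outside")
    if conf.get("HTTP_PORT", "80") != "80":
        findings.append(f"HTTP_PORT={conf['HTTP_PORT']}; HTTP-01 validation always connects to port 80")
    return findings


if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, http01_findings(sample) or "no HTTP-01 bind problems found")
```

The HTTPS bind does not matter for this failure: the web UI can be reachable over 443 while the HTTP-01 fetch on port 80 is still refused.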

            MrYoshii Thanks for the quick answer. In my case this doesn’t help. Any other ideas?

              AudiWolf you can try to set SKIP_IP_CHECK=y in the config. Your error is "Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname mta-sts.domain.tld (DNS returned XXXX:YYYY:XXXX:YYYY:0000:0000:0000:0001)". Or maybe your DNS settings are not correct.

                a year later

                Hi,
                just saw your post.
                Helped me a lot.
                Couldn’t renew Cert.
                After I read the answers, I tried to disable IPv6, and it worked for me.
                Just follow step 1 here:
                docs.mailcow.email: Disable IPv6 - mailcow: dockerized documentation

                then
                docker compose down
                docker compose up -d

                Finally the cert was created new with a few errors on IPv6.
                After that I just did the same and activated IPv6 again.
                And now the whole process worked fine.

                I know it is an old post, but maybe someone else finds this post and can also solve their problem.
