So, my SSL certificate expired and unfortunately it is not updated automatically. What I did:

  • ssh to my server
  • sudo su
  • cd /opt/mailcow-dockerized
  • docker-compose restart acme-mailcow
  • docker-compose logs --tail=200 -f acme-mailcow

And I see this:

mailcowdockerized-acme-mailcow-1  | Found domains: mail.my-main-domain.mk, autodiscover.my-main-domain.mk, autoconfig.my-main-domain.mk, autodiscover.my-second-domain.si, autoconfig.my-second-domain.si
mailcowdockerized-acme-mailcow-1  | Getting directory...
mailcowdockerized-acme-mailcow-1  | Directory found!
mailcowdockerized-acme-mailcow-1  | Registering account...
mailcowdockerized-acme-mailcow-1  | Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/xxx
mailcowdockerized-acme-mailcow-1  | Creating new order...
mailcowdockerized-acme-mailcow-1  | Order created!
mailcowdockerized-acme-mailcow-1  | Already verified: autoconfig.my-main-domain.mk, skipping...
mailcowdockerized-acme-mailcow-1  | Already verified: autodiscover.my-main-domain.mk, skipping...
mailcowdockerized-acme-mailcow-1  | Verifying autodiscover.my-second-domain.si...
mailcowdockerized-acme-mailcow-1  | Traceback (most recent call last):
mailcowdockerized-acme-mailcow-1  |   File "/usr/bin/acme-tiny", line 8, in <module>
mailcowdockerized-acme-mailcow-1  |     sys.exit(main())
mailcowdockerized-acme-mailcow-1  |   File "/usr/lib/python3.10/site-packages/acme_tiny.py", line 195, in main
mailcowdockerized-acme-mailcow-1  |     signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
mailcowdockerized-acme-mailcow-1  |   File "/usr/lib/python3.10/site-packages/acme_tiny.py", line 153, in get_crt
mailcowdockerized-acme-mailcow-1  |     raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
mailcowdockerized-acme-mailcow-1  | ValueError: Challenge did not pass for autodiscover.my-second-domain.si: {'identifier': {'type': 'dns', 'value': 'autodiscover.my-second-domain.si'}, 'status': 'invalid', 'expires': '2022-10-30T14:14:11Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': '91.xxx.xxx.xxx: Invalid response from https://my-second-domain.si/.well-known/acme-challenge/uCxxxxIY: "<!DOCTYPE html>\\n<html>\\n\\n<head>\\n\\t<meta charset=\\"utf-8\\">\\n\\t<meta http-equiv=\\"X-UA-Compatible\\" content=\\"IE=edge\\">\\n\\t<meta name=\\"viewp"', 'status': 403}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/xxx/xxx', 'token': 'uCxxxxIY', 'validationRecord': [{'url': 'http://autodiscover.my-second-domain.si/.well-known/acme-challenge/uCxxxxIY', 'hostname': 'autodiscover.my-second-domain.si', 'port': '80', 'addressesResolved': ['91.xxx.xxx.xxx'], 'addressUsed': '91.xxx.xxx.xxx'}, {'url': 'https://my-second-domain.si/.well-known/acme-challenge/uCxxxxIY', 'hostname': 'my-second-domain.si', 'port': '443', 'addressesResolved': ['91.xxx.xxx.xxx'], 'addressUsed': '91.xxx.xxx.xxx'}], 'validated': '2022-10-23T14:42:15Z'}]}
mailcowdockerized-acme-mailcow-1  | Sun Oct 23 16:42:25 CEST 2022 - Failed to obtain certificate /var/lib/acme/mail.my-main-domain.mk/cert.pem for domains 'mail.my-main-domain.mk autoconfig.my-main-domain.mk autoconfig.my-second-domain.si autodiscover.my-main-domain.mk autodiscover.my-second-domain.si'
mailcowdockerized-acme-mailcow-1  | OK
mailcowdockerized-acme-mailcow-1  | Sun Oct 23 16:42:25 CEST 2022 - Some errors occurred, retrying in 30 minutes...
mailcowdockerized-acme-mailcow-1  | OK

One of the problems is that I have entered (via the web GUI) my-second-domain.si; however, this domain is not entered into DNS (actually, DNS for this domain points to another server). Unfortunately, I cannot log in to the web GUI, because the SSL cert is not valid and HSTS is enabled…

But I think the main problem is: why does mail.my-main-domain.mk not get validated? In data/assets/ssl/mail.my-main-domain.mk I have cert.pem and key.pem which are valid through 2023. But it seems these files do not get copied to the correct place for acme-mailcow??

The problem is that you haven’t configured autodiscover.my-second-domain.si properly and it is not correctly pointing towards your mailcow or so.

When the domain is accessed, it returns:

<!DOCTYPE html>\\n<html>\\n\\n<head>\\n\\t<meta 

But it should show any acme-challenge.

You could exclude the domain as a workaround or so.
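To make the failure above easier to read before touching DNS or mailcow.conf, here is an added example (not part of this thread or of mailcow/acme-tiny) that parses the "Challenge did not pass" line acme-tiny prints and reports, per SAN, whether the validator got an HTML page instead of the token and whether a redirect sent it to a different host. The sample log line is constructed with example.test names, the documentation address 203.0.113.10 and a dummy token.

```python
import ast
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape acme-tiny prints above (example.test names,
# documentation IP 203.0.113.10 and a dummy token; not a real validation record).
SAMPLE_LINE = (
    "ValueError: Challenge did not pass for autodiscover.example.test: "
    "{'identifier': {'type': 'dns', 'value': 'autodiscover.example.test'}, "
    "'status': 'invalid', 'challenges': [{'type': 'http-01', 'status': 'invalid', "
    "'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': "
    "'203.0.113.10: Invalid response from https://example.test/.well-known/"
    "acme-challenge/TOKEN: \"<!DOCTYPE html>\\\\n<html>\"', 'status': 403}, "
    "'token': 'TOKEN', 'validationRecord': ["
    "{'url': 'http://autodiscover.example.test/.well-known/acme-challenge/TOKEN', "
    "'hostname': 'autodiscover.example.test', 'port': '80', 'addressUsed': '203.0.113.10'}, "
    "{'url': 'https://example.test/.well-known/acme-challenge/TOKEN', "
    "'hostname': 'example.test', 'port': '443', 'addressUsed': '203.0.113.10'}]}]}"
)

ERR_RE = re.compile(r"Challenge did not pass for (?P<domain>[^\s:]+): (?P<authz>\{.*\})\s*$")

def parse_acme_tiny_error(line: str) -> Optional[Tuple[str, dict]]:
    """Extract (domain, authorization object) from acme-tiny's ValueError line."""
    m = ERR_RE.search(line)
    if not m:
        return None
    # acme-tiny prints the authorization as a Python repr, so literal_eval parses it safely.
    return m.group("domain"), ast.literal_eval(m.group("authz"))

def diagnose_authz(domain: str, authz: dict) -> List[str]:
    """Turn a failed http-01 authorization into plain findings for the operator."""
    findings: List[str] = []
    for ch in authz.get("challenges", []):
        if ch.get("type") != "http-01" or ch.get("status") != "invalid":
            continue
        err = ch.get("error", {})
        findings.append(f"{domain}: http-01 failed with {err.get('type')} (HTTP {err.get('status')})")
        if re.search(r"<!DOCTYPE html|<html", err.get("detail", ""), re.I):
            findings.append("  the responder returned an HTML page instead of the bare token")
        recs = ch.get("validationRecord", [])
        for rec in recs:
            findings.append(f"  fetched {rec['url']} from {rec['addressUsed']}")
        if len(recs) > 1 and recs[-1]["hostname"] != domain:
            findings.append(f"  a redirect sent the validator to {recs[-1]['hostname']}; check that "
                            f"{domain} resolves to the mailcow host and that nothing in front of it "
                            "rewrites /.well-known/acme-challenge/")
    return findings

if __name__ == "__main__":
    parsed = parse_acme_tiny_error(SAMPLE_LINE)
    if parsed:
        print("\n".join(diagnose_authz(*parsed)))
```

Feed it the real line from `docker-compose logs acme-mailcow` to see which of the SANs needs its DNS or web front-end fixed before the next 30-minute retry.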


I was also thinking of that.
But how to do that? I cannot see any reference to my-second-domain.si in the config files… (in /opt/mailcow-dockerized).

It should be in mailcow.conf somewhere. In ADDITIONAL_SAN or so (don’t recall the exact name, sorry)

Actually this is weird.

In mailcow.conf I have just:

MAILCOW_HOSTNAME=mail.my-main-domain.mk

and ADDITIONAL_SAN= (is empty). No reference to my secondary domain…
