mailcow acme will not renew the letsencrypt cert

barnybla

Hi,
my mailcow is running on an esxi server. After installation of the mailcow acme works, mailcow got a cert. But now the first renewal don’t work. I have switched “SKIP_IP_CHECK” and “SKIP_HTTP_VERIFICATION” and “ENABLE_SSL_SNI” to yes. But it don’t work. Normaly it must work, if IP CHECK is switched off.

mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:07:47 CEST 2022 - Initializing, please wait... mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:07:47 CEST 2022 - Using existing domain rsa key /var/lib/acme/acme/key.pem mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:07:47 CEST 2022 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:07:47 CEST 2022 - Detecting IP addresses... mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:08:09 CEST 2022 - OK: xxx.xxx.xx.x, 0000:0000:0000:0000:0000:0000:0000:0000 mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:08:09 CEST 2022 - Found A record for autodiscover.example.com: y.x.zzz.yy mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:08:09 CEST 2022 - Cannot match your IP xxx.xxx.xx.x against hostname autodiscover.example.com (DNS returned y.x.zzz.yy) mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:08:10 CEST 2022 - Found A record for autoconfig.example.com: y.x.zzz.yy mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:08:10 CEST 2022 - Cannot match your IP xxx.xxx.xx.x against hostname autoconfig.example.com (DNS returned y.x.zzz.yy) mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:08:10 CEST 2022 - No A or AAAA record found for hostname autodiscover.example2.com mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:08:10 CEST 2022 - No A or AAAA record found for hostname autoconfig.example2.com mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:08:10 CEST 2022 - Found A record for mail2.example.com: y.x.zzz.yy mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:08:10 CEST 2022 - Cannot match your IP xxx.xxx.xx.x against hostname mail2.example.com (DNS returned y.x.zzz.yy) mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:08:10 CEST 2022 - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour. mailcowdockerized-acme-mailcow-1 | Mon Oct 24 20:08:10 CEST 2022 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently. mailcowdockerized-acme-mailcow-1 | OK
I see that acme gets the IP from the esxi server, i don’t know why. On all other vm’s on the esxi host it works perfect, they got new certs. The IP y.x.zzz.yy is the IP from the mailcow host. How checked acme the own IP address? Is there a possibility to put the right IP in the mailcow.conf file or somewhere else?

Regards
Bernd

aaronsmith

Sounds like you’re NATing the connection somewhere if acme is reporting the IP of your ESXi host vs. your VM. Does your VM have its own routable/public IP address?

If not, then likely what’s happening here is your VM is running on a different ESXi host than what your DNS record points to. You’ll want to pin the VM to the ESXi host who’s IP matches the current DNS record for “autoconfig.example.com” and try again.

barnybla

Yes the VM has an on routable/public IP address. On all other VM’s on that host the renewal of the certs will be OK. If I make a DNSLOOKUP to the IP or hostname the resulution points to the IP or hostname, and not to the IP of te esxi host. All DNS configuration is OK, and on the other VM’s it works fine.

aaronsmith

Do you have HTTP/80 port opened inbound to your VM? That’s a requirement for this process to work.

Also regarding DNS you may want to check other DNS server sources and make sure they also return the same IP for your hostname. And make sure the rDNS is proper as well.

If you’re willing, send me a private message with the hostname and expected IP address for it. I can do my own check as I under unbound for DNS.

barnybla

yes port http/80 is open