I have set up a mail server and it's been running well. I needed another web server, so I set up nginx according to the documentation. Currently the only site that gets SSL is the FQDN of the mail server. I have tried setting up a sites-enabled entry for each server in the forward-facing nginx, and I have also added the domain directory to /data/assets/ssl … I've set additional SANs to mail.* and enabled SNI… basically I have tried a bunch of different things and nothing really works. I'm not sure the documentation was complete for multiple domains. Can anyone point me in the right direction?

Looks like this is a validation issue. ACME logs below (logs trimmed for brevity). I think the redirect to HTTPS might be part of this issue, but I honestly don't know.

- Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
8/16/2020, 2:43:55 PM mail.example1.com - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour.
8/16/2020, 2:43:55 PM mail.example1.com - Confirmed A record with IP 69.x.xxx.xx, but HTTP validation failed
8/16/2020, 2:43:55 PM mail.example1.com - Found A record for mail.example1.com: 69.x.xxx.xx
8/16/2020, 2:43:51 PM mail.example1.com - Confirmed A record with IP 69.x.xxx.xx, but HTTP validation failed
8/16/2020, 2:43:51 PM mail.example1.com - Found A record for autodiscover.example2.com: 69.x.xxx.xx
8/16/2020, 2:43:50 PM mail.example1.com - Confirmed A record with IP 69.x.xxx.xx, but HTTP validation failed
8/16/2020, 2:43:50 PM mail.example1.com - Found A record for autoconfig.example2.com: 69.x.xxx.xx
8/16/2020, 2:43:50 PM mail.example1.com - Confirmed A record with IP 69.x.xxx.xx, but HTTP validation failed
8/16/2020, 2:43:50 PM mail.example1.com - Found A record for autodiscover.example2.com: 69.x.xxx.xx
8/16/2020, 2:43:49 PM mail.example1.com - Confirmed A record with IP 69.x.xxx.xx, but HTTP validation failed
8/16/2020, 2:43:49 PM mail.example2.com - Found A record for mail.example2.com: 69.x.xxx.xx
8/16/2020, 2:43:45 PM mail.example1.com - OK
8/16/2020, 2:43:26 PM mail.example1.com - Detecting IP addresses...
8/16/2020, 2:43:26 PM mail.example1.com - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
8/16/2020, 2:43:26 PM mail.example1.com - Using existing domain rsa key /var/lib/acme/acme/key.pem
8/16/2020, 2:43:26 PM mail.example1.com - Initializing, please wait...
8/16/2020, 2:43:26 PM mail.example1.com - OK
8/16/2020, 2:43:26 PM mail.example1.com - Waiting for domain table...
8/16/2020, 2:43:26 PM mail.example1.com - OK
8/16/2020, 2:43:26 PM mail.example1.com - Waiting for Nginx...
8/16/2020, 2:43:26 PM mail.example1.com - OK
8/16/2020, 2:43:26 PM mail.example1.com - Waiting for database...
8/16/2020, 2:43:26 PM mail.example1.com - OK
8/16/2020, 2:43:26 PM mail.example1.com - Waiting for Docker API...


  • diekuh


Hi,

You don’t need SNI for this. But anyway…

You might want to check the reverse proxy config again or post it.

    • diekuh


    It is also not necessary to create a config for every single domain on your reverse proxy. That’s not mentioned in the docs either. It covers “mailcow_hostname, autoconfig.* and autodiscover.*” in a single site. You need to do that with SNI, yes (see docs), but why even bother with SNI when you can handle the names more easily on your reverse proxy?

    Just create an autoconfig.bla and autodiscover.bla site for each domain (as you do now, I think) and one for MAILCOW_HOSTNAME. Let your reverse proxy and a certbot handle the certificates.
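    The following is an added example of what the reply above describes, not configuration taken from the original posts or from the mailcow documentation. It is a single site on the front-facing nginx that answers for MAILCOW_HOSTNAME plus autoconfig.* and autodiscover.* of every hosted domain (the hostnames from the ACME log above are reused as placeholders), terminates TLS there, and serves certbot's HTTP-01 challenge files before the HTTP-to-HTTPS redirect, which is the part that commonly produces "Confirmed A record ..., but HTTP validation failed". Assumptions: mailcow's own nginx is bound to 127.0.0.1:8080 (HTTP_BIND/HTTP_PORT in mailcow.conf), certbot runs in webroot mode with /var/www/letsencrypt as the webroot, and the certificate lives under the usual /etc/letsencrypt/live/ path.

    ```nginx
    # Added example (not from the original thread or the mailcow project).
    # Assumed: mailcow's nginx listens on 127.0.0.1:8080 (HTTP_BIND/HTTP_PORT),
    # certbot uses --webroot -w /var/www/letsencrypt.

    server {
        listen 80;
        listen [::]:80;
        server_name mail.example1.com
                    autoconfig.example1.com autodiscover.example1.com
                    autoconfig.example2.com autodiscover.example2.com;

        # ACME HTTP-01 challenges must be answered over plain HTTP with a 200,
        # so this location has to come before any redirect to HTTPS.
        location ^~ /.well-known/acme-challenge/ {
            root /var/www/letsencrypt;
            default_type text/plain;
        }

        # Everything else goes to HTTPS.
        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name mail.example1.com
                    autoconfig.example1.com autodiscover.example1.com
                    autoconfig.example2.com autodiscover.example2.com;

        # One certificate carrying all of the names above as SANs, e.g.:
        #   certbot certonly --webroot -w /var/www/letsencrypt \
        #     -d mail.example1.com \
        #     -d autoconfig.example1.com -d autodiscover.example1.com \
        #     -d autoconfig.example2.com -d autodiscover.example2.com
        ssl_certificate     /etc/letsencrypt/live/mail.example1.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mail.example1.com/privkey.pem;

        location / {
            proxy_pass http://127.0.0.1:8080;
            # mailcow picks the autoconfig/autodiscover handler by Host header,
            # so it must be passed through unchanged.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            client_max_body_size 0;
        }
    }
    ```

    Two caveats. Once the proxy owns the certificate, set SKIP_LETS_ENCRYPT=y in mailcow.conf (the option the log above names) so mailcow's acme container stops attempting its own validation every hour. And TLS for IMAP/SMTP is still terminated inside mailcow, not on the proxy, so the certificate obtained here still has to be copied into mailcow's ssl directory (the /data/assets/ssl path mentioned in the first post) after each renewal; the mailcow docs describe doing that from a certbot deploy hook.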

    Hey diekuh, thanks for the reply. Attempting SNI and individual configs was sort of a last-ditch effort to get it working. I never could get it to work, so I reinstalled back to a working default install, and that's where I am now.

    Could you give me a little more information on where to create the autoconfig/autodiscover? I don't want to make incorrect assumptions and break this again, as it's already being used for production.
