SSL certs for custom MX/A records

gregwbrooks · Nov 19, 2023

Hi – moving over from Mail In A Box and loving everything about Mailcow so far.
My issue: I’ve set up about 15 domains, adding mail.{domain.tld} as an A record that also becomes the MX and is CNAME’d to autoconfig and autodiscover. Everything works in terms of sending and receiving email, but:

Outlook and other clients complain about a bad certificate when using mail.{domain.tld} for the SMTP and POP servers; and
Web traffic to mail.{domain.tld} does not have an SSL certificate.
-

I’ve modified ADDITIONAL_SAN=mail.*, restarted acme-mailcow and even brought the whole server down and back up, to no avail. Pretty sure I’m missing something basic, but can’t quite figure it out from the docs and would appreciate any help. Thanks!

DocFraggle · Nov 20, 2023

Hi, to force the ACME container to renew your certificate you need to create a file. This is what I do (of course depending on the directory where you installed mailcow):

cd /opt/mailcow-dockerized
touch data/assets/ssl/force_renew
docker compose restart acme-mailcow

To watch the log:
docker compose logs --tail=200 -f acme-mailcow

Ppiperino · Nov 20, 2023

AFAIK you can do Wildcards for mail.* . that would mean he ssl’d my own domain as well
You should rather do *.{domain.tld} and add all 15 domains to the ADDITIONAL_SAN=

DocFraggle · Nov 20, 2023

piperino I don’t get it, why would you do that instead of using mail.*?

Ppiperino · Nov 20, 2023

DocFraggle
mail.* would be sufficient to SSL every TLD starting with “mail.”. but i can be wrong of course.

At least i’ve never seen such a Wildcard.

esackbauer · Nov 20, 2023

gregwbrooks restarted acme-mailcow and even brought the whole server down and back up

did you do docker compose up -d?

DocFraggle · Nov 20, 2023

piperino it works as intended
That’s my setting:
ADDITIONAL_SAN=mail.*,sogo.*
So all my configured domains in mailcow get two additional SANs (mail.example.com and sogo.example.com) in the main certificate

Ah, I think now I understand what you meant no, it’s not the mail* wildcard ACME uses, the asterisk is just a placeholder for all domains you configured in the mailcow UI. So the final SAN will be mail.domain1.tld, mail.domain2.tld and so on

Ppiperino · Nov 20, 2023

DocFraggle
okay.
but your certs are looking like *.example.com, right? in this case maillcow/ACME is doing something.

Sorry for my ignorance and start confusing you guy’s here sorry OP
I’m also fairly new to mailcow, coming from a standalone postfix/cyrus/amavis…. system.
Mailcow is doing so many things for you out of the box where on my other system it’s some sort of “hard” work and you some sort of knowledge

DocFraggle · Nov 20, 2023

It looks like this:

plus the default SANs like autodiscover.* and autoconfig.*

sojic · May 3, 2024

I have the same requirement and problem. Any solution on this?

esackbauer · May 3, 2024

Let me guess, you haven’t had a look at the lets encrypt/ACME logs?
Have you done the force renewal as mentionied in the second posting?

sojic · May 3, 2024

esackbauer I have looked. There is no anything regarding the mail.domainB.com

Also I have tried with

cd /opt/mailcow-dockerized
touch data/assets/ssl/force_renew
docker compose restart acme-mailcow
docker compose logs --tail=200 -f acme-mailcow

esackbauer · May 3, 2024

And did you do:

docker compose down
docker compose up -d

after changing the mailcow.conf? Because normal rebooting/restarting wont apply the changes.

sojic · May 3, 2024

It seams I haven’t. I have just did, and it’s great now! Thanks!