SSL certs for custom MX/A records

gregwbrooks

Hi – moving over from Mail In A Box and loving everything about Mailcow so far.
My issue: I’ve set up about 15 domains, adding mail.{domain.tld} as an A record that also becomes the MX and is CNAME’d to autoconfig and autodiscover. Everything works in terms of sending and receiving email, but:

Outlook and other clients complain about a bad certificate when using mail.{domain.tld} for the SMTP and POP servers; and
Web traffic to mail.{domain.tld} does not have an SSL certificate.
-

I’ve modified ADDITIONAL_SAN=mail.*, restarted acme-mailcow and even brought the whole server down and back up, to no avail. Pretty sure I’m missing something basic, but can’t quite figure it out from the docs and would appreciate any help. Thanks!

esackbauer

gregwbrooks restarted acme-mailcow and even brought the whole server down and back up

did you do docker compose up -d?

DocFraggle

Hi, to force the ACME container to renew your certificate you need to create a file. This is what I do (of course depending on the directory where you installed mailcow):

cd /opt/mailcow-dockerized
touch data/assets/ssl/force_renew
docker compose restart acme-mailcow

To watch the log:
docker compose logs --tail=200 -f acme-mailcow

piperino

AFAIK you can do Wildcards for mail.* . that would mean he ssl’d my own domain as well🙂
You should rather do *.{domain.tld} and add all 15 domains to the ADDITIONAL_SAN=

DocFraggle

piperino I don’t get it, why would you do that instead of using mail.*?

piperino

DocFraggle
mail.* would be sufficient to SSL every TLD starting with “mail.”. but i can be wrong of course.

At least i’ve never seen such a Wildcard. 🙂

DocFraggle

piperino it works as intended 🙂
That’s my setting:
ADDITIONAL_SAN=mail.*,sogo.*
So all my configured domains in mailcow get two additional SANs (mail.example.com and sogo.example.com) in the main certificate

Ah, I think now I understand what you meant 😃 no, it’s not the mail* wildcard ACME uses, the asterisk is just a placeholder for all domains you configured in the mailcow UI. So the final SAN will be mail.domain1.tld, mail.domain2.tld and so on

piperino

DocFraggle
okay.
but your certs are looking like *.example.com, right? in this case maillcow/ACME is doing something.

Sorry for my ignorance and start confusing you guy’s here🙂 sorry OP
I’m also fairly new to mailcow, coming from a standalone postfix/cyrus/amavis…. system.
Mailcow is doing so many things for you out of the box where on my other system it’s some sort of “hard” work and you some sort of knowledge🙂

DocFraggle

It looks like this:

plus the default SANs like autodiscover.* and autoconfig.*

sojic

I have the same requirement and problem. Any solution on this?

esackbauer

Let me guess, you haven’t had a look at the lets encrypt/ACME logs?
Have you done the force renewal as mentionied in the second posting?

sojic

esackbauer I have looked. There is no anything regarding the mail.domainB.com

Also I have tried with

cd /opt/mailcow-dockerized
touch data/assets/ssl/force_renew
docker compose restart acme-mailcow
docker compose logs --tail=200 -f acme-mailcow

esackbauer

And did you do:

docker compose down
docker compose up -d

after changing the mailcow.conf? Because normal rebooting/restarting wont apply the changes.

sojic

It seams I haven’t. I have just did, and it’s great now! Thanks!