Mailcow have lost its SSL and doesn't renew it.

comfuzio

Hi everybody, I have my mailcow server up and running for like 1 year now? Maybe even more.
I never had prior to this problem with the SSL.
Anyway, I try to open my outlook client and I get the “trust this cert” message, I have tried to go the web ui, from Chrome I can’t access it but I can via firefox.
I googled about this and found few articles but didn’t help much.
My setup is at hetzner a dedicated server running proxmox and there I have pfsense with a few extra IPs.
I have added those IPs into my pfsense and I have set a specific one for mailcow, also made rules so when it sends mails, to send them via this IP and not the primary, otherwise gmail mostly rejected my emails.

Mailcow is full updated and I will post my commands:
$ cd /opt/mailcow-dockerized
$ docker compose restart acme-mailcow
$ docker compose logs –tail=200 -f acme-mailcow

from which i take those replies:
root@MailCow:/opt/mailcow-dockerized# docker compose logs –tail=200 -f acme-mailcow
acme-mailcow-1 | Mon Feb 26 09:05:05 EET 2024 - Waiting for Docker API…
acme-mailcow-1 | Mon Feb 26 09:05:05 EET 2024 - Docker API OK
acme-mailcow-1 | Mon Feb 26 09:05:05 EET 2024 - Waiting for Postfix…
acme-mailcow-1 | ping: bad address ‘postfix’
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Postfix OK
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Waiting for Dovecot…
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Dovecot OK
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Waiting for database…
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Database OK
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Waiting for Nginx…
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Nginx OK
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Waiting for resolver…
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Resolver OK
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Waiting for domain table…
acme-mailcow-1 | OK
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Initializing, please wait…
acme-mailcow-1 | Could not read certificate from <stdin>
acme-mailcow-1 | Could not read certificate from <stdin>
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow-1 | Mon Feb 26 09:05:06 EET 2024 - Detecting IP addresses…
acme-mailcow-1 | Mon Feb 26 09:05:28 EET 2024 - OK: 65.109.XX.XX, 0000:0000:0000:0000:0000:0000:0000:0000
acme-mailcow-1 | Mon Feb 26 09:05:35 EET 2024 - No A or AAAA record found for hostname imap.adomain.eu
acme-mailcow-1 | Mon Feb 26 09:05:37 EET 2024 - Found A record for autodiscover.adomain.eu: 65.109.XX.XX
acme-mailcow-1 | Mon Feb 26 09:05:55 EET 2024 - Confirmed A record with IP 65.109.XX.XX, but HTTP validation failed

The thing is, it never asked me to add an A record for imap.* so out of the 20 domains attached to my mailcow 0 have that record in CloudFlare, but ok I went there and I have added the A record for all domains.
I am getting the exact same error!
All the ports listed by mailcow are open with NAT to the correct internal IP of the MailCow VM.

Any suggestions?

Kind regards,
George

Ok I haven’t googled about the “HTTP validation failed” by doing so I have found this mailcow/mailcow-dockerized4463
And I did now:
$ nano mailcow.conf
SKIP_IP_CHECK=y
SKIP_HTTP_VERIFICATION=y

$ docker compose down
$ service docker restart
$ docker compose up -d
$ docker compose logs –tail=200 -f acme-mailcow

It seems to be moving, while before it would stuck forever in the first alphabetical domain and maaaybe after 30 mins move to 2nd and so on.

So the question is: what changed out of nowhere and it needed this change in the .conf?

DocFraggle

What’s in your ADDITIONAL_SAN variable in your mailcow.conf? I checked the acme.sh script, it iterates over this variable and checks if the A records are present.

EDIT: to clarify, if you have configured this variable:

ADDITIONAL_SAN=imap.*,smtp.*

then ACME checks for imap.yourdomain.com and smtp.yourdomain.com as well

comfuzio

DocFraggle
I am sorry for the long delay, didn’t see I had a reply!
From my mailcow.conf
ADDITIONAL_SAN=imap.*,
just that, no smtp

DocFraggle

comfuzio well, somehow the “imap.*” was added by you, as this line is empty per default… if you don’t want the imap prefix, reset it to

ADDITIONAL_SAN=

If you keep it, remove the comma (,) at the end of the line and make sure you have the correct A or CNAME records in your DNS config

You can restart the ACME process: https://docs.mailcow.email/post_installation/firststeps-ssl/?h=touch#force-renewal

comfuzio

DocFraggle
I have removed the imap.*, entirely since I can’t recall ever adding it there!
I am thinking of moving that server to arm64 vm in hetzner with 8gb ram.
Is the migration an easy process?
Prior to that the only change I had made to this VM was that I had on it directly a true IP and I was getting hammered by attacks, then just added the IP behind pfsense and added that vm to the lan side of pfsense which has drastically reduced all the attacks.

rbrunka

Probably it is a network issue.

If your server is behind NAT some routers are blocking the connections to your public IPs and the forwarding back to your server doesn’t work, you can get something like: “Confirmed A record with IP 65.109.XX.XX, but HTTP validation failed”

You have two ways:

configure the firewall rules
(simplest) add your public IP to your loopback interface:
ip a a 65.109.XX.XX/32 dev lo

After that mailcow acme can connect back to your server and you will get the certs.