Hi All.
My team and I have been battling to get mailcow running on our servers for the past few weeks.
Installation goes perfectly fine, but ACME-mailcow is unable to generate the certificates.
It detects our public IP correctly, but then the A record DNS lookup reverts back to the VM's internal LAN IP.
Here are our logs; we have tried 8 times on fresh Ubuntu 22.04 installs. Any help would be greatly appreciated.
acme-mailcow-1 | 2024-04-15T06:58:11.088646840Z Mon Apr 15 09:58:11 EAT 2024 - Waiting for Docker API…
acme-mailcow-1 | 2024-04-15T06:58:11.111293170Z Mon Apr 15 09:58:11 EAT 2024 - Docker API OK
acme-mailcow-1 | 2024-04-15T06:58:11.127157703Z Mon Apr 15 09:58:11 EAT 2024 - Waiting for Postfix…
acme-mailcow-1 | 2024-04-15T06:58:11.145927392Z Mon Apr 15 09:58:11 EAT 2024 - Postfix OK
acme-mailcow-1 | 2024-04-15T06:58:11.160810560Z Mon Apr 15 09:58:11 EAT 2024 - Waiting for Dovecot…
acme-mailcow-1 | 2024-04-15T06:58:11.180074776Z Mon Apr 15 09:58:11 EAT 2024 - Dovecot OK
acme-mailcow-1 | 2024-04-15T06:58:11.271384324Z Mon Apr 15 09:58:11 EAT 2024 - Waiting for database…
acme-mailcow-1 | 2024-04-15T06:58:11.305947845Z Mon Apr 15 09:58:11 EAT 2024 - Database OK
acme-mailcow-1 | 2024-04-15T06:58:11.321035452Z Mon Apr 15 09:58:11 EAT 2024 - Waiting for Nginx…
acme-mailcow-1 | 2024-04-15T06:58:11.347624963Z Mon Apr 15 09:58:11 EAT 2024 - Nginx OK
acme-mailcow-1 | 2024-04-15T06:58:11.361708441Z Mon Apr 15 09:58:11 EAT 2024 - Waiting for resolver…
acme-mailcow-1 | 2024-04-15T06:58:11.479971547Z Mon Apr 15 09:58:11 EAT 2024 - Resolver OK
acme-mailcow-1 | 2024-04-15T06:58:11.493756001Z Mon Apr 15 09:58:11 EAT 2024 - Waiting for domain table…
acme-mailcow-1 | 2024-04-15T06:58:11.640666094Z OK
acme-mailcow-1 | 2024-04-15T06:58:11.654540698Z Mon Apr 15 09:58:11 EAT 2024 - Initializing, please wait…
acme-mailcow-1 | 2024-04-15T06:58:12.370569315Z Mon Apr 15 09:58:12 EAT 2024 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow-1 | 2024-04-15T06:58:12.384939555Z Mon Apr 15 09:58:12 EAT 2024 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow-1 | 2024-04-15T06:58:12.403864022Z Mon Apr 15 09:58:12 EAT 2024 - Detecting IP addresses…
acme-mailcow-1 | 2024-04-15T06:58:22.445191380Z Mon Apr 15 09:58:22 EAT 2024 - OK: 196.xxx.xx.xx, 0000:0000:0000:0000:0000:0000:0000:0000
acme-mailcow-1 | 2024-04-15T06:58:22.794571804Z Mon Apr 15 09:58:22 EAT 2024 - Found A record for mail.xyz.com: 10.10.1.109
acme-mailcow-1 | 2024-04-15T06:58:22.809034264Z Mon Apr 15 09:58:22 EAT 2024 - Cannot match your IP 196.xxx.xx.xx against hostname mail.xyz.com (DNS returned 10.10.1.109)
acme-mailcow-1 | 2024-04-15T06:58:22.829510734Z Mon Apr 15 09:58:22 EAT 2024 - Cannot validate any hostnames, skipping Let’s Encrypt for 1 hour.
acme-mailcow-1 | 2024-04-15T06:58:22.842764297Z Mon Apr 15 09:58:22 EAT 2024 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
acme-mailcow-1 | 2024-04-15T06:58:22.859996359Z OK
To add more info, our network is behind a Cisco router, which is NAT-ing our public IP to the VM's internal IP.
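An added example, not part of the original post and not mailcow's own code: a small Python triage script over acme-mailcow output that classifies each "Cannot match your IP" line by whether the DNS answer the container received is an RFC 1918 address or a different public address. The function name, the verdict labels and the last two sample lines are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: an A record inside these is an internal address, not a public one.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the mismatch line format shown in the log above.
MISMATCH = re.compile(
    r"Cannot match your IP (?P<detected>\S+) against hostname (?P<host>\S+) "
    r"\(DNS returned (?P<returned>[^)]+)\)"
)

def classify_mismatches(log_text):
    """Return (hostname, detected_ip, dns_answer, verdict) for each mismatch line."""
    results = []
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if not m:
            continue
        answer = m["returned"].strip()
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            verdict = "unparseable-answer"   # redacted or malformed value in the log
        else:
            if any(addr in net for net in RFC1918):
                verdict = "private-answer"   # resolver handed back an internal address
            else:
                verdict = "public-mismatch"  # record points at some other public host
        # The detected IP is kept as text because logs are often posted redacted.
        results.append((m["host"], m["detected"], answer, verdict))
    return results

# First line is taken from the log above; the other two are constructed samples.
SAMPLE_LOG = """\
acme-mailcow-1 | 2024-04-15T06:58:22.809034264Z Mon Apr 15 09:58:22 EAT 2024 - Cannot match your IP 196.xxx.xx.xx against hostname mail.xyz.com (DNS returned 10.10.1.109)
acme-mailcow-1 | (constructed) - Cannot match your IP 203.0.113.10 against hostname mail.example.org (DNS returned 198.51.100.7)
acme-mailcow-1 | (constructed) - Cannot match your IP 203.0.113.10 against hostname mx.example.org (DNS returned 196.xxx.xx.xx)
"""

if __name__ == "__main__":
    for host, detected, answer, verdict in classify_mismatches(SAMPLE_LOG):
        print(f"{host}: detected={detected} dns={answer} -> {verdict}")
```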