We made a lot of progress yesterday getting the Outlook email client working, but I am having an issue with the security certificate. I think the problem is that we have 5 different domains and everything gets sent through the primary. Outlook is complaining about the certificate and MXTOOLBOX sees it but says it is not trusted (see image). There may be a different reason, but I assume it is because we are currently testing the email sales@cisrubbertracks.com but the email server is at gemini.cisinc-usa.com. Do I need a custom multi-domain certificate or something? I am not sure how to handle this. I think the DNS is configured correctly (see image). I have done the Force Renewal a couple of times and I think it updated, but I am not positive.
Multiple domain security certificate
You are using the default self-signed certificates that mailcow creates during the first installation.
Is there a reverse proxy? Or do you use the Let's Encrypt client built into mailcow? Is your firewall open on ports 80 and 443?
What do the Let's Encrypt logs say?
And BTW, your reverse DNS (PTR) is wrong; it should point to gemini.cisinc-usa.com.
Did you force the ACME container to generate the certificate as I wrote in the other thread? What’s the log output now?
esackbauer I don't think we have a reverse proxy, just SNAT in the firewall. Yes, currently I am just using the built-in certificate. Where are the Let's Encrypt logs? I should mention I am running mailcow on Ubuntu inside a Windows domain.
[unknown] Yes, I did a Force Renew a couple of times.
acme-mailcow-1 | Tue May 7 09:37:16 EDT 2024 - Initializing, please wait…
acme-mailcow-1 | Tue May 7 09:37:16 EDT 2024 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow-1 | Tue May 7 09:37:16 EDT 2024 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow-1 | Tue May 7 09:37:16 EDT 2024 - Detecting IP addresses…
acme-mailcow-1 | Tue May 7 09:37:37 EDT 2024 - OK: 75.137.34.69, 0000:0000:0000:0000:0000:0000:0000:0000
acme-mailcow-1 | Tue May 7 09:37:37 EDT 2024 - Found A record for autodiscover.cisinc-usa.com: 75.137.34.70
acme-mailcow-1 | Tue May 7 09:37:37 EDT 2024 - Cannot match your IP 75.137.34.69 against hostname autodiscover.cisinc-usa.com (DNS returned 75.137.34.70)
acme-mailcow-1 | Tue May 7 09:37:37 EDT 2024 - Found A record for autoconfig.cisinc-usa.com: 75.137.34.70
acme-mailcow-1 | Tue May 7 09:37:37 EDT 2024 - Cannot match your IP 75.137.34.69 against hostname autoconfig.cisinc-usa.com (DNS returned 75.137.34.70)
acme-mailcow-1 | Tue May 7 09:37:37 EDT 2024 - Found A record for autodiscover.cisrubbertracks.com: 75.137.34.69
acme-mailcow-1 | Tue May 7 09:39:52 EDT 2024 - Confirmed A record with IP 75.137.34.69, but HTTP validation failed
acme-mailcow-1 | Tue May 7 09:39:52 EDT 2024 - Found A record for autoconfig.cisrubbertracks.com: 75.137.34.69
acme-mailcow-1 | Tue May 7 09:42:07 EDT 2024 - Confirmed A record with IP 75.137.34.69, but HTTP validation failed
acme-mailcow-1 | Tue May 7 09:42:07 EDT 2024 - Found A record for GEMINI.cisinc-usa.com: 75.137.34.69
acme-mailcow-1 | Tue May 7 09:44:22 EDT 2024 - Confirmed A record with IP 75.137.34.69, but HTTP validation failed
acme-mailcow-1 | Tue May 7 09:44:22 EDT 2024 - Cannot validate any hostnames, skipping Let’s Encrypt for 1 hour.
acme-mailcow-1 | Tue May 7 09:44:22 EDT 2024 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
esackbauer I will deal with the PTR record later. I really don’t know how I am going to get this done without disrupting our email here.
[unknown] Let's Encrypt doesn't like that my primary domain is still pointed at the old email server.
HTTP verification failed… that’s really strange, I just had a look at the script and it just curls a random file from your Nginx container. You configured your domains in the mailcow UI, right? Did you configure something special in your mailcow.conf?
No, I didn't do anything special in the mailcow.conf. I figure it is because the cisinc-usa.com domain still points to the old email server. Do you think that is the problem? I am going to have to coordinate with my boss to do some testing on the primary domain. Is there any way to limit downtime?
Tony95u I figure it is because the cisinc-usa.com domain still point to the old email server. Do you think that is the problem?
No, I don’t think so, as the script executes the curl command for every domain and SAN you configured separately…
Did you try to restart the whole mailcow system?
docker compose down
docker compose up -d
If this still doesn’t help you could tail the Nginx container logs while you force renew the certificate, maybe you’ll see something there
No, I did change something but can’t remember which file. It had addresses 127.0.0.1 and 127.0.1.1 and I added something like
127.0.1.1 GEMINI
I can tell you if I put gemini.cisinc-usa.com in Firefox on the Ubuntu server it won't go anywhere. I have to put 127.0.0.1 in the browser to bring up the mailcow web page. Not sure if this is normal. Anywhere else on the network I can just enter gemini.cisinc-usa.com and access the Web UI.
I guess you mean /etc/hosts
I suggest you remove this again! (the entry, not the file!)
Yes, I think that was it. Thanks. Trying to find the video that had me add it
it has
127.0.0.1 localhost
127.0.1.1 GEMINI.cisinc-usa.com GEMINI
Does this matter? If I remove GEMINI then won’t GEMINI.cisinc-usa.com still point to the 127.0.1.1?
Remove the whole line, you don’t need it as long as your DNS is correct
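The /etc/hosts entry discussed above pins the server's own FQDN to a loopback address, and such an entry overrides DNS for every process on that host, which is consistent with Firefox on the Ubuntu box reaching nothing at gemini.cisinc-usa.com while the rest of the LAN resolved it via DNS. The following is an added example (not code from the thread or from mailcow) that scans a hosts file for exactly that kind of entry; the SAMPLE_HOSTS text and the 10.20.0.5 address in it are constructed for the demonstration.

```python
"""Added example: find hosts-file entries that map a hostname to a loopback
address (127.0.0.0/8 or ::1). Pure function over the file's text, so the
constructed sample below runs offline; check_hosts_file() reads a real file."""
import ipaddress
from typing import List


def loopback_overrides(hosts_text: str, fqdn: str) -> List[str]:
    """Return the comment-stripped lines that map `fqdn` to a loopback address.
    Hostname comparison is case-insensitive and ignores a trailing dot, as in DNS."""
    want = fqdn.lower().rstrip(".")
    hits: List[str] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        fields = line.split()
        if len(fields) < 2:                   # blank line or address with no names
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:                    # malformed address; not our concern here
            continue
        if not addr.is_loopback:              # covers 127.x.x.x and ::1
            continue
        if any(name.lower().rstrip(".") == want for name in fields[1:]):
            hits.append(line)
    return hits


def check_hosts_file(path: str, fqdn: str) -> List[str]:
    """Convenience wrapper for a live check, e.g. check_hosts_file("/etc/hosts", fqdn)."""
    with open(path, encoding="utf-8") as fh:
        return loopback_overrides(fh.read(), fqdn)


# Constructed sample hosts file mirroring the thread: the second line is the
# entry that was added by hand; 10.20.0.5 is a made-up LAN address.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 GEMINI.cisinc-usa.com GEMINI   # added while following a video
::1 ip6-localhost ip6-loopback
10.20.0.5 fileserver.cisinc-usa.com
"""

if __name__ == "__main__":
    for line in loopback_overrides(SAMPLE_HOSTS, "gemini.cisinc-usa.com"):
        print("overrides DNS on this host:", line)
```

Run it against the real file with `check_hosts_file("/etc/hosts", "gemini.cisinc-usa.com")`; an empty list means the name is left to DNS, which is what the advice above asks for. Note that the browser's own DNS-over-HTTPS setting, if enabled, can bypass /etc/hosts, so test with `getent hosts` as well as Firefox if results disagree.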
The tail command looks like it is stuck. Am I supposed to have to force quit it? I attached what it output. I can get to the Web UI now from the Ubuntu server with gemini.cisinc-usa.com. Does the log look any better? I think it is longer.
Looks to me like nothing changed.
I’m not sure why I can’t just change the MX record to gemini.cisrubbertracks.com, then add an A record to point gemini.cisrubbertracks.com back to my IP address
Tony95u I’m not sure if I understand what you are trying to say
Why can’t you change your DNS entries?
DocFraggle Yes. If the email domain is cisrubbertracks.com, why should I be pointing to cisinc-usa.com just because the server is located there? Seems like my MX should be gemini.cisrubbertracks.com and then an A record named gemini on cisrubbertracks.com that points to the IP of the email server. I suppose all of this is irrelevant if the Encrypt IT isn't working though?
Tony95u Seems like my MX should be gemini.cisrubbertracks.com and then an A record named gemini on cisrubbertracks.com that points to the IP of the email server.
As long as you don’t care about the names you can use GEMINI.cisinc-usa.com as MX for every domain, no need to create an extra A record in every zone you want to use it.
Tony95u I suppose all of this is irrelevant if the Encrypt IT isn’t working though?
Yes, unfortunately… maybe try this:
Switch to the ACME container (assuming /opt/mailcow-dockerized is your mailcow directory):
cd /opt/mailcow-dockerized; docker compose exec acme-mailcow /bin/bash
Then run these commands and paste the output:
echo test1234 > /var/www/acme/test1234
curl -v --insecure -4 -L http://autodiscover.cisrubbertracks.com/.well-known/acme-challenge/test1234
curl -v --insecure -6 -L http://autodiscover.cisrubbertracks.com/.well-known/acme-challenge/test1234
You should get an output like this (IP and domain redacted):
* Host autodiscover.XXXXXXXX.YYY:80 was resolved.
* IPv6: (none)
* IPv4: 1.2.3.4
* Trying 1.2.3.4:80...
* Connected to autodiscover.XXXXXXXX.YYY (1.2.3.4) port 80
> GET /.well-known/acme-challenge/test1234 HTTP/1.1
> Host: autodiscover.XXXXXXXX.YYY
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.25.4
< Date: Wed, 08 May 2024 12:57:11 GMT
< Content-Type: text/plain
< Content-Length: 9
< Last-Modified: Wed, 08 May 2024 12:55:32 GMT
< Connection: keep-alive
< ETag: "663b7644-9"
< Accept-Ranges: bytes
<
test1234
* Connection #0 to host autodiscover.XXXXXXXX.YYY left intact
OK, I will try that. Right now I am disabling IPv6
Best Answer (set by Tony95u)
DocFraggle I don't think disabling IPv6 made a difference, but I was able to get a certificate by setting SKIP_HTTP_VERIFICATION=y in mailcow.conf. Outlook isn't complaining about the new certificate unless I use an alias, which I am going to try to add next. I followed this post
mailcow/mailcow-dockerized#4463
but I didn't have to disable the IP check, just HTTP verification. I am inside a Windows domain and it is not possible to access local servers with their external IP addresses, at least not the way we have them configured. So I just updated mailcow.conf, then
docker-compose down
service docker restart
docker-compose up -d
docker-compose logs --tail=200 -f acme-mailcow
and my cert was issued. Thanks for the help.
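The acme-mailcow log posted earlier in the thread, DocFraggle's manual curl test, and the final fix all turn on the same distinction: a hostname whose A record points elsewhere ("DNS returned ...") versus one whose A record matches but whose challenge URL the server cannot fetch from inside its own NAT ("Confirmed A record ... but HTTP validation failed"). SKIP_HTTP_VERIFICATION=y only skips that local curl pre-check; Let's Encrypt still validates every name from the outside, so the setting is safe only when port 80 is genuinely reachable from the internet, as it evidently was here. The following is an added example, not mailcow's acme script, that reproduces the per-hostname check order from the log with the resolver and fetcher injected, so it runs offline on constructed data (the SAMPLE_DNS table and the RFC 5737 addresses 203.0.113.x are made up; the hostnames are the thread's own); live_resolve and live_fetch let the same logic run for real.

```python
"""Added example: replicate the per-hostname checks seen in the acme-mailcow
log (detect own IP, resolve the A record, compare, then fetch
/.well-known/acme-challenge/<token> over HTTP) and tell the two failure modes
apart. The resolver and fetcher are injectable for offline runs."""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]   # hostname -> A record, or None
Fetcher = Callable[[str], Optional[str]]    # url -> response body, or None


@dataclass
class Verdict:
    hostname: str
    status: str     # "ok" | "no_record" | "ip_mismatch" | "http_failed"
    detail: str


def check_hostname(hostname: str, own_ip: str, token: str,
                   resolve: Resolver, fetch: Fetcher,
                   skip_http: bool = False) -> Verdict:
    """Same order as the log: A record first, then the HTTP pre-check.
    skip_http mirrors SKIP_HTTP_VERIFICATION=y: only the local pre-check is
    skipped; the CA's own validation from outside still has to succeed."""
    addr = resolve(hostname)
    if addr is None:
        return Verdict(hostname, "no_record", "no A record found")
    if addr != own_ip:
        return Verdict(hostname, "ip_mismatch",
                       f"cannot match own IP {own_ip} (DNS returned {addr})")
    if skip_http:
        return Verdict(hostname, "ok", "A record matched; HTTP pre-check skipped")
    url = f"http://{hostname}/.well-known/acme-challenge/{token}"
    body = fetch(url)
    if body is None or body.strip() != token:
        return Verdict(hostname, "http_failed",
                       "confirmed A record, but HTTP validation failed")
    return Verdict(hostname, "ok", "A record and HTTP challenge both verified")


def check_all(hostnames: List[str], own_ip: str, token: str,
              resolve: Resolver, fetch: Fetcher, skip_http: bool = False) -> List[Verdict]:
    return [check_hostname(h, own_ip, token, resolve, fetch, skip_http) for h in hostnames]


def validated(verdicts: List[Verdict]) -> List[str]:
    """Names that would go into the certificate request; an empty list is the
    "Cannot validate any hostnames, skipping Let's Encrypt" situation."""
    return [v.hostname for v in verdicts if v.status == "ok"]


# --- constructed sample mirroring the thread's log (addresses are RFC 5737) ---
OWN_IP = "203.0.113.69"
SAMPLE_DNS: Dict[str, str] = {
    "autodiscover.cisinc-usa.com": "203.0.113.70",      # still points at the old server
    "autoconfig.cisinc-usa.com": "203.0.113.70",
    "autodiscover.cisrubbertracks.com": "203.0.113.69",
    "autoconfig.cisrubbertracks.com": "203.0.113.69",
    "GEMINI.cisinc-usa.com": "203.0.113.69",
}
_LOWER_DNS = {k.lower(): v for k, v in SAMPLE_DNS.items()}


def sample_resolve(hostname: str) -> Optional[str]:
    return _LOWER_DNS.get(hostname.lower())     # DNS names are case-insensitive


def sample_fetch(url: str) -> Optional[str]:
    # Constructed: from inside the LAN the public IP is unreachable (no hairpin
    # NAT), so every HTTP pre-check fails even where the A record matched.
    return None


# --- live resolver/fetcher, stdlib only, for running the same check for real ---
def live_resolve(hostname: str) -> Optional[str]:
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def live_fetch(url: str) -> Optional[str]:
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:  # follows redirects like curl -L
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


if __name__ == "__main__":
    results = check_all(list(SAMPLE_DNS), OWN_IP, "test1234", sample_resolve, sample_fetch)
    for v in results:
        print(f"{v.hostname}: {v.status} ({v.detail})")
    print("would request:", validated(results) or "nothing; ACME run skipped")
```

For a live run, write a token file into the nginx container's /var/www/acme/ as in DocFraggle's instructions, then call `check_all(names, own_public_ip, token, live_resolve, live_fetch)` from the Docker host; a hostname that comes back `http_failed` there but serves the file fine from an external vantage point is the hairpin-NAT case where SKIP_HTTP_VERIFICATION=y is the appropriate fix, while `ip_mismatch` is a DNS problem that no mailcow setting can paper over.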