Hi,
I have my email server with MailCow. It is set up on a VPS.
This server serves several of my domains and several email accounts.
A few days ago my SSL certificate expired. I was convinced that MailCow would renew it automatically, but it didn’t.
I wanted to do it manually, but I have a lot of errors that I don’t really know how to deal with. The log is under the post.
Currently, I do not have access to emails because after entering the address in the browser I receive the error:
You cannot visit mail.myserverdomain.co.uk right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
The latest version of MailCow. I did an update on April 19th.
Log from SSL certificate renewal:
root@mail:/opt/mailcow-dockerized# docker-compose restart acme-mailcow && docker-compose logs -f --tail=100 acme-mailcow
[+] Restarting 1/1
✔ Container mailcowdockerized-acme-mailcow-1 Started 0.5s
acme-mailcow-1 | Sun May 12 09:36:28 BST 2024 - Certificate /var/lib/acme/mail.myserverdomain.co.uk/cert.pem is due for renewal (< 30 days) - start renewing
acme-mailcow-1 | Sun May 12 09:36:28 BST 2024 - Creating backups in /var/lib/acme/backups/mail.myserverdomain.co.uk/2024-05-12_09_36_28 ...
acme-mailcow-1 | Sun May 12 09:36:28 BST 2024 - Checking resolver...
acme-mailcow-1 | Sun May 12 09:36:28 BST 2024 - Resolver OK
acme-mailcow-1 | Sun May 12 09:36:28 BST 2024 - Using command acme-tiny --account-key /var/lib/acme/acme/account.pem --disable-check --csr /var/lib/acme/mail.myserverdomain.co.uk/acme.csr --acme-dir /var/www/acme/
acme-mailcow-1 | Parsing account key...
acme-mailcow-1 | Parsing CSR...
acme-mailcow-1 | Found domains: mail.myserverdomain.co.uk
acme-mailcow-1 | Getting directory...
acme-mailcow-1 | Directory found!
acme-mailcow-1 | Registering account...
acme-mailcow-1 | Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/1xxxx10026
acme-mailcow-1 | Creating new order...
acme-mailcow-1 | Order created!
acme-mailcow-1 | Verifying mail.myserverdomain.co.uk...
acme-mailcow-1 | Traceback (most recent call last):
acme-mailcow-1 | File "/usr/bin/acme-tiny", line 8, in <module>
acme-mailcow-1 | sys.exit(main())
acme-mailcow-1 | ^^^^^^
acme-mailcow-1 | File "/usr/lib/python3.11/site-packages/acme_tiny.py", line 195, in main
acme-mailcow-1 | signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
acme-mailcow-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
acme-mailcow-1 | File "/usr/lib/python3.11/site-packages/acme_tiny.py", line 153, in get_crt
acme-mailcow-1 | raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
acme-mailcow-1 | ValueError: Challenge did not pass for mail.myserverdomain.co.uk: {'identifier': {'type': 'dns', 'value': 'mail.myserverdomain.co.uk'}, 'status': 'invalid', 'expires': '2024-05-19T08:36:32Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:connection', 'detail': '5.xxx.xxx.12: Fetching http://mail.myserverdomain.co.uk/.well-known/acme-challenge/0JwQCRe6sq6WxxxxcwXsR35xxxConwUxxxrd6v-Bkpu0s: Timeout during connect (likely firewall problem)', 'status': 400}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/34xxxxx525527/QoBS1A', 'token': '0JwQCRe6sq6WxxxxxxxxxxXsR35pteConwURrd6v-Bkpu0s', 'validationRecord': [{'url': 'http://mail.myserverdomain.co.uk/.well-known/acme-challenge/0JxxxxxxtHcwXsR35pteConwURrd6v-Bkpu0s', 'hostname': 'mail.myserverdomain.co.uk', 'port': '80', 'addressesResolved': ['5.xxx.xxx.12'], 'addressUsed': '5.xxx.xxx.12'}], 'validated': '2024-05-12T08:36:34Z'}]}
acme-mailcow-1 | Sun May 12 09:36:46 BST 2024 - Failed to obtain certificate /var/lib/acme/mail.myserverdomain.co.uk/cert.pem for domains 'mail.myserverdomain.co.uk'
acme-mailcow-1 | OK
acme-mailcow-1 | Sun May 12 09:36:46 BST 2024 - Some errors occurred, retrying in 30 minutes...
acme-mailcow-1 | OK
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Waiting for Docker API...
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Docker API OK
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Waiting for Postfix...
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Postfix OK
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Waiting for Dovecot...
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Dovecot OK
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Waiting for database...
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Database OK
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Waiting for Nginx...
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Nginx OK
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Waiting for resolver...
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Resolver OK
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Waiting for domain table...
acme-mailcow-1 | OK
acme-mailcow-1 | Sun May 12 10:06:46 BST 2024 - Initializing, please wait...
acme-mailcow-1 | Sun May 12 10:06:47 BST 2024 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow-1 | Sun May 12 10:06:47 BST 2024 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow-1 | Sun May 12 10:06:47 BST 2024 - Detecting IP addresses...
acme-mailcow-1 | Sun May 12 10:07:06 BST 2024 - OK: 5.xxx.xxx.12, 0000:0000:0000:0000:0000:0000:0000:0000
acme-mailcow-1 | Sun May 12 10:07:13 BST 2024 - No A or AAAA record found for hostname autodiscover.domain1.pl
acme-mailcow-1 | Sun May 12 10:07:13 BST 2024 - No A or AAAA record found for hostname autoconfig.domain1.pl
acme-mailcow-1 | Sun May 12 10:07:18 BST 2024 - No A or AAAA record found for hostname autodiscover.myserverdomain.co.uk
acme-mailcow-1 | Sun May 12 10:07:18 BST 2024 - No A or AAAA record found for hostname autoconfig.myserverdomain.co.uk
acme-mailcow-1 | Sun May 12 10:07:21 BST 2024 - No A or AAAA record found for hostname autodiscover.domain2.co.uk
acme-mailcow-1 | Sun May 12 10:07:21 BST 2024 - No A or AAAA record found for hostname autoconfig.domain2.co.uk
acme-mailcow-1 | Sun May 12 10:07:22 BST 2024 - No A or AAAA record found for hostname autodiscover.domain3.co.uk
acme-mailcow-1 | Sun May 12 10:07:24 BST 2024 - No A or AAAA record found for hostname autoconfig.domain3.co.uk
acme-mailcow-1 | Sun May 12 10:07:25 BST 2024 - No A or AAAA record found for hostname autodiscover.domain4.co.uk
acme-mailcow-1 | Sun May 12 10:07:26 BST 2024 - No A or AAAA record found for hostname autoconfig.domain4.co.uk
acme-mailcow-1 | Sun May 12 10:07:26 BST 2024 - Found A record for mail.myserverdomain.co.uk: 5.xxx.xxx.12
acme-mailcow-1 | Sun May 12 10:07:26 BST 2024 - Confirmed A record 5.xxx.xxx.12
acme-mailcow-1 | Sun May 12 10:07:26 BST 2024 - Certificate /var/lib/acme/mail.myserverdomain.co.uk/cert.pem is due for renewal (< 30 days) - start renewing
acme-mailcow-1 | Sun May 12 10:07:26 BST 2024 - Creating backups in /var/lib/acme/backups/mail.myserverdomain.co.uk/2024-05-12_10_07_26 ...
acme-mailcow-1 | Sun May 12 10:07:26 BST 2024 - Checking resolver...
acme-mailcow-1 | Sun May 12 10:07:27 BST 2024 - Resolver OK
acme-mailcow-1 | Sun May 12 10:07:27 BST 2024 - Using command acme-tiny --account-key /var/lib/acme/acme/account.pem --disable-check --csr /var/lib/acme/mail.myserverdomain.co.uk/acme.csr --acme-dir /var/www/acme/
acme-mailcow-1 | Parsing account key...
acme-mailcow-1 | Parsing CSR...
acme-mailcow-1 | Found domains: mail.myserverdomain.co.uk
acme-mailcow-1 | Getting directory...
acme-mailcow-1 | Directory found!
acme-mailcow-1 | Registering account...
acme-mailcow-1 | Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/1xxxxx0026
acme-mailcow-1 | Creating new order...
acme-mailcow-1 | Order created!
acme-mailcow-1 | Verifying mail.myserverdomain.co.uk...
acme-mailcow-1 | Traceback (most recent call last):
acme-mailcow-1 | File "/usr/bin/acme-tiny", line 8, in <module>
acme-mailcow-1 | sys.exit(main())
acme-mailcow-1 | ^^^^^^
acme-mailcow-1 | File "/usr/lib/python3.11/site-packages/acme_tiny.py", line 195, in main
acme-mailcow-1 | signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
acme-mailcow-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
acme-mailcow-1 | File "/usr/lib/python3.11/site-packages/acme_tiny.py", line 153, in get_crt
acme-mailcow-1 | raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
acme-mailcow-1 | ValueError: Challenge did not pass for mail.myserverdomain.co.uk: {'identifier': {'type': 'dns', 'value': 'mail.myserverdomain.co.uk'}, 'status': 'invalid', 'expires': '2024-05-19T09:07:30Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:connection', 'detail': '5.xxx.xxx.12: Fetching http://mail.myserverdomain.co.uk/.well-known/acme-challenge/6GUExxxxxxxsxxxq-PWI2xxxxxxxxr92ZEFLrScTq-mQ: Timeout during connect (likely firewall problem)', 'status': 400}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/349xxxxxxx897/hpd0rg', 'token': '6GUxxxxxxPdsq-PWI2dxxxxxxxxxxFLrScTq-mQ', 'validationRecord': [{'url': 'http://mail.myserverdomain.co.uk/.well-known/acme-challenge/6GUExxxxxxxxxxq-PWI2xxxxxxxxxxxxx2ZEFLrScTq-mQ', 'hostname': 'mail.myserverdomain.co.uk', 'port': '80', 'addressesResolved': ['5.xxx.xxx.12'], 'addressUsed': '5.xxx.xxx.12'}], 'validated': '2024-05-12T09:07:32Z'}]}
acme-mailcow-1 | Sun May 12 10:07:45 BST 2024 - Failed to obtain certificate /var/lib/acme/mail.myserverdomain.co.uk/cert.pem for domains 'mail.myserverdomain.co.uk'
acme-mailcow-1 | OK
acme-mailcow-1 | Sun May 12 10:07:45 BST 2024 - Some errors occurred, retrying in 30 minutes...
acme-mailcow-1 | OK
acme-mailcow-1 | Sun May 12 10:31:52 BST 2024 - Waiting for Docker API...
acme-mailcow-1 | Sun May 12 10:31:52 BST 2024 - Docker API OK
acme-mailcow-1 | Sun May 12 10:31:52 BST 2024 - Waiting for Postfix...
acme-mailcow-1 | Sun May 12 10:31:52 BST 2024 - Postfix OK
acme-mailcow-1 | Sun May 12 10:31:52 BST 2024 - Waiting for Dovecot...
acme-mailcow-1 | Sun May 12 10:31:52 BST 2024 - Dovecot OK
acme-mailcow-1 | Sun May 12 10:31:52 BST 2024 - Waiting for database...
acme-mailcow-1 | Sun May 12 10:31:52 BST 2024 - Database OK
acme-mailcow-1 | Sun May 12 10:31:52 BST 2024 - Waiting for Nginx...
acme-mailcow-1 | Sun May 12 10:31:52 BST 2024 - Nginx OK
acme-mailcow-1 | Sun May 12 10:31:52 BST 2024 - Waiting for resolver...
acme-mailcow-1 | Sun May 12 10:31:54 BST 2024 - Resolver OK
acme-mailcow-1 | Sun May 12 10:31:54 BST 2024 - Waiting for domain table...
acme-mailcow-1 | OK
acme-mailcow-1 | Sun May 12 10:31:54 BST 2024 - Initializing, please wait...
acme-mailcow-1 | Sun May 12 10:31:54 BST 2024 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow-1 | Sun May 12 10:31:54 BST 2024 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow-1 | Sun May 12 10:31:54 BST 2024 - Detecting IP addresses...
acme-mailcow-1 | Sun May 12 10:32:17 BST 2024 - OK: 5.xxx.xxx.12, 0000:0000:0000:0000:0000:0000:0000:0000
acme-mailcow-1 | Sun May 12 10:32:19 BST 2024 - No A or AAAA record found for hostname autodiscover.domain1.pl
acme-mailcow-1 | Sun May 12 10:32:21 BST 2024 - No A or AAAA record found for hostname autoconfig.domain1.pl
acme-mailcow-1 | Sun May 12 10:32:23 BST 2024 - No A or AAAA record found for hostname autodiscover.myserverdomain.co.uk
acme-mailcow-1 | Sun May 12 10:32:24 BST 2024 - No A or AAAA record found for hostname autoconfig.myserverdomain.co.uk
acme-mailcow-1 | Sun May 12 10:32:27 BST 2024 - No A or AAAA record found for hostname autodiscover.domain2.co.uk
acme-mailcow-1 | Sun May 12 10:32:28 BST 2024 - No A or AAAA record found for hostname autoconfig.domain2.co.uk
acme-mailcow-1 | Sun May 12 10:32:28 BST 2024 - No A or AAAA record found for hostname autodiscover.domain3.co.uk
acme-mailcow-1 | Sun May 12 10:32:29 BST 2024 - No A or AAAA record found for hostname autoconfig.domain3.co.uk
acme-mailcow-1 | Sun May 12 10:32:32 BST 2024 - No A or AAAA record found for hostname autodiscover.domain4.co.uk
acme-mailcow-1 | Sun May 12 10:32:33 BST 2024 - No A or AAAA record found for hostname autoconfig.domain4.co.uk
acme-mailcow-1 | Sun May 12 10:32:34 BST 2024 - Found A record for mail.myserverdomain.co.uk: 5.xxx.xxx.12
acme-mailcow-1 | Sun May 12 10:32:34 BST 2024 - Confirmed A record 5.xxx.xxx.12
acme-mailcow-1 | Sun May 12 10:32:34 BST 2024 - Certificate /var/lib/acme/mail.myserverdomain.co.uk/cert.pem is due for renewal (< 30 days) - start renewing
acme-mailcow-1 | Sun May 12 10:32:34 BST 2024 - Creating backups in /var/lib/acme/backups/mail.myserverdomain.co.uk/2024-05-12_10_32_34 ...
acme-mailcow-1 | Sun May 12 10:32:34 BST 2024 - Checking resolver...
acme-mailcow-1 | Sun May 12 10:32:34 BST 2024 - Resolver OK
acme-mailcow-1 | Sun May 12 10:32:34 BST 2024 - Using command acme-tiny --account-key /var/lib/acme/acme/account.pem --disable-check --csr /var/lib/acme/mail.myserverdomain.co.uk/acme.csr --acme-dir /var/www/acme/
acme-mailcow-1 | Parsing account key...
acme-mailcow-1 | Parsing CSR...
acme-mailcow-1 | Found domains: mail.myserverdomain.co.uk
acme-mailcow-1 | Getting directory...
acme-mailcow-1 | Directory found!
acme-mailcow-1 | Registering account...
acme-mailcow-1 | Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/15xxxxxx026
acme-mailcow-1 | Creating new order...
acme-mailcow-1 | Order created!
acme-mailcow-1 | Verifying mail.myserverdomain.co.uk...
acme-mailcow-1 | Traceback (most recent call last):
acme-mailcow-1 | File "/usr/bin/acme-tiny", line 8, in <module>
acme-mailcow-1 | sys.exit(main())
acme-mailcow-1 | ^^^^^^
acme-mailcow-1 | File "/usr/lib/python3.11/site-packages/acme_tiny.py", line 195, in main
acme-mailcow-1 | signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
acme-mailcow-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
acme-mailcow-1 | File "/usr/lib/python3.11/site-packages/acme_tiny.py", line 153, in get_crt
acme-mailcow-1 | raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
acme-mailcow-1 | ValueError: Challenge did not pass for mail.myserverdomain.co.uk: {'identifier': {'type': 'dns', 'value': 'mail.myserverdomain.co.uk'}, 'status': 'invalid', 'expires': '2024-05-19T09:32:37Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:connection', 'detail': '5.xxx.xxx.12: Fetching http://mail.myserverdomain.co.uk/.well-known/acme-challenge/Dy2gDNpwQUMxxxxxxxxcvAfgqnxad2RUSO3fM: Timeout during connect (likely firewall problem)', 'status': 400}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/3xxxxxxxx17/CKuexx', 'token': 'Dy2gDNpwxxxxxxx81toCcvAfgqxxxxxxxxO3fM', 'validationRecord': [{'url': 'http://mail.myserverdomain.co.uk/.well-known/acme-challenge/Dyxxxxxxxxxxxxxxxxxxx81toCcvAfgqnxadxxUSO3fM', 'hostname': 'mail.myserverdomain.co.uk', 'port': '80', 'addressesResolved': ['5.xxx.xxx.12'], 'addressUsed': '5.xxx.xxx.12'}], 'validated': '2024-05-12T09:32:39Z'}]}
acme-mailcow-1 | Sun May 12 10:32:51 BST 2024 - Failed to obtain certificate /var/lib/acme/mail.myserverdomain.co.uk/cert.pem for domains 'mail.myserverdomain.co.uk'
acme-mailcow-1 | OK
acme-mailcow-1 | Sun May 12 10:32:51 BST 2024 - Some errors occurred, retrying in 30 minutes...
acme-mailcow-1 | OK
Do you know how to resolve this issue?
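An added example, not part of the original post and not MailCow or acme-tiny code: a small Python parser that pulls the failed challenge out of the `ValueError` line acme-tiny prints, so the challenge type, ACME error type, port and address the CA used can be read at a glance. The sample log is constructed (placeholder host, IP and token), and the hint texts are this example's own wording keyed on RFC 8555 error types.

```python
import ast
import re

# Constructed sample modelled on the log in the post; host, IP and token are placeholders.
SAMPLE_LOG = """\
acme-mailcow-1 | Verifying mail.example.org...
acme-mailcow-1 | ValueError: Challenge did not pass for mail.example.org: {'identifier': {'type': 'dns', 'value': 'mail.example.org'}, 'status': 'invalid', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:connection', 'detail': '203.0.113.10: Fetching http://mail.example.org/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)', 'status': 400}, 'token': 'TOKEN', 'validationRecord': [{'hostname': 'mail.example.org', 'port': '80', 'addressesResolved': ['203.0.113.10'], 'addressUsed': '203.0.113.10'}]}]}
acme-mailcow-1 | Sun May 12 09:36:46 BST 2024 - Some errors occurred, retrying in 30 minutes...
"""

FAILURE = re.compile(r"ValueError: Challenge did not pass for (\S+): (\{.*\})\s*$")

# RFC 8555 error type (suffix after urn:ietf:params:acme:error:) -> first thing to check.
HINTS = {
    "connection": "CA could not connect: check inbound firewall, NAT and the listener on that port",
    "dns": "CA could not resolve the name: check the public A/AAAA records",
    "unauthorized": "CA got an unexpected response: check what serves /.well-known/acme-challenge/",
    "rateLimited": "too many requests: wait before retrying",
}

def parse_challenge_failures(log_text):
    """Return one dict per failed challenge found in acme-tiny ValueError lines."""
    failures = []
    for line in log_text.splitlines():
        match = FAILURE.search(line)
        if not match:
            continue
        # acme-tiny formats the authorization as a Python dict repr, so literal_eval reads it.
        domain, authz = match.group(1), ast.literal_eval(match.group(2))
        for chall in authz.get("challenges", []):
            err = chall.get("error")
            if not err:
                continue
            kind = err["type"].rsplit(":", 1)[-1]
            record = (chall.get("validationRecord") or [{}])[-1]
            failures.append({
                "domain": domain,
                "challenge": chall["type"],
                "error": kind,
                "port": record.get("port"),
                "address": record.get("addressUsed"),
                "hint": HINTS.get(kind, "see the error detail"),
                "detail": err.get("detail", ""),
            })
    return failures

if __name__ == "__main__":
    for f in parse_challenge_failures(SAMPLE_LOG):
        print("{domain} {challenge} port {port} via {address}: {error} -> {hint}".format(**f))
```

Feeding it the output of `docker-compose logs acme-mailcow` from the post would report an `http-01` challenge failing with a `connection` error on port 80, which matches the "Timeout during connect (likely firewall problem)" detail in the log.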