I’ve been battling an issue where the built-in acme container will fail to renew the first domain it tests after a system restart.
I managed to delay the mailcow nginx reverse proxy startup until routing/network access were available, and that delays the acme start, but after that acme fails to verify the first domain it tests.
If I then restart the acme container, it will work correctly.
I believe the issue is that the mailcow web portal is behind an HAProxy and that HAProxy is not allowing ingress to the backend mailcow webserver until it is detected as being up.
The ACME certificate domain testing occurs before the HAProxy reverse proxy detects the nginx reverse proxy as being up, and thus the domain verification fails.
I could just turn off HTTP verification I guess, but perhaps the acme container itself should verify that the main web portal is available before it proceeds to test all the other domains? And it should also wait until it has network access to the acme backend servers before proceeding as well.
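
One way to implement the pre-flight check suggested in the post above, as an added example that is not part of the original post and not mailcow's own code. The function names, the `TRIES`/`DELAY` variables, their defaults and the URLs in the usage comment are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not mailcow code): hold back HTTP validation until
#   1) the portal answers on its public name, i.e. through HAProxy, and
#   2) the ACME directory is reachable from this container.
# Function names, TRIES/DELAY and the URLs below are assumptions.

# probe URL: succeeds only if an HTTP response below 400 arrives within
# 5 seconds. HAProxy answers 503 while it still considers the backend
# down, so --fail turns that state into "not ready".
probe() {
    curl --silent --fail --max-time 5 --output /dev/null "$1"
}

# wait_for URL MAX_TRIES DELAY_SECONDS
# Returns 0 as soon as probe succeeds, 1 once every attempt has failed.
wait_for() {
    url=$1; max=$2; delay=$3; try=1
    while [ "$try" -le "$max" ]; do
        if probe "$url"; then
            return 0
        fi
        echo "not ready ($try/$max): $url" >&2
        try=$((try + 1))
        if [ "$try" -le "$max" ]; then
            sleep "$delay"
        fi
    done
    return 1
}

# preflight PORTAL_URL ACME_DIRECTORY_URL
# Returns 2 if the portal never came up behind the proxy,
# 3 if the ACME directory was unreachable, 0 if both checks passed.
preflight() {
    wait_for "$1" "${TRIES:-30}" "${DELAY:-10}" || return 2
    wait_for "$2" "${TRIES:-30}" "${DELAY:-10}" || return 3
    return 0
}

# Usage (placeholder hosts):
#   preflight "http://mail.example.com/" "https://acme.example.net/directory" \
#       && echo "safe to start domain validation"
```

The probe has to target the public hostname rather than the container's internal address, otherwise it bypasses HAProxy and passes while the proxy still marks the backend as down.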