Forgive my ignorance, but just wanted to make sure I had this right. For the HTTP and HTTPS Bind, I should be putting my server ip address here if Im not behind a reverse proxy correct? Also I’m suppose to create a file and paste the following in it

server {
root /web;
listen 80 default_server;
listen [::]:80 default_server;
include /etc/nginx/conf.d/server_name.active;
if ( $request_uri ~* “%0A|%0D” ) { return 403; }
location ^~ /.well-known/acme-challenge/ {
allow all;
default_type “text/plain”;
}
location / {
return 301 https://$host$uri$is_args$args;
}
}

    Have something to say?

    Join the community by quickly registering to participate in this discussion. We'd like to see you joining our great moo-community!

    9 days later

    esackbauer
    Thanks for the info. I keep running into the following issue

    Verifying mail.domain..
    acme-mailcow-1 | Traceback (most recent call last):
    acme-mailcow-1 | File “/usr/bin/acme-tiny”, line 8, in <module>
    acme-mailcow-1 | sys.exit(main())
    acme-mailcow-1 | ^^^^^^
    acme-mailcow-1 | File “/usr/lib/python3.11/site-packages/acme_tiny.py”, line 195, in main
    acme-mailcow-1 | signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
    acme-mailcow-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    acme-mailcow-1 | File “/usr/lib/python3.11/site-packages/acme_tiny.py”, line 153, in get_crt
    acme-mailcow-1 | raise ValueError(“Challenge did not pass for {0}: {1}”.format(domain, authorization))
    acme-mailcow-1 | ValueError: Challenge did not pass for mail.domain: {‘identifier’: {‘type’: ‘dns’, ‘value’: ’mail.domain}, ‘status’: ‘invalid’, ‘expires’: ‘2024-06-20T23:23:43Z’, ‘challenges’: [{‘type’: ‘http-01’, ‘url’: ‘ https://acme-v02.api.letsencrypt.org/acme/chall-v3/363605713847/K_2LnQ

    acme-v02.api.letsencrypt.org
    https://acme-v02.api.letsencrypt.org/acme/chall-v3/363605713847/K_2LnQ
    No preview could be generated for this link
    ’, ‘status’: ‘invalid’, ‘validated’: ‘2024-06-13T23:23:44Z’, ‘error’: {‘type’: ‘urn:ietf:params:acme:error:connection’, ‘detail’: ‘ip address: Fetching http://mail.domain/.well-known/acme-challenge/U5FFQysifq2xBOxhEizFUsbnMvdY6GKZqpXkK9is-9U
    mail.domain
    http://mail.domain/.well-known/acme-challenge/U5FFQysifq2xBOxhEizFUsbnMvdY6GKZqpXkK9is-9U
    No preview could be generated for this link
    : Timeout during connect (likely firewall problem)’, ‘status’: 400}, ‘token’: ‘U5FFQysifq2xBOxhEizFUsbnMvdY6GKZqpXkK9is-9U’, ‘validationRecord’: [{‘url’: ‘ http://mail.domain/.well-known/acme-challenge/U5FFQysifq2xBOxhEizFUsbnMvdY6GKZqpXkK9is-9U
    mail.domain
    http://mail.domain/.well-known/acme-challenge/U5FFQysifq2xBOxhEizFUsbnMvdY6GKZqpXkK9is-9U
    No preview could be generated for this link
    ’, ‘hostname’: ’mail.domain, ‘port’: ‘80’, ‘addressesResolved’: [‘ip address’], ‘addressUsed’: ‘ip address’}]}]}
    acme-mailcow-1 | Thu Jun 13 18:23:57 CDT 2024 - Failed to obtain certificate /var/lib/acme/mail.domain/cert.pem for domains ‘mail.domain’
    acme-mailcow-1 | OK
    acme-mailcow-1 | Thu Jun 13 18:23:57 CDT 2024 - Some errors occurred, retrying in 30 minutes…
    acme-mailcow-1 | OK
    Ccanceled

    I have port 80 and 443 opened so I know its reaching out, but I keep getting this. Also I don’t have multiple domains setup either. I do however my domain dns goes through cloudflare.

      You should get the certificates at the reverse proxy and not in mailcow. They need to be updated on BOTH.
      Let the reverse proxy do the ACME LE handling, and copy the mailcow certificate(s) to mailcow.

        5 months later

        esackbauer What permissions should the certs have once I place them in mailcow? Also what is the path location I should put them

            No one is typing