Forgive my ignorance, but I just wanted to make sure I have this right. For the HTTP and HTTPS bind, I should be putting my server IP address here if I'm not behind a reverse proxy, correct? Also, I'm supposed to create a file and paste the following into it:

server {
    root /web;
    listen 80 default_server;
    listen [::]:80 default_server;
    include /etc/nginx/conf.d/server_name.active;

    # Reject request URIs carrying encoded CR/LF (header-injection attempts).
    if ( $request_uri ~* "%0A|%0D" ) { return 403; }

    # Serve ACME HTTP-01 challenge files from /web/.well-known/acme-challenge/ over plain HTTP.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$uri$is_args$args;
    }
}
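The acme-challenge location in the config above exists so the CA can fetch one file per challenge and compare its body against the key authorization derived from the account key. The following is an added example (not code from the post, mailcow or acme-tiny) that computes that body the way RFC 8555 section 8.3 and RFC 7638 define it and checks a served body against it; the JWK and the token are constructed placeholders, not a real account key.

```python
"""Compute and verify an ACME HTTP-01 key authorization.

Added example for this thread; not part of mailcow or acme-tiny.
The account JWK and token below are constructed placeholders.
"""
import base64
import hashlib
import json

# Constructed EC P-256 account public key in JWK form. x and y are placeholder
# strings of the right shape; they are not a real key. kid and alg are present
# to show that the thumbprint ignores members that are not part of the key.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/0",  # placeholder
    "alg": "ES256",
}

# RFC 7638: the required public members per key type, and nothing else.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used everywhere in ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members, keys sorted, no whitespace (RFC 7638)."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at http://<host>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def verify_challenge_body(token: str, body: bytes, jwk: dict) -> bool:
    """Compare a fetched body with the expected key authorization.

    RFC 8555 says the server SHOULD ignore trailing whitespace, so a file
    written with a final newline still validates.
    """
    return body.decode("utf-8", errors="replace").rstrip() == key_authorization(token, jwk)


if __name__ == "__main__":
    token = "constructed-token-not-from-a-real-order"   # placeholder token
    expected = key_authorization(token, ACCOUNT_JWK)
    print(f"write this to /web/.well-known/acme-challenge/{token}:")
    print(expected)
    print("self-check:", verify_challenge_body(token, (expected + "\n").encode(), ACCOUNT_JWK))
```

A practical check is to fetch `http://<host>/.well-known/acme-challenge/<token>` from a machine outside your network and run the body through `verify_challenge_body`; if the connection itself times out before any body arrives, the problem is reachability of port 80 rather than the file content.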


9 days later

esackbauer
Thanks for the info. I keep running into the following issue

Verifying mail.domain..
acme-mailcow-1 | Traceback (most recent call last):
acme-mailcow-1 |   File "/usr/bin/acme-tiny", line 8, in <module>
acme-mailcow-1 |     sys.exit(main())
acme-mailcow-1 |              ^^^^^^
acme-mailcow-1 |   File "/usr/lib/python3.11/site-packages/acme_tiny.py", line 195, in main
acme-mailcow-1 |     signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
acme-mailcow-1 |                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
acme-mailcow-1 |   File "/usr/lib/python3.11/site-packages/acme_tiny.py", line 153, in get_crt
acme-mailcow-1 |     raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
acme-mailcow-1 | ValueError: Challenge did not pass for mail.domain: {'identifier': {'type': 'dns', 'value': 'mail.domain'}, 'status': 'invalid', 'expires': '2024-06-20T23:23:43Z', 'challenges': [{'type': 'http-01', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/363605713847/K_2LnQ', 'status': 'invalid', 'validated': '2024-06-13T23:23:44Z', 'error': {'type': 'urn:ietf:params:acme:error:connection', 'detail': 'ip address: Fetching http://mail.domain/.well-known/acme-challenge/U5FFQysifq2xBOxhEizFUsbnMvdY6GKZqpXkK9is-9U: Timeout during connect (likely firewall problem)', 'status': 400}, 'token': 'U5FFQysifq2xBOxhEizFUsbnMvdY6GKZqpXkK9is-9U', 'validationRecord': [{'url': 'http://mail.domain/.well-known/acme-challenge/U5FFQysifq2xBOxhEizFUsbnMvdY6GKZqpXkK9is-9U', 'hostname': 'mail.domain', 'port': '80', 'addressesResolved': ['ip address'], 'addressUsed': 'ip address'}]}]}
acme-mailcow-1 | Thu Jun 13 18:23:57 CDT 2024 - Failed to obtain certificate /var/lib/acme/mail.domain/cert.pem for domains 'mail.domain'
acme-mailcow-1 | OK
acme-mailcow-1 | Thu Jun 13 18:23:57 CDT 2024 - Some errors occurred, retrying in 30 minutes...
acme-mailcow-1 | OK
^Ccanceled

I have ports 80 and 443 open, so I know it's reaching out, but I keep getting this. Also, I don't have multiple domains set up either. I do, however, have my domain DNS going through Cloudflare.
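The useful part of a failure like the one above is the authorization object acme-tiny prints: the challenge's `error.type` says what category of failure the CA saw, and `validationRecord` says which address and port it actually tried. The following is an added example (not code from the thread or from acme-tiny) that pulls those fields out of such an object; the sample dict is constructed to mirror the posted traceback, with the domain and IP kept as the placeholders shown there, and the hints are general descriptions of the RFC 8555 section 6.7 error types, not a diagnosis of this particular server.

```python
"""Triage a failed ACME authorization object.

Added example for this thread; not part of acme-tiny or mailcow.
SAMPLE_AUTHZ is constructed to mirror the posted traceback.
"""

# Constructed sample with the same shape as the authorization dict in the
# traceback; 'mail.domain' and 'ip address' are the placeholders from the post.
SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "mail.domain"},
    "status": "invalid",
    "expires": "2024-06-20T23:23:43Z",
    "challenges": [{
        "type": "http-01",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/363605713847/K_2LnQ",
        "status": "invalid",
        "validated": "2024-06-13T23:23:44Z",
        "error": {
            "type": "urn:ietf:params:acme:error:connection",
            "detail": ("ip address: Fetching http://mail.domain/.well-known/acme-challenge/"
                       "U5FFQysifq2xBOxhEizFUsbnMvdY6GKZqpXkK9is-9U: "
                       "Timeout during connect (likely firewall problem)"),
            "status": 400,
        },
        "token": "U5FFQysifq2xBOxhEizFUsbnMvdY6GKZqpXkK9is-9U",
        "validationRecord": [{
            "url": "http://mail.domain/.well-known/acme-challenge/U5FFQysifq2xBOxhEizFUsbnMvdY6GKZqpXkK9is-9U",
            "hostname": "mail.domain",
            "port": "80",
            "addressesResolved": ["ip address"],
            "addressUsed": "ip address",
        }],
    }],
}

# RFC 8555 section 6.7 error types commonly seen on failed validations and
# what each category means in general terms.
ERROR_HINTS = {
    "urn:ietf:params:acme:error:connection":
        "CA could not open a TCP connection to addressUsed on the given port "
        "(firewall, wrong A/AAAA record, or nothing listening there)",
    "urn:ietf:params:acme:error:dns":
        "CA could not resolve the name; check the A/AAAA records",
    "urn:ietf:params:acme:error:unauthorized":
        "CA connected but the response did not prove control (wrong key authorization body)",
    "urn:ietf:params:acme:error:incorrectResponse":
        "CA got a response with the wrong content (error page, redirect target, stale file)",
    "urn:ietf:params:acme:error:tls":
        "TLS error while the CA followed a redirect to HTTPS",
}


def triage_authorization(authz: dict, challenge_type: str = "http-01") -> dict:
    """Return the fields worth reading first from a failed authorization object."""
    matching = [c for c in authz.get("challenges", []) if c.get("type") == challenge_type]
    if not matching:
        raise ValueError(f"no {challenge_type} challenge in authorization")
    chal = matching[0]
    err = chal.get("error") or {}
    records = chal.get("validationRecord") or [{}]
    record = records[-1]                      # the CA's last attempt
    return {
        "domain": authz["identifier"]["value"],
        "status": chal.get("status"),
        "error_type": err.get("type"),
        "detail": err.get("detail"),
        "address_used": record.get("addressUsed"),
        "addresses_resolved": record.get("addressesResolved", []),
        "port": record.get("port"),
        "hint": ERROR_HINTS.get(err.get("type"), "see the detail string"),
    }


if __name__ == "__main__":
    for key, value in triage_authorization(SAMPLE_AUTHZ).items():
        print(f"{key:18} {value}")
```

The point of `addressesResolved` versus `addressUsed` is that the CA records which of the resolved IPs it connected to; if that is not the address your nginx actually listens on, the DNS record (or whatever is in front of the host) is where to look first.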

You should get the certificates at the reverse proxy and not in mailcow. They need to be updated on BOTH.
Let the reverse proxy do the ACME LE handling, and copy the mailcow certificate(s) to mailcow.

5 months later

esackbauer
What permissions should the certs have once I place them in mailcow? Also, what is the path where I should put them?
