I am using Apache and Let's Encrypt, and have a bunch of virtual hosts on my server. Now I want to configure HTTPS for the mailcow backend on “mail.mydomain.com”, which is already an A record in my DNS. I am somewhat confused about how things work together, especially with this acme-container.
According to it is possible to disable/stop the mailcow acme-container and use certbot/Let's Encrypt on my Linux host system?
Which client affects the value SKIP_LETS_ENCRYPT in mailcow.conf - the host-le or the container-le?
Let's Encrypt on the host system instead of acme-container
hrewd the host-le or the container-le?
A container config cannot set things on the host. So it's of course container-le.
hrewd it is possible to disable/stop the mailcow acme-container and use certbot/Let's Encrypt on my Linux host system?
Yes that is actually best practice in your setup.
But if you create or renew LE certs, you must copy the certificates from your Host-LE to mailcow.
Also remember to include all hostnames in the cert; just mail.mydomain.dom is not enough. You need to include autodiscover, autoconfig etc. as SAN.
esackbauer
“But if you create or renew LE certs, you must copy the certificates from your Host-LE to mailcow”
OK, obviously there is still something I don't understand. I wanted to have HTTPS termination and validation for the subdomain mail.mydomain.de to be fully on my host system. The LE cert path is defined in my Apache vhost file for the subdomain, where I also set up this reverse proxy. So why does mailcow still need a copy?
hrewd So why does mailcow still need a copy?
Because mailcow needs that certificate also for POP, IMAP and SMTP…
There are more communication channels than only HTTPS for a mail server.
OK, I wasn't aware that LE certificates used for HTTPS can also be used for e-mail TLS. I already wondered how mailcow obtains certs for IMAP/TLS etc.
Also remember to include all hostnames in the cert; just mail.mydomain.dom is not enough. You need to include autodiscover, autoconfig etc. as SAN.
This means I also have to set up additional subdomains and related virtual hosts such as autodiscover.mydomain.de and autoconfig.mydomain.de and generate certificates for them as well? Actually I only need SOGo as HTTPS.
Yes, your LE cert should have the CN of mail.domain.com (the name mailcow uses as configured hostname) and as SAN additionally autoconfig.domain.com and autodiscover.domain.com and any other domains you want the UI to listen to.
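A check for the SAN coverage discussed in this thread, as an added example that is not part of the original posts or of mailcow's own code: it reports which of the required names (the mail hostname plus autodiscover and autoconfig) a certificate fails to cover. The function names, the `example.com` hostnames and the sample certificate are assumptions constructed for illustration; `fetch_peercert` reads the certificate from an implicit-TLS mail port, since the same certificate also serves IMAP and SMTP.

```python
import socket
import ssl

def required_names(mail_host, mail_domains):
    """Hostnames the certificate must cover: the mailcow hostname plus
    autodiscover/autoconfig for each mail domain (assumed layout)."""
    names = [mail_host.lower()]
    for d in mail_domains:
        names += [f"autodiscover.{d.lower()}", f"autoconfig.{d.lower()}"]
    return names

def san_dns_names(peercert):
    """DNS SAN entries from a dict as returned by SSLSocket.getpeercert()."""
    return [v.lower() for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]

def covers(san, host):
    """Exact match, or a wildcard SAN standing in for exactly one left-most label."""
    if san == host:
        return True
    if san.startswith("*."):
        _, _, parent = host.partition(".")
        return parent == san[2:]
    return False

def missing_names(peercert, mail_host, mail_domains):
    """Required hostnames that no SAN in the certificate covers."""
    sans = san_dns_names(peercert)
    return [h for h in required_names(mail_host, mail_domains)
            if not any(covers(s, h) for s in sans)]

def fetch_peercert(host, port=993, timeout=10):
    """Certificate presented on an implicit-TLS port (993 IMAPS, 465 SMTPS)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: a certificate issued without the autoconfig SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),
                       ("DNS", "autodiscover.example.com")),
}

if __name__ == "__main__":
    print(missing_names(SAMPLE_CERT, "mail.example.com", ["example.com"]))
```

Against a live server, pass `fetch_peercert("mail.example.com", 993)` as the first argument after each renewal and copy to confirm the mail ports present the new certificate.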