Mailcow Acme Issue

sirmorphic

Hello, new to the forums. Appreciate the great software stack.

I am running into an issue with acme for mailcow, and I think I am banging my head against the wall. Was hoping for a second set of eyes to point out what I am glancing over:

Am I missing something obvious?

esackbauer

sirmorphic Am I missing something obvious?

Yes, telling us the version numbers (mailcow, Docker, docker-compose) and where are you running on (VPS, VM, which operating system, are you using a firewall like UFW) etcetc.

Are the firewall ports open? ACME needs port 80.

sirmorphic

Apologies @esackbauer . The version is 2024-06c. It is running on a vm in proxmox, running ubuntu 22.04, with ufw running and enabled. I have the following for ufw currently:

22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443 ALLOW Anywhere
8433:8443/tcp ALLOW Anywhere
25/tcp ALLOW Anywhere
465/tcp ALLOW Anywhere
587/tcp ALLOW Anywhere
143/tcp ALLOW Anywhere
993/tcp ALLOW Anywhere
110/tcp ALLOW Anywhere
995/tcp ALLOW Anywhere
4190/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
8433:8443/tcp (v6) ALLOW Anywhere (v6)
25/tcp (v6) ALLOW Anywhere (v6)
465/tcp (v6) ALLOW Anywhere (v6)
587/tcp (v6) ALLOW Anywhere (v6)
143/tcp (v6) ALLOW Anywhere (v6)
993/tcp (v6) ALLOW Anywhere (v6)
110/tcp (v6) ALLOW Anywhere (v6)
995/tcp (v6) ALLOW Anywhere (v6)
4190/tcp (v6) ALLOW Anywhere (v6)

Port 80 responds.

I see this when I decode base64:

Parsing account key…
Parsing CSR…
Found domains: mail.domain.com
Getting directory…
Directory found!
Registering account…
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/ACCOUNT
Creating new order…
Traceback (most recent call last):
File “/usr/bin/acme-tiny”, line 8, in <module>
sys.exit(main())
^^^^^^^^^
File “/usr/lib/python3.12/site-packages/acme_tiny.py”, line 195, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/lib/python3.12/site-packages/acme_tiny.py”, line 120, in get_crt
order, _, order_headers = _send_signed_request(directory[‘newOrder’], order_payload, “Error creating new order”)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/lib/python3.12/site-packages/acme_tiny.py”, line 60, in _send_signed_request
return _do_request(url, data=data.encode(‘utf8’), err_msg=err_msg, depth=depth)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/lib/python3.12/site-packages/acme_tiny.py”, line 46, in _do_request
raise ValueError(f"{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error creating new order:
Url: https://acme-v02.api.letsencrypt.org/acme/new-order

Response Code: 429
Response: {‘type’: ‘urn:ietf:params:acme:error:rateLimited’, ‘detail’: ‘Error creating new order : too many certificates (5) already issued for this exact set of domains in the last 168 hours: mail.domain.com, retry after 2024-07-13T23:05:21Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/’, ‘status’: 429}

Aside from the many attempts, I am unable to for example, use TLS as it shows its not trusted.

Of another note, this is running in a reverse proxy in cloudpanel. I do have a valid ssl from cloudpanel to the subdomain for management.

esackbauer

sirmorphic Error creating new order : too many certificates (5) already issued for this exact set of domains in the last 168 hours: mail.domain.com, retry after 2024-07-13T23:05:21Z: see

Ok, something did work with Lets Encrypt server, you probably tried too often and are banned for now.

If you have a reverse proxy, you must decide where you run ACME. I run ACME on my reverse proxy and copy the certificates to mailcow (because they are not only needed for https).

If you want to run ACME on mailcow, you must use the reverse proxy configs that let ACME pass:
https://docs.mailcow.email/post_installation/reverse-proxy/r_p-nginx/
and have your reverse proxy not getting the certificates and copy them from mailcow to the reverse proxy

If you run ACME on both the reverse proxy and mailcow for the same hostname, then desaster will strike (like the bans you have run into)

sirmorphic TLS as it shows its not trusted.

you can use it, but it is still the self-signed certificate that the mailcow installation creates