MAILCOW_HOSTNAME suddenly missing in SSL Certificate

torcolato

Hi all,
i get warnings in mail client and browser due to missing MAILCOW_HOSTNAME in SSL certificate from Lets Encrypt.
It seems it has been renewed yesterday, at least it says: Validity=>Not Before: Sep 24 07:59:03 2024 GMT

Subject is CN = autoconfig.denominazione.de which is NOT the MAILCOW_HOSTNAME.

I found no error or something related to this in the logs.
Any hint highly appreciated!

Thanks,
Christian

DocFraggle

Yes, your certificate includes only autoconfig.* and autodiscover.* SANs

https://www.ssl.org/report/autoconfig.denominazione.de

Did you accidentally delete your primary DNS entry?

torcolato

Thanks for your reply.

But, no, DNS Entries are there: A as well as AAAA entry.
;; ANSWER SECTION: mail.fabbrica.one. 3600 IN A 168.119.183.13 mail.fabbrica.one. 3600 IN AAAA 2a01:4f8:c013:1a10::1

esackbauer

make sure that the MAILCOW_HOSTNAME is correctly configured in mailcow.conf.
Then run update.sh
If its still not working, try force renewal.

DocFraggle

If you browse to http://mail.fabbrica.one you reach an Apache server. Did you accidentally install Apache on your mailcow host?
Due to this Apache instance the Letsencrypt http verification for mail.fabbrica.one isn’t working

esackbauer

Seems like he uses a not properly configured reverse proxy.

torcolato

Yes, @DocFraggle and @esackbauer
Mailcow is behind Apache proxy.
I am quite certain we followed the docs (https://docs.mailcow.email/post_installation/reverse-proxy/r_p-apache24/) by the word, but will double check again.

DocFraggle

Is it possible that you actually forgot to change CHANGE_TO_MAILCOW_HOSTNAME to your mailcow hostname?

torcolato

No, MAILCOW_HOSTNAME is correctly set in mailcow.conf and also with same value in apaches ServerName directive.

DocFraggle

You added an AAAA record as well for mail.fabbrica.one and I think we had another thread in this forum where we discovered that if an AAAA record exists this will be used to verify the certificate request (this may have been implemented just recently). Did you check your ACME container’s log to check if it’s trying to do that? I guess you didn’t include IPv6 in your reverse proxy config? Because in your linked example it isn’t configured.

EDIT: here’s the thread: https://community.mailcow.email/d/3998-acme-http-validation-failed/3

torcolato

@DocFraggle OUCH. This indeed may be part of or all of the problem.
Will check and come back.