When using certbot as my external provider, and the post hook script provided in the docs.mailcow.email Icon docs

all the three containers restart normally, but the cert NGINX uses is not updated. I checked this by running sudo ./helper-scripts/expiry-dates.sh, and postfix and dovecot both have the same date and time, whereas NGINX is stuck on an earlier expiry data, leading me to believe it was not updated. I’ve tried manually restarting the container as well, but that did not work either.

  • DocFraggle replied to this.
  • DocFraggle key from your external certbot were actually copied to mailcow by the script?

    I guess that happened, because postfix and dovecot show the correct “new” expiry dates. However https seems to be routed via a reverse proxy (the script uses the DNS resolution), and one of them has still the old certificate.

    @shadowfox88 you could try to open Mailcow with https and the local IP address of the mailcow host. It should give you a certificate warning (obviously) but you can check if nginx on mailcow is really using the wrong certificate.

    what do you mean with “certbot as my external provider”?
    Do you have a reverse proxy that fetches the LE certificates?

      Have something to say?

      Join the community by quickly registering to participate in this discussion. We'd like to see you joining our great moo-community!

      esackbauer I’m using a local certbot with the cloudflare DNS plugin, however I do have all of my ports proxied through a Caddy instance for the webserver, and a caddy l4 proxy for the others.

      Sounds complicated. it is not mailcows fault because other protocols like SMTP and IMAP are using the new certificate - caddy has probably still the old certificate.
      Try also to clear browser cache.

      The Caddy reverse proxy is on a different machine entirely, for seperate reasons. The certificate isn’t being updated on the machine hosting mailcow, as seen by the expiry-dates script showing different outputs. Caddy just adds a certificate from Me —> Reverse Proxy VPS, however the certificate that encrypts traffic from Reverse Proxy VPS —–> Mailcow Machine is not being updated. Hope this helped clarify everything!

      shadowfox88 the post hook script provided

      Did you check if the certificate and key from your external certbot were actually copied to mailcow by the script? I presume that you changed the path to the correct path to your generated certificate?

        DocFraggle They seem to have been copied (according to what ls -la says at least), and yes I did change the path provided to fit where my generated certificate was.

        DocFraggle key from your external certbot were actually copied to mailcow by the script?

        I guess that happened, because postfix and dovecot show the correct “new” expiry dates. However https seems to be routed via a reverse proxy (the script uses the DNS resolution), and one of them has still the old certificate.

        @shadowfox88 you could try to open Mailcow with https and the local IP address of the mailcow host. It should give you a certificate warning (obviously) but you can check if nginx on mailcow is really using the wrong certificate.

          esackbauer Hmm, upon going to the local IP I can see the dates of the certificate mean that it must be the new one, but that then raises the question of why the helper script shows the wrong date

            shadowfox88 why the helper script shows the wrong date

            I have explained above. Helper script uses DNS name, which points to your reverse proxy…

              No one is typing