Hello! I have found quite a few links about this topic, none of which helped me, for example:
I’ve tried to follow:
And considering disabling IPv6 if nothing else works… https://docs.mailcow.email/post_installation/firststeps-disable_ipv6/
I have tried restarting acme, docker, and the VPS. The VPS is hosted with ETH-services.
I consistently get the same error, where ACME cannot correctly detect the IPv6 address.
acme-mailcow-1 | Sun Nov 24 13:35:00 CET 2024 - Initializing, please wait...
acme-mailcow-1 | Sun Nov 24 13:35:01 CET 2024 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow-1 | Sun Nov 24 13:35:01 CET 2024 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow-1 | Sun Nov 24 13:35:01 CET 2024 - Detecting IP addresses...
acme-mailcow-1 | Sun Nov 24 13:35:38 CET 2024 - OK: 45.86.125.252, 0000:0000:0000:0000:0000:0000:0000:0000
acme-mailcow-1 | Sun Nov 24 13:35:39 CET 2024 - Found AAAA record for mta-sts.1107.se: 2a0c:8900:1:100::2f7d:d1bd - skipping A record check
acme-mailcow-1 | Sun Nov 24 13:35:39 CET 2024 - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname mta-sts.1107.se (DNS returned 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd)
acme-mailcow-1 | Sun Nov 24 13:35:39 CET 2024 - Found AAAA record for autodiscover.1107.se: 2a0c:8900:1:100::2f7d:d1bd - skipping A record check
acme-mailcow-1 | Sun Nov 24 13:35:39 CET 2024 - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname autodiscover.1107.se (DNS returned 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd)
acme-mailcow-1 | Sun Nov 24 13:35:39 CET 2024 - Found AAAA record for autoconfig.1107.se: 2a0c:8900:1:100::2f7d:d1bd - skipping A record check
acme-mailcow-1 | Sun Nov 24 13:35:39 CET 2024 - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname autoconfig.1107.se (DNS returned 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd)
acme-mailcow-1 | Sun Nov 24 13:35:39 CET 2024 - Found AAAA record for mail.1107.se: 2a0c:8900:1:100::2f7d:d1bd - skipping A record check
acme-mailcow-1 | Sun Nov 24 13:35:39 CET 2024 - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname mail.1107.se (DNS returned 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd)
acme-mailcow-1 | Sun Nov 24 13:35:39 CET 2024 - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour.
acme-mailcow-1 | Sun Nov 24 13:35:39 CET 2024 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
I have not changed anything recently except doing the usual updates.
Does anyone know how to approach this problem? Is there an alternative except to disable IPv6 entirely?
Thanks!
Also, is there a way to renew certificates for IPv4 and NOT check IPv6 for example? Another option I considered was to disable the IP check but I would prefer not to do this if possible.
OK, I tried one more thing, to disable the IPv4 check in mailcow.conf, force a renewal (according to docs), and restart mailcow.
I then get a different error: “Confirmed AAAA record with IP 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd, but HTTP validation failed”
acme-mailcow-1 | Sun Nov 24 14:04:23 CET 2024 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow-1 | Sun Nov 24 14:04:23 CET 2024 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow-1 | Sun Nov 24 14:04:27 CET 2024 - Found AAAA record for mta-sts.1107.se: 2a0c:8900:1:100::2f7d:d1bd - skipping A record check
acme-mailcow-1 | Sun Nov 24 14:04:31 CET 2024 - Confirmed AAAA record with IP 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd, but HTTP validation failed
acme-mailcow-1 | Sun Nov 24 14:04:31 CET 2024 - Found AAAA record for autodiscover.1107.se: 2a0c:8900:1:100::2f7d:d1bd - skipping A record check
acme-mailcow-1 | Sun Nov 24 14:04:34 CET 2024 - Confirmed AAAA record with IP 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd, but HTTP validation failed
acme-mailcow-1 | Sun Nov 24 14:04:34 CET 2024 - Found AAAA record for autoconfig.1107.se: 2a0c:8900:1:100::2f7d:d1bd - skipping A record check
acme-mailcow-1 | Sun Nov 24 14:04:37 CET 2024 - Confirmed AAAA record with IP 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd, but HTTP validation failed
acme-mailcow-1 | Sun Nov 24 14:04:37 CET 2024 - Found AAAA record for mail.1107.se: 2a0c:8900:1:100::2f7d:d1bd - skipping A record check
acme-mailcow-1 | Sun Nov 24 14:04:40 CET 2024 - Confirmed AAAA record with IP 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd, but HTTP validation failed
acme-mailcow-1 | Sun Nov 24 14:04:40 CET 2024 - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour.
acme-mailcow-1 | Sun Nov 24 14:04:40 CET 2024 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
So then I found this thread: mailcow/mailcow-dockerized#4463
And I also disabled HTTP verification. Again I tried to force a renewal and restart mailcow:
cd /opt/mailcow-dockerized
docker compose down
touch data/assets/ssl/force_renew
docker compose up -d
Then I got the below:
acme-mailcow-1 | Sun Nov 24 14:10:27 CET 2024 - Initializing, please wait...
acme-mailcow-1 | Could not find certificate from <stdin>
acme-mailcow-1 | Could not find certificate from <stdin>
acme-mailcow-1 | Sun Nov 24 14:10:28 CET 2024 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow-1 | Sun Nov 24 14:10:28 CET 2024 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow-1 | Sun Nov 24 14:10:29 CET 2024 - Found AAAA record for mta-sts.1107.se: 2a0c:8900:1:100::2f7d:d1bd - skipping A record check
acme-mailcow-1 | (skipping check, returning 0)
acme-mailcow-1 | Sun Nov 24 14:10:29 CET 2024 - Confirmed AAAA record with IP 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd
acme-mailcow-1 | Sun Nov 24 14:10:29 CET 2024 - Found AAAA record for autodiscover.1107.se: 2a0c:8900:1:100::2f7d:d1bd - skipping A record check
acme-mailcow-1 | (skipping check, returning 0)
acme-mailcow-1 | Sun Nov 24 14:10:30 CET 2024 - Confirmed AAAA record with IP 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd
acme-mailcow-1 | Sun Nov 24 14:10:30 CET 2024 - Found AAAA record for autoconfig.1107.se: 2a0c:8900:1:100::2f7d:d1bd - skipping A record check
acme-mailcow-1 | (skipping check, returning 0)
acme-mailcow-1 | Sun Nov 24 14:10:30 CET 2024 - Confirmed AAAA record with IP 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd
acme-mailcow-1 | Sun Nov 24 14:10:30 CET 2024 - Found AAAA record for mail.1107.se: 2a0c:8900:1:100::2f7d:d1bd - skipping A record check
acme-mailcow-1 | (skipping check, returning 0)
acme-mailcow-1 | Sun Nov 24 14:10:30 CET 2024 - Confirmed AAAA record with IP 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd
acme-mailcow-1 | Sun Nov 24 14:10:30 CET 2024 - Certificate /var/lib/acme/mail.1107.se/cert.pem missing or changed domains 'mail.1107.se autoconfig.1107.se autodiscover.1107.se mta-sts.1107.se' - start obtaining
acme-mailcow-1 | Sun Nov 24 14:10:30 CET 2024 - Copying shared private key for this certificate...
acme-mailcow-1 | Sun Nov 24 14:10:30 CET 2024 - Checking resolver...
acme-mailcow-1 | Sun Nov 24 14:10:30 CET 2024 - Resolver OK
acme-mailcow-1 | Sun Nov 24 14:10:30 CET 2024 - Using command acme-tiny --account-key /var/lib/acme/acme/account.pem --disable-check --csr /var/lib/acme/mail.1107.se/acme.csr --acme-dir /var/www/acme/
acme-mailcow-1 | Parsing account key...
acme-mailcow-1 | Parsing CSR...
acme-mailcow-1 | Found domains: mail.1107.se, autoconfig.1107.se, mta-sts.1107.se, autodiscover.1107.se
acme-mailcow-1 | Getting directory...
acme-mailcow-1 | Directory found!
acme-mailcow-1 | Registering account...
acme-mailcow-1 | Registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/2074911827
acme-mailcow-1 | Creating new order...
acme-mailcow-1 | Order created!
acme-mailcow-1 | Verifying autoconfig.1107.se...
acme-mailcow-1 | Traceback (most recent call last):
acme-mailcow-1 | File "/usr/bin/acme-tiny", line 8, in <module>
acme-mailcow-1 | sys.exit(main())
acme-mailcow-1 | ^^^^^^
acme-mailcow-1 | File "/usr/lib/python3.12/site-packages/acme_tiny.py", line 195, in main
acme-mailcow-1 | signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
acme-mailcow-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
acme-mailcow-1 | File "/usr/lib/python3.12/site-packages/acme_tiny.py", line 153, in get_crt
acme-mailcow-1 | raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
acme-mailcow-1 | ValueError: Challenge did not pass for autoconfig.1107.se: {'identifier': {'type': 'dns', 'value': 'autoconfig.1107.se'}, 'status': 'invalid', 'expires': '2024-12-01T13:10:36Z', 'challenges': [{'type': 'http-01', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall/2074911827/434847377597/CBnvzQ', 'status': 'invalid', 'validated': '2024-11-24T13:10:38Z', 'error': {'type': 'urn:ietf:params:acme:error:connection', 'detail': '45.86.125.252: Fetching https://autoconfig.1107.se/.well-known/acme-challenge/SEd8ejWdBOqkgHQbxCf6XN4u9bGVMuKoRl9ESEtgkFI: Timeout during connect (likely firewall problem)', 'status': 400}, 'token': 'SEd8ejWdBOqkgHQbxCf6XN4u9bGVMuKoRl9ESEtgkFI', 'validationRecord': [{'url': 'http://autoconfig.1107.se/.well-known/acme-challenge/SEd8ejWdBOqkgHQbxCf6XN4u9bGVMuKoRl9ESEtgkFI', 'hostname': 'autoconfig.1107.se', 'port': '80', 'addressesResolved': ['45.86.125.252', '2a0c:8900:1:100::2f7d:d1bd'], 'addressUsed': '2a0c:8900:1:100::2f7d:d1bd'}, {'url': 'http://autoconfig.1107.se/.well-known/acme-challenge/SEd8ejWdBOqkgHQbxCf6XN4u9bGVMuKoRl9ESEtgkFI', 'hostname': 'autoconfig.1107.se', 'port': '80', 'addressesResolved': ['45.86.125.252', '2a0c:8900:1:100::2f7d:d1bd'], 'addressUsed': '45.86.125.252'}, {'url': 'https://autoconfig.1107.se/.well-known/acme-challenge/SEd8ejWdBOqkgHQbxCf6XN4u9bGVMuKoRl9ESEtgkFI', 'hostname': 'autoconfig.1107.se', 'port': '443', 'addressesResolved': ['45.86.125.252', '2a0c:8900:1:100::2f7d:d1bd'], 'addressUsed': '2a0c:8900:1:100::2f7d:d1bd'}]}]}
acme-mailcow-1 | Sun Nov 24 14:10:59 CET 2024 - Failed to obtain certificate /var/lib/acme/mail.1107.se/cert.pem for domains 'mail.1107.se autoconfig.1107.se autodiscover.1107.se mta-sts.1107.se'
acme-mailcow-1 | OK
acme-mailcow-1 | Sun Nov 24 14:10:59 CET 2024 - Some errors occurred, retrying in 30 minutes...
acme-mailcow-1 | OK
Does anyone know what to do about this?
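Added example (not part of the original post, and not mailcow's or acme-tiny's own code): a small Python triage script for the two failure shapes in the logs above, the local "Cannot match your IP" check and the CA-side "Challenge did not pass" authorization. The sample log is shortened from the post with the challenge token replaced by TOKEN; the function names are made up for this example.

```python
import ast
import ipaddress
import re

# Constructed sample, shortened from the log lines in the post (token replaced).
LOG = """\
acme-mailcow-1 | Sun Nov 24 13:35:39 CET 2024 - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname mail.1107.se (DNS returned 2a0c:8900:0001:0100:0000:0000:2f7d:d1bd)
acme-mailcow-1 | ValueError: Challenge did not pass for autoconfig.1107.se: {'status': 'invalid', 'challenges': [{'type': 'http-01', 'error': {'type': 'urn:ietf:params:acme:error:connection', 'detail': '45.86.125.252: Fetching https://autoconfig.1107.se/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)'}, 'validationRecord': [{'port': '80', 'addressUsed': '2a0c:8900:1:100::2f7d:d1bd'}, {'port': '80', 'addressUsed': '45.86.125.252'}, {'port': '443', 'addressUsed': '2a0c:8900:1:100::2f7d:d1bd'}]}]}
"""

MISMATCH = re.compile(r"Cannot match your IP (\S+) against hostname (\S+) \(DNS returned (\S+)\)")
FAILED = re.compile(r"Challenge did not pass for (\S+): (\{.*\})\s*$")


def ip_check_failures(log):
    """Explain each 'Cannot match your IP' line from the acme container."""
    out = []
    for detected, host, dns in MISMATCH.findall(log):
        seen, want = ipaddress.ip_address(detected), ipaddress.ip_address(dns)
        if seen.is_unspecified:
            reason = "own address not detected (all zeros), so no record can match"
        elif seen != want:
            reason = "detected address differs from DNS record"
        else:
            reason = "addresses are equal once normalised"
        out.append((host, str(want), reason))
    return out


def challenge_failures(log):
    """Summarise the CA-side validation path from acme-tiny's ValueError line."""
    out = []
    for line in log.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        authz = ast.literal_eval(m.group(2))  # parses Python literals only, never executes code
        for ch in authz["challenges"]:
            hops = [(r["port"], r["addressUsed"]) for r in ch.get("validationRecord", [])]
            kind = ch["error"]["type"].rsplit(":", 1)[-1]
            out.append((m.group(1), kind, hops, ch["error"]["detail"]))
    return out


if __name__ == "__main__":
    for row in ip_check_failures(LOG) + challenge_failures(LOG):
        print(row)
```

The hop list shows, in order, which port and address the CA connected to for each request, which makes it easier to see whether the failure is on the IPv6 path, the IPv4 path, or after a redirect to port 443.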