SSL-Cert renews every day

minecoll_yt

Hello guys!

I have noticed a weird behavior from acme. Every day I receive the cloudflare “certificate transparency notice” because mailcow seems to request a new certificate for autodiscover.xxx every day. And when I visit the autodiscover page the cert is always issued today, despite that it should be valid for a month.

The log states:
mail01.xxx - Certificate /var/lib/acme/mail01.xxx/cert.pem missing or changed domains ‘xxxx’ - start obtaining

But there weren’t any changes to the domains at all and the file cert.pem is not missing or empty.

esackbauer

Do you have set ENABLE_SSL_SNI=y? If yes, why?
Do you have a reverse proxy?

minecoll_yt

Hi, sorry for the late response.

Nope, this setting is disabled.
ENABLE_SSL_SNI=n

Yes, everything should be handled by NPMplus (A fork of the normal Nginx proxy manager)

Not sure if its normal but there is also a backup for nearly every day since the mailserver is running

esackbauer

If you get the certificates via NPM Plus, you need to disable Letsencypt on Mailcow, and copy the fullchain and privkey files to mailcow:
https://docs.mailcow.email/post_installation/firststeps-ssl/#how-to-use-your-own-certificate

minecoll_yt

I’m going to try that out! I’m just wondering why the error message says “missing or changed domains ‘xxxx’ - start obtaining” because the file is clearly there and the setup “works”. It’s just getting new certs every day