unable to get cert, not detecting IP?

xavier

I just installed mailcow for the second time since I thought first time was maybe an install issue. This time its installed on Ubuntu 18.04 on a XEN host. BTW I have installed it on other hosts in the past so this isn’t the first time I’m setting up mailcow. Just maybe the first time in a XEN environment, not sure if that makes a difference. My understanding is that it is supported.

I’m unable to get a certificate. There is no firewall installed on the host or an external firewall. This is on a public network with a public IP. I’m able to reach the mailcow admin website with no problem, so HTTP is open and working. Everything else works. I just get the error below. If I skip IP check I still get an error saying it can’t reach my server.

Any thoughts?

Wed Nov 25 10:53:45 CST 2020 - Detecting IP addresses…
acme-mailcow_1 | Wed Nov 25 10:55:43 CST 2020 - OK: , 0000:0000:0000:0000:0000:0000:0000:0000
acme-mailcow_1 | Wed Nov 25 10:56:28 CST 2020 - Found A record for mx1.test.com: ;; connection timed out; no servers could be reached
acme-mailcow_1 | Wed Nov 25 10:56:28 CST 2020 - Cannot match your IP against hostname mx1.mailcrunch.com (DNS returned ;; connection timed out; no servers could be reached)
acme-mailcow_1 | Wed Nov 25 10:56:28 CST 2020 - Cannot validate any hostnames, skipping Let’s Encrypt for 1 hour.
acme-mailcow_1 | Wed Nov 25 10:56:28 CST 2020 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.

diekuh

Can you post a few informations about your OS etc.? 🙂 Perhaps the output of iptables -L -vn, the OS etc.

xavier

diekuh
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic

3 vCPU
4096MB RAM
250GB HDD

iptables -L -vn
Chain INPUT (policy ACCEPT 197 packets, 25109 bytes)
pkts bytes target prot opt in out source destination
7080 1190K MAILCOW all – * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
87408 44M MAILCOW all – * * 0.0.0.0/0 0.0.0.0/0
87709 44M DOCKER-USER all – * * 0.0.0.0/0 0.0.0.0/0
87709 44M DOCKER-ISOLATION-STAGE-1 all – * * 0.0.0.0/0 0.0.0.0/0
74580 40M ACCEPT all – * br-mailcow 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
10407 683K DOCKER all – * br-mailcow 0.0.0.0/0 0.0.0.0/0
2722 2832K ACCEPT all – br-mailcow !br-mailcow 0.0.0.0/0 0.0.0.0/0
10344 679K ACCEPT all – br-mailcow br-mailcow 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all – * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all – * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all – docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all – docker0 docker0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 247 packets, 31283 bytes)
pkts bytes target prot opt in out source destination

Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.5 tcp dpt:8983
0 0 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.249 tcp dpt:6379
6 300 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.11 tcp dpt:443
47 2412 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.11 tcp dpt:80
0 0 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.8 tcp dpt:3306
3 152 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.10 tcp dpt:587
0 0 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.10 tcp dpt:465
0 0 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.10 tcp dpt:25
0 0 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:12345
0 0 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:4190
0 0 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:995
0 0 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:993
0 0 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:143
0 0 ACCEPT tcp – !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:110

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
2722 2832K DOCKER-ISOLATION-STAGE-2 all – br-mailcow !br-mailcow 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all – docker0 !docker0 0.0.0.0/0 0.0.0.0/0
87709 44M RETURN all – * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all – * br-mailcow 0.0.0.0/0 0.0.0.0/0
0 0 DROP all – * docker0 0.0.0.0/0 0.0.0.0/0
2722 2832K RETURN all – * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
87709 44M RETURN all – * * 0.0.0.0/0 0.0.0.0/0

Chain MAILCOW (2 references)
pkts bytes target prot opt in out source destination

diekuh

Can you check the gateway/firewall in front?

xavier

Its a paid-hosted VM. I can access the internet from the machine and I can access it from outside, i.e. the mailcow admin website. As far as I know they don’t have a firewall in front of it.

They might have DDOS protection but I don’t that would interfere with this.

ed109

Hi there,

I have the exact same issue on a fresh and up to date install, no firewall. @xavier, did you find any solution?

Here is the logs of mailcowdockerized_acme-mailcow_1:

Sun Feb 21 17:56:43 CET 2021 - Detecting IP addresses...
Sun Feb 21 17:57:05 CET 2021 - OK: AAAA.BBBB.CCCC.DDDD, 0000:0000:0000:0000:0000:0000:0000:0000
Sun Feb 21 17:57:09 CET 2021 - Found AAAA record for mail.example.com: XXXX:YYYY:ZZZZ:000::1111 - skipping A record check
Sun Feb 21 17:57:09 CET 2021 - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname mail.example.com (DNS returned XXXX:YYYY:ZZZZ:000::1111)
Sun Feb 21 17:57:09 CET 2021 - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour.
Sun Feb 21 17:57:09 CET 2021 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
OK

Please note AAAA.BBBB.CCCC.DDDD is the correct IPv4 of my server and XXXX:YYYY:ZZZZ:000::1111 is its correct IPv6.

So it appears the local IPv6 detection isn’t working as expected (0000:0000:0000:0000:0000:0000:0000:0000 is obviously wrong). IPv4 detection works fine:
Sun Feb 21 17:57:05 CET 2021 - OK: AAAA.BBBB.CCCC.DDDD, 0000:0000:0000:0000:0000:0000:0000:0000

As @xavier, everything else works just fine.

The issue has been reported on Github as well but without a fix: mailcow/mailcow-dockerized3897

For the record:

$ uname -a
Linux xxxxx 4.19.0-14-cloud-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux

$ sudo iptables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
34358   13M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
34358   13M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
28295   11M ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 2519  157K DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
 3544 1554K ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
 2511  156K ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.3           tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.12          tcp dpt:587
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    2   100 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.12          tcp dpt:465
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    1    60 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.12          tcp dpt:25
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
    3   160 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.13          tcp dpt:443
    2   100 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.13          tcp dpt:80
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:5443
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:5269
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:5222

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3544 1554K DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
68130   33M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
 8708 7140K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
68130   33M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
# Warning: iptables-legacy tables present, use iptables-legacy to see them

ed109

Fixed: https://docs.ovh.com/gb/en/vps/configuring-ipv6/ ¯_(ツ)_/¯