ACME Certs not refreshing

Asynchronite

Hello.
It’s 3 AM and I’ve been trying to figure out for 6 hours but essentially I am running mailcow behind nginx, and whenever acme wants to refresh the certs it throws an error.
acme-mailcow-1 | Creating new order... acme-mailcow-1 | Order created! acme-mailcow-1 | Verifying autoconfig.astrohweston.xyz... acme-mailcow-1 | Traceback (most recent call last): acme-mailcow-1 | File "/usr/bin/acme-tiny", line 8, in <module> acme-mailcow-1 | sys.exit(main()) acme-mailcow-1 | ^^^^^^ acme-mailcow-1 | File "/usr/lib/python3.12/site-packages/acme_tiny.py", line 195, in main acme-mailcow-1 | signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port) acme-mailcow-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ acme-mailcow-1 | File "/usr/lib/python3.12/site-packages/acme_tiny.py", line 153, in get_crt acme-mailcow-1 | raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization)) acme-mailcow-1 | ValueError: Challenge did not pass for autoconfig.astrohweston.xyz: {'identifier': {'type': 'dns', 'value': 'autoconfig.astrohweston.xyz'}, 'status': 'invalid', 'expires': '2025-05-27T00:55:19Z', 'challenges': [{'type': 'http-01', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall/2409217697/522903696827/7uB0Tg', 'status': 'invalid', 'validated': '2025-05-20T00:55:21Z', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': '2a01:4f9:c012:7f05::1: Invalid response from http://autoconfig.astrohweston.xyz/.well-known/acme-challenge/IY-BAlkU4pvwNcf3HNO1Y2UUXi5Rn9Xbq_-8wloVSG0: 404', 'status': 403}, 'token': 'IY-BAlkU4pvwNcf3HNO1Y2UUXi5Rn9Xbq_-8wloVSG0', 'validationRecord': [{'url': 'http://autoconfig.astrohweston.xyz/.well-known/acme-challenge/IY-BAlkU4pvwNcf3HNO1Y2UUXi5Rn9Xbq_-8wloVSG0', 'hostname': 'autoconfig.astrohweston.xyz', 'port': '80', 'addressesResolved': ['65.21.157.66', '2a01:4f9:c012:7f05::1'], 'addressUsed': '2a01:4f9:c012:7f05::1'}]}]} acme-mailcow-1 | Tue May 20 02:55:22 CEST 2025 - Failed to obtain certificate /var/lib/acme/mail.astrohweston.xyz/cert.pem for domains 'mail.astrohweston.xyz autoconfig.astrohweston.xyz autodiscover.astrohweston.xyz'

I tried turning off http to https in the mailcow config, didn’t work.
Now that error that I presented is only there because I switched SKIP_IP_CHECK and SKIP_HTTP_VERIFICATION to y. When they’re at n, then that error doesn’t get thrown, but rather something like this:

(Ignore maxinautika, we’re only focusing on astrohweston at the moment)

Any help that I can get? Please?

esackbauer

Asynchronite Failed to obtain certificate /var/lib/acme/mail.astrohweston.xyz/cert.pem for domains ‘mail.astrohweston.xyz autoconfig.astrohweston.xyz autodiscover.astrohweston.xyz’

Well, it says pretty clear what the problem is.
Make sure that you have set up your DNS records properly, you have none for autoconfig and autodiscover:
https://docs.mailcow.email/getstarted/prerequisite-dns/#the-minimal-dns-configuration

Asynchronite

esackbauer Hey!
The DNS configuration is fine. Opening up the web ui and sending mail is not an issue. I used to use a custom nginx configuration, and ever since I switched to the one in the docs it kept erroring for self signed certificates.
When ACME tried to get a new cert that gets thrown.
I am confident my dns records are okay, you can check for the domain astrohweston.xyz

esackbauer

Asynchronite The DNS configuration is fine.

No it is not:

Please check again the minimum DNS configuration! it is not sufficient to have only mail.yourdomain.com!

Asynchronite

esackbauer Hey, thank you for the swift response!
The guide mentions how the autoconfig and autodiscover have to have CNAME records. I have those records in place.
See: https://docs.mailcow.email/getstarted/prerequisite-dns/#the-minimal-dns-configuration

esackbauer

Ah ok I could locate the records now on my DNS server. However strange that mxtoolbox is not able to resolve autodiscover address.
As Acme client tries to do it with IPv6 are you sure that your nginx reverse proxy is properly configured to answer IPv6 requests?

Asynchronite

esackbauer Hey!
My Nginx config is the exact same like the one in the docs.
From what I can see, it is able to handle ipv6 requests.
I have also changed it to match my domain name. As for the SSL cert, this is my SSL certificate at the moment that ACME is trying to refresh, but can’t due to god knows what.

I did notice, however, that after disabling ip checks and http checks, and it passes the initial checks, it does throw another error (The one in the codeblock I sent in the OP). THere’s a ling in there, specifically, https://acme-v02.api.letsencrypt.org/acme/chall/2409217697/523174864227/eefQ-Q, which says how it tried GETting an acme challenge and the server returned a 403. When I go to the URL it was trying I get a 404, and if I go to the HTTPS version of it, I get a 400 due to it being an HTTP port apparently.

I did notice, however, that after disabling ip checks and http checks, and it passes the initial checks, it does throw another error (The one in the codeblock I sent in the OP). There’s a line in there, which says how it tried GETting an acme challenge and the server returned a 403. When I go to the URL it was trying I get a 404, and if I go to the HTTPS version of it, I get a 400 due to it being an HTTP port apparently.

Now, what is supposed to be served to the CA when that acme request is made? How does mailcow handle serving that?

Apologies for the spam. The website kept saying oops something went wrong without visually updating that I was posting the same reply over and over.

Asynchronite

esackbauer
I have a question.
When it goes to .well-known/acme-challenge, what is mailcow supposed to do then? How does this get handled? On what port?
Maybe by knowing that I can narrow the issue down.

bradselph

So I’m not the only one having issues all of a sudden with this. I even made sure my cloudflare wasn’t issuing certificates, and ACME still doesn’t seem to be refreshing. The initial setup worked fine, but now it doesn’t seem to refresh. It currently seems like half of the pages/directories load fine, while the other half throw an insecure warning.

timgjr

bradselph Yes, exact same issue. I don’t have IP6 though, that’s disabled.

I am noticing a theme of us all being at Cloudflare though? could that be something? I have all proxy stuff off.

bradselph

Honestly, No, It came down to the rate at which i was forcing the refresh.