ACME certificate has incorrect principal name

maiyannah

Mailcow’s ACME is creeating/requesting certificates with an incorrect principal name.

In this case, as an example, it is making the certificate for autoconfig.highlandarrow.com instead of mail.highlandarrow.com.

This causes most clients to reject it since this is NOT the MX domain.

I believe it is trying to create certificates which cover autoconfig.x autodiscover.x and mail.x - but it is ONLY having the autoconfig.x principal:

Kevo

Have you checked the logs to see what it is actually doing when checking/requesting the certificate? I haven’t noticed any issue with my system and it has multiple names it requests.

maiyannah

That’s where I get the idea it’s trying to request the multiple name certificate. It seems to request it properly, but LE is just giving it a certificate with the first name, and mailcow seems okay with it. (Mail clients, however, are not)

DocFraggle

maiyannah You somehow managed to add your IPv6 link local address to your IPv6 DNS entries…

# dig +short AAAA mail.highlandarrow.com
fe80::be24:11ff:fe55:cb5b

This address isn’t reachable from the internet, add your public IPv6 address! This may as well mess up the ACME container as it can reach itself via link local, but LE can’t reach you. Maybe on Saturday you had a working IPv4 only setup for autoconfig.highlandarrow.com, so it worked once and issued the current certificate

Kevo

And there’s no error from Let’s Encrypt in the logs? Just a successfully issued certificate for only one name? Seems odd. Not sure what to suggest if that’s the case. I’ve always received an error message when I’ve requested a cert for a name and it didn’t issue for some reason.

maiyannah

DocFraggle
Hmm, I don’t have any AAAA records on my end, but it could be the DNS service I’m using is trying to “helpfully” add them, I’ll check that. Thanks for the lead!

[edit]: Looking in the ACME history, it just doesn’t seem to be making the certificate for the mail.highlandarrow.com domain at all!

acme-mailcow-1  | Parsing account key...
acme-mailcow-1  | Parsing CSR...
acme-mailcow-1  | Found domains: autodiscover.highlandarrow.com, autoconfig.highlandarrow.com
acme-mailcow-1  | Getting directory...
acme-mailcow-1  | Directory found!
acme-mailcow-1  | Registering account...
acme-mailcow-1  | Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/2748021221
acme-mailcow-1  | Creating new order...
acme-mailcow-1  | Order created!
acme-mailcow-1  | Already verified: autoconfig.highlandarrow.com, skipping...
acme-mailcow-1  | Verifying autodiscover.highlandarrow.com...
acme-mailcow-1  | autodiscover.highlandarrow.com verified!
acme-mailcow-1  | Signing certificate...
acme-mailcow-1  | Certificate signed!
acme-mailcow-1  | Fri Apr 24 07:30:54 EDT 2026 - Deploying certificate /var/lib/acme/autoconfig.highlandarrow.com/cert.pem...
acme-mailcow-1  | Fri Apr 24 07:30:54 EDT 2026 - Verified hashes.
acme-mailcow-1  | Fri Apr 24 07:30:54 EDT 2026 - Certificate successfully obtained
acme-mailcow-1  | Fri Apr 24 07:30:54 EDT 2026 - Reloading or restarting services... (1)
acme-mailcow-1  | Reloading Nginx...
acme-mailcow-1  | Restarting c4febfb058d0267c14c57e0cba76fd1cfcae4acbd08e5ce00057c55eb6e45f09...
acme-mailcow-1  | command completed successfully
acme-mailcow-1  | Restarting 00cfe1f74a0adedbcdd6b3dcee860ed0419b55e4e7b8f1ae8941883d7b83612d...
acme-mailcow-1  | command completed successfully

Fixing the AAAA stuff, it gets autodiscover, autoconfig, etc but never even seems to try to do mail.highlandarrow.com despite that being the MX record:

# dig @8.8.8.8 +short MX highlandarrow.com
1 mail.highlandarrow.com.

What gives?

DocFraggle

maiyannah What’s your MAILCOW_HOSTNAME in mailcow.conf? Should be mail.highlandarrow.com

Kevo

When I checked yesterday your cert only listed autoconfig.highlandarrow.com.

This morning it shows both autoconfig and autodiscover. So whatever you fixed managed to get autodiscover onto the cert but not mail. Maybe one more go at it?

maiyannah

DocFraggle

Correct:

MAILCOW_HOSTNAME=mail.highlandarrow.com

DocFraggle

Can you please paste your mailcow.conf (without passwords of course)? I guess something messes things up

maiyannah

It looks like what happens is if any domain attached with the mailcow fails, acme fails entirely. I have four domains serving email (all with MX to mail.highlandarrow.com) and because one of them is unreachable to LetsEncrypt (despite being served on the same DNS service, and pointed at the same place), ACME is not generating any certificate at all.

This results in a failure state where every domain is a SPOF for the entire system.

Kevo

Are you able to elaborate on the failure mode. Seems like an odd situation with some other aspect involved given the only difference in the working domain and the non-working domain seems to be the name itself.

maiyannah

LetsEncrypt refuses to issue the certificate because DNS resolution fails for A and AAAA resolution on the autoconfig.[domain4] and autodiscover.[domain4] subdomains.

I am presuming it is requesting bundled certificates, but in any case, ACME aborts because of this:

acme-mailcow-1  |     raise ValueError("Challenge did not pass for {0}: {1}".for
mat(domain, authorization))
acme-mailcow-1  | ValueError: Challenge did not pass for autoconfig.vtelectronic                                                                                                                s.net: {'identifier': {'type': 'dns', 'value': 'autoconfig.vtelectronics.net'},                                                                                                                 'status': 'invalid', 'expires': '2026-05-07T13:10:40Z', 'challenges': [{'type':                                                                                                                 'http-01', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall/2748021221/69                                                                                                                6280730205/VV-Z1Q', 'status': 'invalid', 'validated': '2026-04-30T13:10:41Z', 'e                                                                                                                rror': {'type': 'urn:ietf:params:acme:error:dns', 'detail': "During secondary va
lidation: DNS problem: SERVFAIL looking up A for autoconfig.vtelectronics.net -                                                                                                                 the domain's nameservers may be malfunctioning; DNS problem: query timed out loo
king up AAAA for autoconfig.vtelectronics.net", 'status': 400}, 'token': 'Vr6ExZ
8MsSdWTNGSSvTHt8uakjYhENosW5S2vdDEeKY', 'validationRecord': [{'url': 'http://aut
oconfig.vtelectronics.net/.well-known/acme-challenge/Vr6ExZ8MsSdWTNGSSvTHt8uakjY
hENosW5S2vdDEeKY', 'hostname': 'autoconfig.vtelectronics.net', 'port': '80', 'ad
dressesResolved': ['38.143.59.204'], 'addressUsed': '38.143.59.204'}]}]}
acme-mailcow-1  | Thu Apr 30 09:11:15 EDT 2026 - Failed to obtain certificate /v
ar/lib/acme/mail.highlandarrow.com/cert.pem for domains 'mail.highlandarrow.com
autoconfig.highlandarrow.com autoconfig.vtelectronics.net autodiscover.highlanda
rrow.com autodiscover.vtelectronics.net'

This is why bundling certificate CNs can be a bad idea, incidentally.

This failure state is kind of nasty; it means if ACME fails for a single domain on a mailcow install with many, the entire setup is hosed.

Secondary validation errors have been reported frequently to LetsEncrypt on their own forums since about mid December, they seem to completely shift the blame onto all the people having problems, rather than reconsidering their own setup. In my own case, the DNS service for all four domains (highlandarrow.com, housestuart.com, toud.pw, vtelectronics.net) are all provided by EasyDNS on their professional level. The other three domains seem fine. I had their support look at their records, and reset and republish the domain, but it seems fine, and resetting it did not accomplish the result.

What we did for now is force a redirect of AAAA queries to return A records, but that’s not how DNS is supposed to function, and it is not RFC compliant. It’s the workaround that worked though.

Going forward Mailcow should consider two things:

1] Allow alternative ACME providers such as Comodo or ZeroSSL through ACME,
and
2] Do not bundle the certificate common names in such way that failure of one domain’s resolution causes the entire service to become unstable,
or,
2b] Use selective fallbacks combinations to exclude the domains the secondary validation is failing for; autoconfiguration and autodiscovery are not vital functions which should result in a complete service failure if the certificate cannot be provisioned for them.