ACME Additional SAN issues (and workaround) after recent update

Gebemsea

I have a number of simple and wildcard host-names in my ADDITIONAL_SAN setting, e.g.
ADDITIONAL_SAN=hass.mydomain.tld,imap.*,smtp.*,docker.mydomain.tld,wine.mydomain.tld,stratus.mydomain.tld
ACME was getting certs fine.
I updated my Mailcow a week ago, and regularly since ; this pulled in the XMPP additions
Since then I needed new certs ans ACME failed to pull new certs with errors like:
acme-mailcow_1 | Verifying imap.mydomain.tld... acme-mailcow_1 | Traceback (most recent call last): acme-mailcow_1 | File "/usr/bin/acme-tiny", line 8, in <module> acme-mailcow_1 | sys.exit(main()) acme-mailcow_1 | File "/usr/lib/python3.8/site-packages/acme_tiny.py", line 194, in main acme-mailcow_1 | signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact) acme-mailcow_1 | File "/usr/lib/python3.8/site-packages/acme_tiny.py", line 149, in get_crt acme-mailcow_1 | raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization)) acme-mailcow_1 | ValueError: Challenge did not pass for imap.mydomain.tld: {'identifier': {'type': 'dns', 'value': 'imap.mydomain.tld'}, 'status': 'invalid', 'expires': '2021-02-23T19:55:39Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': 'Invalid response from http://imap.mydomain.tld/.well-known/acme-challenge/xEg4JcgSGfI4QBzEJ3BB99wJwKjk9QYZ7CHYY-AjGSU [86.20.75.195]: 404', 'status': 403}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/10924494549/kLiurg', 'token': 'xEg4JcgSGfI4QBzEJ3BB99wJwKjk9QYZ7CHYY-AjGSU', 'validationRecord': [{'url': 'http://imap.mydomain.tld/.well-known/acme-challenge/xEg4JcgSGfI4QBzEJ3BB99wJwKjk9QYZ7CHYY-AjGSU', 'hostname': 'imap.mydomain.tld', 'port': '80', 'addressesResolved': ['86.20.75.195'], 'addressUsed': '86.20.75.195'}]}]} acme-mailcow_1 | Sun Feb 21 05:54:27 GMT 2021 - Failed to obtain certificate /var/lib/acme/mailcw.mydomain.tld/cert.pem for domains 'mailcw.mydomain.tld autoconfig.mydomain.tld autoconfig.myotherdomain.tld autodiscover.mydomain.tld autodiscover.myotherdomain.tld imap.mydomain.tld''
Emergency workaround
I made ADDITIONAL_SAN a null string, and mailcow-acme got the basic certs ok - phew!
Current Workaround
After lots of trial and error (and messing with my DNS and network - just in case), I found I can get certs for additional SANs if I add explicit names to ADDITIONAL_SERVER_NAMES , e.g.
ADDITIONAL_SAN=hass.mydomain.tld,imap.mydomain.tld,smtp.mydomain.tld ADDITIONAL_SERVER_NAMES=hass.mydomain.tld,imap.mydomain.tld,smtp.mydomain.tld

Does anyone know if it is now a requirement to add all additional sans to additional server names? What about wildcard SANs?

Happy to raise an issue in github, just wanted to check I’m not missing something first. Anyone got any thoughts?

TheLimey

I had mail.*,old.server.name as my ADDITIONAL_SAN value …old.server.name isn’t the real value!

Thankfully this post led me in the right direction of moving the old.server.name part to ADDITIONAL_SERVER_NAMES which stopped it putting out certificates with just that as the server name.

diekuh

🙂

TheLimey

Well, turns out I was incorrect. The ADDITIONAL_SERVER_NAMES value was ignored, and my old.server.name wasn’t in the certificate at all. I mooved the old.server.name back to ADDITIONAL_SAN (where it was before, except this time before mail.*, rather than after) and forced a certificate renewal (see below) and it generated the certificate correctly again. Weird.

The documentation of ADDITIONAL_SERVER_NAMES is vague and not terribly helpful, so I’m unclear what exactly it should do, but on that page (https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ssl/) I found out how to force the renewal of the certificates:

cd /opt/mailcow-dockerized
touch data/assets/ssl/force_renew
docker-compose restart acme-mailcow
# Now check the logs for a renewal
docker-compose logs --tail=200 -f acme-mailcow