Foxly, how did you solve the problem?
Well, I found a workaround: I added SKIP_HTTP_VERIFICATION=y to mailcow.conf (ensure that this line is not overridden by another non-commented-out SKIP_HTTP_VERIFICATION= line further down that turns it back off or something).
This skips the HTTP verification of each domain, as the variable name suggests.
It caused some other temporary issues, as some domains that were not reachable over HTTP then failed validation at the ACME client/Let's Encrypt instead.
The underlying issue is not completely resolved yet, but I need to prevent this from happening again. This became noticeable after updating the mail server using update.sh. It happened to me last year, and now again this year:
mailcow/mailcow-dockerized#4031
nginx currently doesn't listen on the IPv6 address of the mail server as well, only on the IPv4 address.
This was pointed out in this GitHub issue discussion:
mailcow/mailcow-dockerized#2632
As the mailcow acme service script validates HTTP over IPv6 and nginx is not listening on IPv6, the validation fails and the domain is not added - not even the FQDN of the mail server - which was the main issue for me.
There are two other issues that surfaced while troubleshooting/finding a workaround for this:
- Just restarting the docker compose setup isn't enough to make mailcow use the new acme/Let's Encrypt-related settings. I had to invoke ./update.sh (with no new updates applied, as all updates had already been installed) to make it use the new configuration.
- I wasn't able to force mailcow acme to use only a subset of those domains; it tried to automatically use all domains, which crept towards the SAN limit of 100. Luckily it stayed below that in the end and Let's Encrypt signed the mail server certificate.