Actually this is weird.
In mailcow.conf I have just:
MAILCOW_HOSTNAME=mail.my-main-domain.mk
and ADDITIONAL_SAN= (it is empty). No reference to my secondary domain…
I was also thinking of that.
But how to do that? I cannot see any reference to my-second-domain.si in the config files… (in /opt/mailcow-dockerized).
So, my SSL certificate expired and unfortunately it is not updated automatically. What I did:
sudo su
cd /opt/mailcow-dockerized
docker-compose restart acme-mailcow
docker-compose logs --tail=200 -f acme-mailcow
And I see this:
mailcowdockerized-acme-mailcow-1 | Found domains: mail.my-main-domain.mk, autodiscover.my-main-domain.mk, autoconfig.my-main-domain.mk, autodiscover.my-second-domain.si, autoconfig.my-second-domain.si
mailcowdockerized-acme-mailcow-1 | Getting directory...
mailcowdockerized-acme-mailcow-1 | Directory found!
mailcowdockerized-acme-mailcow-1 | Registering account...
mailcowdockerized-acme-mailcow-1 | Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/xxx
mailcowdockerized-acme-mailcow-1 | Creating new order...
mailcowdockerized-acme-mailcow-1 | Order created!
mailcowdockerized-acme-mailcow-1 | Already verified: autoconfig.my-main-domain.mk, skipping...
mailcowdockerized-acme-mailcow-1 | Already verified: autodiscover.my-main-domain.mk, skipping...
mailcowdockerized-acme-mailcow-1 | Verifying autodiscover.my-second-domain.si...
mailcowdockerized-acme-mailcow-1 | Traceback (most recent call last):
mailcowdockerized-acme-mailcow-1 | File "/usr/bin/acme-tiny", line 8, in <module>
mailcowdockerized-acme-mailcow-1 | sys.exit(main())
mailcowdockerized-acme-mailcow-1 | File "/usr/lib/python3.10/site-packages/acme_tiny.py", line 195, in main
mailcowdockerized-acme-mailcow-1 | signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
mailcowdockerized-acme-mailcow-1 | File "/usr/lib/python3.10/site-packages/acme_tiny.py", line 153, in get_crt
mailcowdockerized-acme-mailcow-1 | raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
mailcowdockerized-acme-mailcow-1 | ValueError: Challenge did not pass for autodiscover.my-second-domain.si: {'identifier': {'type': 'dns', 'value': 'autodiscover.my-second-domain.si'}, 'status': 'invalid', 'expires': '2022-10-30T14:14:11Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': '91.xxx.xxx.xxx: Invalid response from https://my-second-domain.si/.well-known/acme-challenge/uCxxxxIY: "<!DOCTYPE html>\\n<html>\\n\\n<head>\\n\\t<meta charset=\\"utf-8\\">\\n\\t<meta http-equiv=\\"X-UA-Compatible\\" content=\\"IE=edge\\">\\n\\t<meta name=\\"viewp"', 'status': 403}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/xxx/xxx', 'token': 'uCxxxxIY', 'validationRecord': [{'url': 'http://autodiscover.my-second-domain.si/.well-known/acme-challenge/uCxxxxIY', 'hostname': 'autodiscover.my-second-domain.si', 'port': '80', 'addressesResolved': ['91.xxx.xxx.xxx'], 'addressUsed': '91.xxx.xxx.xxx'}, {'url': 'https://my-second-domain.si/.well-known/acme-challenge/uCxxxxIY', 'hostname': 'my-second-domain.si', 'port': '443', 'addressesResolved': ['91.xxx.xxx.xxx'], 'addressUsed': '91.xxx.xxx.xxx'}], 'validated': '2022-10-23T14:42:15Z'}]}
mailcowdockerized-acme-mailcow-1 | Sun Oct 23 16:42:25 CEST 2022 - Failed to obtain certificate /var/lib/acme/mail.my-main-domain.mk/cert.pem for domains 'mail.my-main-domain.mk autoconfig.my-main-domain.mk autoconfig.my-second-domain.si autodiscover.my-main-domain.mk autodiscover.my-second-domain.si'
mailcowdockerized-acme-mailcow-1 | OK
mailcowdockerized-acme-mailcow-1 | Sun Oct 23 16:42:25 CEST 2022 - Some errors occurred, retrying in 30 minutes...
mailcowdockerized-acme-mailcow-1 | OK
One of the problems is that I have entered (via the web GUI) my-second-domain.si; however, this domain is not entered into DNS (actually, DNS for this domain points to another server). Unfortunately, I cannot log in to the web GUI, because the SSL cert is not valid and HSTS is enabled…
But I think the main problem is: why does mail.my-main-domain.mk not get validated? In data/assets/ssl/mail.my-main-domain.mk I have cert.pem and key.pem which are valid through 2023. But it seems these files do not get copied to the correct place for acme-mailcow??
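The "Found domains" line and the traceback above contain everything needed to see what went wrong, and they also answer the earlier question of where my-second-domain.si comes from when ADDITIONAL_SAN is empty: for every mail domain added in the UI, acme-mailcow requests autoconfig.<domain> and autodiscover.<domain> as well. The following is an added example (not mailcow's own code and not from any of the posts) that builds the hostname list acme-mailcow will request from mailcow.conf plus the mail domains, reads a Let's Encrypt authorization object of the shape shown in the traceback to say where the CA's http-01 request actually ended up, and can probe each hostname the way the CA does. The sample configuration, domain list and authorization object are constructed to mirror the log (TOKEN is a placeholder); the helper names are the example's own.

```python
"""Pre-flight checks for acme-mailcow http-01 validation (added example).

Assumptions: mailcow.conf has MAILCOW_HOSTNAME= and ADDITIONAL_SAN= lines
(plain hostnames only, no wildcards), and the authorization object has the
identifier / challenges / validationRecord layout printed by acme-tiny above.
"""
import json
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ACME_PATH = "/.well-known/acme-challenge/"


def expected_hostnames(conf_text, mail_domains):
    """Hostnames acme-mailcow will ask Let's Encrypt for.

    MAILCOW_HOSTNAME and ADDITIONAL_SAN come from mailcow.conf; for each mail
    domain configured in the UI, autoconfig.<d> and autodiscover.<d> are added,
    which is why a domain absent from mailcow.conf shows up in 'Found domains'.
    """
    conf = dict(
        line.split("=", 1)
        for line in conf_text.splitlines()
        if "=" in line and not line.lstrip().startswith("#")
    )
    names = [conf.get("MAILCOW_HOSTNAME", "").strip()]
    names += [s.strip() for s in conf.get("ADDITIONAL_SAN", "").split(",") if s.strip()]
    for d in mail_domains:
        names += ["autoconfig." + d, "autodiscover." + d]
    return [n for n in names if n]


def diagnose_authorization(authz):
    """Explain a failed http-01 authorization from the ACME authz object.

    The last validationRecord entry is the URL the CA finally fetched. If its
    host differs from the challenged hostname, a redirect handed the challenge
    to another server (here a web site answering 403 with HTML), so mailcow's
    own token can never be seen and validation cannot succeed.
    """
    hostname = authz["identifier"]["value"]
    chal = next(c for c in authz["challenges"] if c["type"] == "http-01")
    records = chal.get("validationRecord", [])
    final_url = records[-1]["url"] if records else None
    final_host = urlsplit(final_url).hostname if final_url else None
    err = chal.get("error") or {}
    return {
        "hostname": hostname,
        "status": chal["status"],
        "hops": len(records),
        "final_url": final_url,
        "off_host_redirect": final_host is not None and final_host != hostname,
        "http_status": err.get("status"),
        "error_type": err.get("type"),
    }


def probe_challenge_url(hostname, token="preflight-token", timeout=10):
    """Fetch http://<hostname>/.well-known/acme-challenge/<token> like the CA does
    (port 80, following redirects) and report where it lands. Needs network.
    A 404 from mailcow's nginx is the healthy answer for an unknown token; a
    redirect to another host, or an HTML 403, reproduces the failure in the log."""
    url = "http://" + hostname + ACME_PATH + token
    result = {"hostname": hostname, "resolved": None, "final_url": url, "status": None}
    try:
        result["resolved"] = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 80)})
        req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            result["final_url"] = resp.geturl()
            result["status"] = resp.getcode()
    except urllib.error.HTTPError as e:  # HTTPError before its parent URLError
        result["final_url"] = e.geturl()
        result["status"] = e.code
    except OSError as e:  # DNS failure, refused connection, timeout, URLError
        result["error"] = str(e)
    return result


# Constructed samples modelled on the log above (placeholders, not real values).
SAMPLE_CONF = "MAILCOW_HOSTNAME=mail.my-main-domain.mk\nADDITIONAL_SAN=\n# comment\n"
SAMPLE_MAIL_DOMAINS = ["my-main-domain.mk", "my-second-domain.si"]
SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "autodiscover.my-second-domain.si"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01", "status": "invalid", "token": "TOKEN",
        "error": {"type": "urn:ietf:params:acme:error:unauthorized", "status": 403,
                  "detail": "Invalid response from https://my-second-domain.si" + ACME_PATH + "TOKEN"},
        "validationRecord": [
            {"url": "http://autodiscover.my-second-domain.si" + ACME_PATH + "TOKEN",
             "hostname": "autodiscover.my-second-domain.si", "port": "80"},
            {"url": "https://my-second-domain.si" + ACME_PATH + "TOKEN",
             "hostname": "my-second-domain.si", "port": "443"},
        ],
    }],
}

if __name__ == "__main__":
    print(expected_hostnames(SAMPLE_CONF, SAMPLE_MAIL_DOMAINS))
    print(json.dumps(diagnose_authorization(SAMPLE_AUTHZ), indent=2))
    # On the mail host, with network: probe every name the CA will ask for.
    # for h in expected_hostnames(open("mailcow.conf").read(), SAMPLE_MAIL_DOMAINS):
    #     print(probe_challenge_url(h))
```

Run on the sample, diagnose_authorization reports two hops ending at https://my-second-domain.si/... with HTTP 403 and off_host_redirect set, which is the whole story: the second domain's A record points at another web server that redirects to its own HTTPS site, so the challenge never reaches mailcow. Either that domain's autoconfig/autodiscover names must point at the mailcow host, or the domain should not be on the certificate; the CA validates every name in the order, so one unreachable name fails the renewal for mail.my-main-domain.mk too.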
Hi,
I have a mail server at domain mydomain.mk and now I would like to change it to newdomain.net. How to do that?
I did this:
First I logged into the web UI as admin and added mail.newdomain.net under Configuration - Domains - Add domain.
I also added DNS records for mail.newdomain.net through my internet registrar.
Then I ssh-ed into the server and did this:
cd /opt/mailcow-dockerized
docker-compose down
nano mailcow.conf
Then I changed MAILCOW_HOSTNAME=mail.mydomain.mk to MAILCOW_HOSTNAME=mail.newdomain.net.
Finally, I ran docker-compose up -d.
First problem. openssl x509 -in /opt/mailcow-dockerized/data/assets/ssl/cert.pem -text still says Subject: CN = mail.mydomain.mk and not mail.newdomain.net.
Another problem. I am using an Nginx proxy, so I changed server_name in /etc/nginx/sites-enabled/default, but I left the SSL directives the same:
ssl_certificate /opt/mailcow-dockerized/data/assets/ssl/cert.pem;
ssl_certificate_key /opt/mailcow-dockerized/data/assets/ssl/key.pem;
Now, when I go to the web UI (https://mail.newdomain.net), the web browser warns me that the certificate is not correct (which is expected, since openssl told me that Subject: CN = mail.mydomain.mk).
However, how to go from one domain to another? Hopefully a complete reinstall is not the only option…
So, I have set up an account, for instance john.doe@mydomain.mk. Now I would like to add an alias for that mailbox, for instance john@mydomain.mk.
How to do that?
In Zimbra, you have a special field “aliases”, and you just add as many aliases as you like.
So in my case, when mail is sent to john.doe@mydomain.mk or john@mydomain.mk, it will come to the same mailbox.
Hmm, now I did it this way:
1. In mailcow.conf I set SKIP_IP_CHECK=y and SKIP_HTTP_VERIFICATION=y
2. Restarted acme-mailcow, and certificates got signed
3. In mailcow.conf set SKIP_HTTP_VERIFICATION=n (back to n)
4. Restarted acme-mailcow, but the error "HTTP validation failed" happened again
5. In mailcow.conf set SKIP_HTTP_VERIFICATION=y
I hope this is OK, otherwise I am afraid automatic renewal will not work.
Yes, I found this out. However, in the documentation it is written that skipping the HTTP validation is not recommended. Why?
Additional info. I reinstalled everything from scratch and did not set up the HTTPS redirection. I have the same setup as before (IPv6 disabled), and on port 80 I can see the login page. However, on 443 the certificate is self-signed, and the logs keep saying that HTTP validation failed.
Actually, I figured out something, but got stuck on another problem…
First, I disabled IPv6 according to documentation (because I don’t have it).
Then I run these commands:
cd /opt/mailcow-dockerized
touch data/assets/ssl/force_renew
docker-compose restart acme-mailcow
When I run docker-compose logs --tail=200 -f acme-mailcow I get this error:
acme-mailcow_1 | OK
acme-mailcow_1 | Thu Feb 10 16:45:23 CET 2022 - Initializing, please wait...
acme-mailcow_1 | Thu Feb 10 16:45:23 CET 2022 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow_1 | Thu Feb 10 16:45:23 CET 2022 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow_1 | Thu Feb 10 16:45:23 CET 2022 - Detecting IP addresses...
acme-mailcow_1 | Thu Feb 10 16:45:32 CET 2022 - OK: 185.58.xxx.xxx, 0000:0000:0000:0000:0000:0000:0000:0000
acme-mailcow_1 | Thu Feb 10 16:45:33 CET 2022 - Found A record for autodiscover.mydomain.mk: 185.58.xxx.xxx
acme-mailcow_1 | Thu Feb 10 16:47:42 CET 2022 - Confirmed A record with IP 185.58.xxx.xxx, but HTTP validation failed
acme-mailcow_1 | Thu Feb 10 16:47:42 CET 2022 - Found A record for autoconfig.mydomain.mk: 185.58.xxx.xxx
acme-mailcow_1 | Thu Feb 10 16:49:53 CET 2022 - Confirmed A record with IP 185.58.xxx.xxx, but HTTP validation failed
acme-mailcow_1 | Thu Feb 10 16:49:53 CET 2022 - Found A record for mail.mydomain.mk: 185.58.180.221
acme-mailcow_1 | Thu Feb 10 16:52:04 CET 2022 - Confirmed A record with IP 185.58.xxx.xxx, but HTTP validation failed
acme-mailcow_1 | Thu Feb 10 16:52:04 CET 2022 - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour.
acme-mailcow_1 | Thu Feb 10 16:52:04 CET 2022 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
acme-mailcow_1 | OK
Also, port 80 is accessible from outside; I can verify it with curl http://185.58.xxx.xxx or curl http://mail.mydomain.mk (the same is true for port 443).
Any idea?
Hi,
I just set up a fresh MailCow installation but unfortunately found out that my ISP was blocking ports 80 and 443 at the time. So Let's Encrypt was unable to sign my certificates (I guess this is the ACME module in MailCow).
My question is: when my ISP removes the blocking, how can I re-run this module and get the server's certificates signed by Let's Encrypt?
Thanks.