Matthai

  • Oct 28, 2022
  • Joined Feb 10, 2022
  • 5 discussions
  • 11 posts
  • 1 best answer
  • Post posted... wait what? You got the answer!
  • Actually this is weird.

    In mailcow.conf I have just:

    MAILCOW_HOSTNAME=mail.my-main-domain.mk

    and ADDITIONAL_SAN= (is empty). No reference to my secondary domain…

  • I was also thinking of that.
    But how to do that? I cannot see any reference to my-second-domain.si in the config files… (in /opt/mailcow-dockerized).

  • So, my SSL certificate expired and unfortunately it is not updated automatically. What I did:

    • ssh to my server
    • sudo su
    • cd /opt/mailcow-dockerized
    • docker-compose restart acme-mailcow
    • docker-compose logs --tail=200 -f acme-mailcow

    And I see this:

    mailcowdockerized-acme-mailcow-1  | Found domains: mail.my-main-domain.mk, autodiscover.my-main-domain.mk, autoconfig.my-main-domain.mk, autodiscover.my-second-domain.si, autoconfig.my-second-domain.si
    mailcowdockerized-acme-mailcow-1  | Getting directory...
    mailcowdockerized-acme-mailcow-1  | Directory found!
    mailcowdockerized-acme-mailcow-1  | Registering account...
    mailcowdockerized-acme-mailcow-1  | Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/xxx
    mailcowdockerized-acme-mailcow-1  | Creating new order...
    mailcowdockerized-acme-mailcow-1  | Order created!
    mailcowdockerized-acme-mailcow-1  | Already verified: autoconfig.my-main-domain.mk, skipping...
    mailcowdockerized-acme-mailcow-1  | Already verified: autodiscover.my-main-domain.mk, skipping...
    mailcowdockerized-acme-mailcow-1  | Verifying autodiscover.my-second-domain.si...
    mailcowdockerized-acme-mailcow-1  | Traceback (most recent call last):
    mailcowdockerized-acme-mailcow-1  |   File "/usr/bin/acme-tiny", line 8, in <module>
    mailcowdockerized-acme-mailcow-1  |     sys.exit(main())
    mailcowdockerized-acme-mailcow-1  |   File "/usr/lib/python3.10/site-packages/acme_tiny.py", line 195, in main
    mailcowdockerized-acme-mailcow-1  |     signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
    mailcowdockerized-acme-mailcow-1  |   File "/usr/lib/python3.10/site-packages/acme_tiny.py", line 153, in get_crt
    mailcowdockerized-acme-mailcow-1  |     raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
    mailcowdockerized-acme-mailcow-1  | ValueError: Challenge did not pass for autodiscover.my-second-domain.si: {'identifier': {'type': 'dns', 'value': 'autodiscover.my-second-domain.si'}, 'status': 'invalid', 'expires': '2022-10-30T14:14:11Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': '91.xxx.xxx.xxx: Invalid response from https://my-second-domain.si/.well-known/acme-challenge/uCxxxxIY: "<!DOCTYPE html>\\n<html>\\n\\n<head>\\n\\t<meta charset=\\"utf-8\\">\\n\\t<meta http-equiv=\\"X-UA-Compatible\\" content=\\"IE=edge\\">\\n\\t<meta name=\\"viewp"', 'status': 403}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/xxx/xxx', 'token': 'uCxxxxIY', 'validationRecord': [{'url': 'http://autodiscover.my-second-domain.si/.well-known/acme-challenge/uCxxxxIY', 'hostname': 'autodiscover.my-second-domain.si', 'port': '80', 'addressesResolved': ['91.xxx.xxx.xxx'], 'addressUsed': '91.xxx.xxx.xxx'}, {'url': 'https://my-second-domain.si/.well-known/acme-challenge/uCxxxxIY', 'hostname': 'my-second-domain.si', 'port': '443', 'addressesResolved': ['91.xxx.xxx.xxx'], 'addressUsed': '91.xxx.xxx.xxx'}], 'validated': '2022-10-23T14:42:15Z'}]}
    mailcowdockerized-acme-mailcow-1  | Sun Oct 23 16:42:25 CEST 2022 - Failed to obtain certificate /var/lib/acme/mail.my-main-domain.mk/cert.pem for domains 'mail.my-main-domain.mk autoconfig.my-main-domain.mk autoconfig.my-second-domain.si autodiscover.my-main-domain.mk autodiscover.my-second-domain.si'
    mailcowdockerized-acme-mailcow-1  | OK
    mailcowdockerized-acme-mailcow-1  | Sun Oct 23 16:42:25 CEST 2022 - Some errors occurred, retrying in 30 minutes...
    mailcowdockerized-acme-mailcow-1  | OK

    One of the problems is that I have entered (via the web GUI) my-second-domain.si; however, this domain is not entered in DNS (actually, DNS for this domain points to another server). Unfortunately, I cannot log in to the web GUI, because the SSL cert is not valid and HSTS is enabled…

    But I think the main problem is: why does mail.my-main-domain.mk not get validated? In data/assets/ssl/mail.my-main-domain.mk I have cert.pem and key.pem, which are valid through 2023. But it seems these files do not get copied to the correct place for acme-mailcow??
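The traceback above carries the whole ACME authorization object, and the useful part is the validationRecord: Let's Encrypt first hit http://autodiscover.my-second-domain.si on port 80, was redirected to https://my-second-domain.si on port 443, and got a 403 HTML page from there. The following is an added example (not code from the post or from mailcow) that pulls that dict out of an acme-tiny "Challenge did not pass" log line with ast.literal_eval and summarizes the hop chain and the failure cause. The sample line is constructed; the names, IP (192.0.2.10) and token are placeholders.

```python
"""Explain an acme-tiny 'Challenge did not pass' line from the acme-mailcow log.

Added example; the log line below is constructed in the shape acme-tiny prints,
with placeholder hostnames, a TEST-NET IP and a fake token.
"""
import ast
import re
from urllib.parse import urlsplit

SAMPLE_LOG = (
    "mailcowdockerized-acme-mailcow-1  | ValueError: Challenge did not pass for "
    "autodiscover.my-second-domain.si: "
    "{'identifier': {'type': 'dns', 'value': 'autodiscover.my-second-domain.si'}, "
    "'status': 'invalid', 'challenges': [{'type': 'http-01', 'status': 'invalid', "
    "'error': {'type': 'urn:ietf:params:acme:error:unauthorized', "
    "'detail': '192.0.2.10: Invalid response from "
    "https://my-second-domain.si/.well-known/acme-challenge/uCxxxxIY: \"<!DOCTYPE html>\"', "
    "'status': 403}, 'token': 'uCxxxxIY', 'validationRecord': ["
    "{'url': 'http://autodiscover.my-second-domain.si/.well-known/acme-challenge/uCxxxxIY', "
    "'hostname': 'autodiscover.my-second-domain.si', 'port': '80', "
    "'addressesResolved': ['192.0.2.10'], 'addressUsed': '192.0.2.10'}, "
    "{'url': 'https://my-second-domain.si/.well-known/acme-challenge/uCxxxxIY', "
    "'hostname': 'my-second-domain.si', 'port': '443', "
    "'addressesResolved': ['192.0.2.10'], 'addressUsed': '192.0.2.10'}]}]}"
)

FAILED_RE = re.compile(r"Challenge did not pass for ([^\s:]+): (\{.*\})\s*$")


def parse_failed_authz(line):
    """Return (identifier, authorization dict) from one acme-tiny failure line.

    acme-tiny formats the authorization with str(), i.e. as a Python literal,
    so ast.literal_eval parses it safely without exec/eval.
    """
    m = FAILED_RE.search(line)
    if not m:
        raise ValueError("not an acme-tiny challenge failure line")
    return m.group(1), ast.literal_eval(m.group(2))


def diagnose(authz):
    """Summarize the http-01 challenge: hop chain the CA followed and why it failed."""
    ident = authz["identifier"]["value"]
    report = {"identifier": ident, "status": authz.get("status"), "hops": [], "findings": []}
    for ch in authz.get("challenges", []):
        if ch.get("type") != "http-01":
            continue
        err = ch.get("error") or {}
        records = ch.get("validationRecord") or []
        # (hostname, port, address) for every hop, including redirects.
        report["hops"] = [(r["hostname"], r["port"], r["addressUsed"]) for r in records]
        if records:
            final = urlsplit(records[-1]["url"])
            if final.hostname != ident:
                report["findings"].append(
                    f"request for {ident} was redirected to {final.scheme}://{final.hostname}; "
                    "whatever serves that name answered the challenge, not this mailcow")
            elif final.scheme == "https" and len(records) > 1:
                report["findings"].append(
                    "request was redirected to HTTPS on the same host; the HTTPS side must serve the token")
        if err.get("status") in (403, 404):
            report["findings"].append(
                f"challenge URL answered HTTP {err['status']}: the host that got the request "
                "does not serve /.well-known/acme-challenge/")
        if not report["findings"] and err:
            report["findings"].append(f"{err.get('type')}: {err.get('detail')}")
    return report


def explain(line):
    """One-call helper: parse the line and diagnose it."""
    _, authz = parse_failed_authz(line)
    return diagnose(authz)


if __name__ == "__main__":
    rep = explain(SAMPLE_LOG)
    print(rep["identifier"], rep["status"])
    for hop in rep["hops"]:
        print("  hop:", hop)
    for f in rep["findings"]:
        print("  !!", f)
```

Run it against the real line with `docker-compose logs acme-mailcow | grep "Challenge did not pass" | python3 explain_authz.py` style piping after replacing SAMPLE_LOG with sys.stdin; the point to look at is whether the last hop's hostname is still the name being validated.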

  • Hi,
    I have a mail server at domain mydomain.mk and now I would like to change it to newdomain.net. How to do that?

    I did this:
    First I logged into the web UI as admin and added mail.newdomain.net under Configuration - Domains - Add domain.

    I also added DNS records for mail.newdomain.net through my internet registrar.

    Then I ssh-ed into the server and did this:

    cd /opt/mailcow-dockerized
    docker-compose down
    nano mailcow.conf

    Then I changed MAILCOW_HOSTNAME=mail.mydomain.mk to MAILCOW_HOSTNAME=mail.newdomain.net.

    Finally, I said docker-compose up -d.

    First problem. openssl x509 -in /opt/mailcow-dockerized/data/assets/ssl/cert.pem -text still says that Subject: CN = mail.mydomain.mk and not mail.newdomain.net.

    Another problem. I am using Nginx proxy, so I changed /etc/nginx/sites-enabled/default - server_name, but I left SSL directives the same:

    ssl_certificate /opt/mailcow-dockerized/data/assets/ssl/cert.pem;
    ssl_certificate_key /opt/mailcow-dockerized/data/assets/ssl/key.pem;

    Now, when I go to the web UI (https://mail.newdomain.net), the web browser warns me that the certificate issued is not correct (which is expected, since openssl told me that Subject: CN = mail.mydomain.mk).

    However, how to go from one domain to another? Hopefully complete reinstall is not an option…
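After a hostname change the quick check is whether the certificate acme-mailcow last wrote still covers the names it will now request: MAILCOW_HOSTNAME, every ADDITIONAL_SAN entry, and (as the "Found domains:" line earlier on this page shows) autoconfig/autodiscover for each domain added in the UI. The following is an added example, not code from the post or from mailcow, that parses a mailcow.conf excerpt and the text output of `openssl x509 -noout -subject -ext subjectAltName` and reports missing and stale names. The config, the domain list and the openssl output are constructed; treating ADDITIONAL_SAN entries literally (comma separated, no wildcard handling) is an assumption of the example.

```python
"""Compare the names acme-mailcow will request with the names in the deployed cert.

Added example. Inputs below are constructed stand-ins for mailcow.conf, the UI
domain list, and `openssl x509 -in data/assets/ssl/cert.pem -noout -subject -ext subjectAltName`.
"""
import re

MAILCOW_CONF = """\
# mailcow.conf (constructed excerpt)
MAILCOW_HOSTNAME=mail.newdomain.net
ADDITIONAL_SAN=
SKIP_LETS_ENCRYPT=n
"""

# Domains present under Configuration - Domains (constructed).
MAIL_DOMAINS = ["mydomain.mk", "newdomain.net"]

# Certificate issued before the hostname change (constructed openssl output).
OPENSSL_OUT = """\
subject=CN = mail.mydomain.mk
X509v3 Subject Alternative Name:
    DNS:mail.mydomain.mk, DNS:autoconfig.mydomain.mk, DNS:autodiscover.mydomain.mk
"""


def parse_conf(text):
    """Minimal KEY=VALUE parser for mailcow.conf; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def expected_names(conf, mail_domains):
    """Names the ACME client asks for: hostname, ADDITIONAL_SAN entries (assumed
    comma separated and literal), plus autoconfig/autodiscover per mail domain."""
    names = {conf["MAILCOW_HOSTNAME"]}
    names.update(s.strip() for s in conf.get("ADDITIONAL_SAN", "").split(",") if s.strip())
    for domain in mail_domains:
        names.add(f"autoconfig.{domain}")
        names.add(f"autodiscover.{domain}")
    return names


def cert_names(openssl_text):
    """Subject CN plus every DNS SAN from the openssl text output."""
    names = set()
    m = re.search(r"subject=.*?CN\s*=\s*([^\s,/]+)", openssl_text)
    if m:
        names.add(m.group(1))
    names.update(re.findall(r"DNS:([^\s,]+)", openssl_text))
    return names


def coverage(conf_text, mail_domains, openssl_text):
    """Return which expected names the cert lacks and which cert names are no longer wanted."""
    conf = parse_conf(conf_text)
    want = expected_names(conf, mail_domains)
    have = cert_names(openssl_text)
    return {
        "hostname_covered": conf["MAILCOW_HOSTNAME"] in have,
        "missing": sorted(want - have),
        "stale": sorted(have - want),
    }


if __name__ == "__main__":
    result = coverage(MAILCOW_CONF, MAIL_DOMAINS, OPENSSL_OUT)
    print("hostname covered:", result["hostname_covered"])
    print("missing from cert:", ", ".join(result["missing"]) or "-")
    print("stale in cert:   ", ", ".join(result["stale"]) or "-")
```

An empty "missing" list with a browser still warning points at the proxy serving a different file than data/assets/ssl/cert.pem; a non-empty one means the renewal has not happened yet and the acme-mailcow log is the next place to look.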

  • When I installed MailCow on my domain mail.myserver.com, I can access the admin interface through https://mail.myserver.com/. Webmail (SOGo) login is available at https://mail.myserver.com/SOGo/.

    Now, I would like that when I go to https://mail.myserver.com/, I get the webmail login, and that the admin login would be available through, let’s say, https://mail.myserver.com/admin/.

    How to do that?

  • So, I have set up an account, for instance john.doe@mydomain.mk. Now I would like to add an alias for that mailbox, for instance john@mydomain.mk.

    How to do that?

    In Zimbra, you have a special field “aliases”, and you just add as many aliases as you like.

    So in my case, when mail is sent to john.doe@mydomain.mk or john@mydomain.mk, it will come to the same mailbox.

  • Hmm, now I did it this way:

    • In mailcow.conf I set SKIP_IP_CHECK=y and SKIP_HTTP_VERIFICATION=y
    • restarted acme-mailcow, and certificates got signed
    • in mailcow.conf set SKIP_HTTP_VERIFICATION=n (back to n)
    • restarted acme-mailcow, but the error “HTTP validation failed” happened again
    • so I went back and in mailcow.conf set SKIP_HTTP_VERIFICATION=y

    I hope this is OK, otherwise I am afraid automatic renewal will not be working.

  • Yes, I found out this. However, in the documentation it is written that skipping the HTTP validation is not recommended. Why?

  • Additional info. I reinstalled everything from scratch, and did not do the HTTPS redirection. I have the same setup as before (IPv6 disabled), and on port 80 I can see the login page. However, on 443 the certificate is self-signed, and the logs keep saying that HTTP validation failed.

  • Actually, I figured out something, but got stuck on another problem…
    First, I disabled IPv6 according to documentation (because I don’t have it).

    Then I run these commands:

    cd /opt/mailcow-dockerized
    touch data/assets/ssl/force_renew
    docker-compose restart acme-mailcow

    When I run docker-compose logs --tail=200 -f acme-mailcow I get this error:

    acme-mailcow_1       | OK
    acme-mailcow_1       | Thu Feb 10 16:45:23 CET 2022 - Initializing, please wait...
    acme-mailcow_1       | Thu Feb 10 16:45:23 CET 2022 - Using existing domain rsa key /var/lib/acme/acme/key.pem
    acme-mailcow_1       | Thu Feb 10 16:45:23 CET 2022 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
    acme-mailcow_1       | Thu Feb 10 16:45:23 CET 2022 - Detecting IP addresses...
    acme-mailcow_1       | Thu Feb 10 16:45:32 CET 2022 - OK: 185.58.xxx.xxx, 0000:0000:0000:0000:0000:0000:0000:0000
    acme-mailcow_1       | Thu Feb 10 16:45:33 CET 2022 - Found A record for autodiscover.mydomain.mk: 185.58.xxx.xxx
    
    acme-mailcow_1       | Thu Feb 10 16:47:42 CET 2022 - Confirmed A record with IP 185.58.xxx.xxx, but HTTP validation failed
    acme-mailcow_1       | Thu Feb 10 16:47:42 CET 2022 - Found A record for autoconfig.mydomain.mk: 185.58.xxx.xxx
    acme-mailcow_1       | Thu Feb 10 16:49:53 CET 2022 - Confirmed A record with IP 185.58.xxx.xxx, but HTTP validation failed
    acme-mailcow_1       | Thu Feb 10 16:49:53 CET 2022 - Found A record for mail.mydomain.mk: 185.58.180.221
    acme-mailcow_1       | Thu Feb 10 16:52:04 CET 2022 - Confirmed A record with IP 185.58.xxx.xxx, but HTTP validation failed
    acme-mailcow_1       | Thu Feb 10 16:52:04 CET 2022 - Cannot validate any hostnames, skipping Let's Encrypt for 1 hour.
    acme-mailcow_1       | Thu Feb 10 16:52:04 CET 2022 - Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently.
    acme-mailcow_1       | OK

    Also, port 80 is accessible from outside, I can verify it with curl http://185.58.xxx.xxx or curl http://mail.mydomain.mk (the same is true for port 443).

    Any idea?
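The log above shows the order acme-mailcow's own pre-check runs in: detect the public IPv4/IPv6 (the all-zero IPv6 is what it prints with IPv6 disabled), confirm the A record of each name matches, then fetch the challenge path over plain HTTP before ever talking to Let's Encrypt. The following is an added example, not mailcow's script, that mirrors that flow with an injectable resolver and HTTP fetcher so the same logic can be exercised offline; the DNS answers and HTTP responses are constructed. Treating a lingering AAAA record as a mismatch when IPv6 is disabled, and a fetcher that reports the final URL after redirects, are assumptions of the example, and SKIP_IP_CHECK=y only switches off the address comparison, the HTTP probe still has to pass.

```python
"""Offline stand-in for the acme-mailcow pre-check: IP vs DNS, then an HTTP-01 probe.

Added example. resolve(host) -> {"A": [...], "AAAA": [...]} and
fetch(url) -> (status, body, final_url_after_redirects) are injected so the
check runs against the constructed data below; swap in real DNS/HTTP to use it live.
"""
from urllib.parse import urlsplit

NULL_V6 = "0000:0000:0000:0000:0000:0000:0000:0000"  # printed when IPv6 is disabled
TOKEN = "probe"  # constructed challenge token

# Constructed DNS: one name still carries an AAAA record although the host has no IPv6.
FAKE_DNS = {
    "mail.mydomain.mk": {"A": ["185.58.0.10"]},
    "autodiscover.mydomain.mk": {"A": ["185.58.0.10"]},
    "autoconfig.mydomain.mk": {"A": ["185.58.0.10"], "AAAA": ["2001:db8::10"]},
}

# Constructed HTTP: (status, body, final URL). The autodiscover name sits behind a
# front nginx that redirects everything to HTTPS and does not proxy the challenge path.
FAKE_HTTP = {
    f"http://mail.mydomain.mk/.well-known/acme-challenge/{TOKEN}":
        (200, TOKEN, f"http://mail.mydomain.mk/.well-known/acme-challenge/{TOKEN}"),
    f"http://autodiscover.mydomain.mk/.well-known/acme-challenge/{TOKEN}":
        (404, "<!DOCTYPE html>", f"https://autodiscover.mydomain.mk/.well-known/acme-challenge/{TOKEN}"),
    f"http://autoconfig.mydomain.mk/.well-known/acme-challenge/{TOKEN}":
        (200, TOKEN, f"http://autoconfig.mydomain.mk/.well-known/acme-challenge/{TOKEN}"),
}


def fake_resolve(host):
    return FAKE_DNS.get(host, {})


def fake_fetch(url):
    return FAKE_HTTP.get(url, (404, "", url))


def check_host(host, public_v4, public_v6, resolve, fetch, token=TOKEN, skip_ip_check=False):
    """Return {"host", "ok", "reason", "steps"} for one hostname."""
    steps = []
    records = resolve(host)
    a_recs, aaaa_recs = records.get("A", []), records.get("AAAA", [])
    if not a_recs and not aaaa_recs:
        return {"host": host, "ok": False, "reason": "no-address-record", "steps": steps}
    if not skip_ip_check:
        if a_recs and public_v4 not in a_recs:
            return {"host": host, "ok": False, "reason": "a-record-points-elsewhere", "steps": steps}
        # Assumption: an AAAA record that this host cannot answer counts as a mismatch.
        if aaaa_recs and (public_v6 == NULL_V6 or public_v6 not in aaaa_recs):
            return {"host": host, "ok": False, "reason": "aaaa-record-but-no-ipv6-here", "steps": steps}
        steps.append(f"confirmed A record for {host}: {', '.join(a_recs)}")
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    status, body, final_url = fetch(url)
    if final_url != url:
        steps.append(f"redirected to {final_url}")
    final = urlsplit(final_url)
    if status == 200 and body.strip() == token:
        reason = "ok"  # redirects are fine as long as the token comes back
    elif final.hostname != host:
        reason = "redirected-to-other-host"
    elif status != 200:
        reason = f"http-{status}"
    else:
        reason = "token-mismatch"
    return {"host": host, "ok": reason == "ok", "reason": reason, "steps": steps}


def run_demo(skip_ip_check=False):
    """Check every constructed name as a host with public IPv4 185.58.0.10 and no IPv6."""
    return {
        h: check_host(h, "185.58.0.10", NULL_V6, fake_resolve, fake_fetch, TOKEN, skip_ip_check)
        for h in FAKE_DNS
    }


if __name__ == "__main__":
    for host, res in run_demo().items():
        print(f"{host}: {res['reason']}")
        for step in res["steps"]:
            print("   ", step)
```

With the constructed data, mail.mydomain.mk passes, autodiscover.mydomain.mk fails with http-404 after the redirect to HTTPS (the front proxy never hands the challenge path to mailcow), and autoconfig.mydomain.mk fails on the AAAA record until the IP check is skipped. A `curl http://mail.mydomain.mk` that returns the login page proves port 80 is open but says nothing about /.well-known/acme-challenge/, which is the path the probe actually needs.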

  • Hi,

    I just set up a fresh MailCow installation but unfortunately found out that my ISP was blocking ports 80 and 443 at the time. So Let’s Encrypt was unable to sign my certificates (I guess this is the ACME module in MailCow).

    My question is - when my ISP removes the blocking - how can I re-run this module and get server’s certificates signed by Let’s Encrypt?

    Thanks.