Cannot generate certificate for the mail server and domains #5710

eakteam · 2024-02-07T03:41:08Z

Contribution guidelines

I've read the contribution guidelines and wholeheartedly agree

I've found a bug and checked that ...

... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
... I have understood that answers are voluntary and community-driven, and not commercial support.
... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

I have tried many options but none of them succeed.

Logs:

acme-mailcow-1  | 2024-02-07T03:26:44.884461009Z Wed Feb  7 03:26:44 UTC 2024 - Waiting for Docker API...
acme-mailcow-1  | 2024-02-07T03:26:44.889801069Z Wed Feb  7 03:26:44 UTC 2024 - Docker API OK
acme-mailcow-1  | 2024-02-07T03:26:44.894549561Z Wed Feb  7 03:26:44 UTC 2024 - Waiting for Postfix...
acme-mailcow-1  | 2024-02-07T03:26:44.899584557Z Wed Feb  7 03:26:44 UTC 2024 - Postfix OK
acme-mailcow-1  | 2024-02-07T03:26:44.903322292Z Wed Feb  7 03:26:44 UTC 2024 - Waiting for Dovecot...
acme-mailcow-1  | 2024-02-07T03:26:44.908192572Z Wed Feb  7 03:26:44 UTC 2024 - Dovecot OK
acme-mailcow-1  | 2024-02-07T03:26:44.934128091Z Wed Feb  7 03:26:44 UTC 2024 - Waiting for database...
acme-mailcow-1  | 2024-02-07T03:26:44.941868676Z Wed Feb  7 03:26:44 UTC 2024 - Database OK
acme-mailcow-1  | 2024-02-07T03:26:44.946148245Z Wed Feb  7 03:26:44 UTC 2024 - Waiting for Nginx...
acme-mailcow-1  | 2024-02-07T03:26:44.954395504Z Wed Feb  7 03:26:44 UTC 2024 - Nginx OK
acme-mailcow-1  | 2024-02-07T03:26:44.958481640Z Wed Feb  7 03:26:44 UTC 2024 - Waiting for resolver...
acme-mailcow-1  | 2024-02-07T03:26:44.987465466Z Wed Feb  7 03:26:44 UTC 2024 - Resolver OK
acme-mailcow-1  | 2024-02-07T03:26:44.991715533Z Wed Feb  7 03:26:44 UTC 2024 - Waiting for domain table...
acme-mailcow-1  | 2024-02-07T03:26:45.025901943Z OK
acme-mailcow-1  | 2024-02-07T03:26:45.030362607Z Wed Feb  7 03:26:45 UTC 2024 - Initializing, please wait...
acme-mailcow-1  | 2024-02-07T03:26:45.182615385Z Wed Feb  7 03:26:45 UTC 2024 - Using existing domain rsa key /var/lib/acme/acme/key.pem
acme-mailcow-1  | 2024-02-07T03:26:45.186814481Z Wed Feb  7 03:26:45 UTC 2024 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
acme-mailcow-1  | 2024-02-07T03:26:45.192182264Z Wed Feb  7 03:26:45 UTC 2024 - Detecting IP addresses...
acme-mailcow-1  | 2024-02-07T03:27:05.135398087Z Wed Feb  7 03:27:05 UTC 2024 - OK: 94.130.***.***, 0000:0000:0000:0000:0000:0000:0000:0000
acme-mailcow-1  | 2024-02-07T03:27:08.240391779Z Wed Feb  7 03:27:08 UTC 2024 - Found A record for mail.example2.com: 94.130.***.***
acme-mailcow-1  | 2024-02-07T03:27:08.243921248Z (skipping check, returning 0)
acme-mailcow-1  | 2024-02-07T03:27:08.244715430Z Wed Feb  7 03:27:08 UTC 2024 - Confirmed A record 94.130.***.***
acme-mailcow-1  | 2024-02-07T03:27:08.322631354Z Wed Feb  7 03:27:08 UTC 2024 - No A or AAAA record found for hostname autodiscover.example2.com
acme-mailcow-1  | 2024-02-07T03:27:09.925344598Z Wed Feb  7 03:27:09 UTC 2024 - No A or AAAA record found for hostname autoconfig.example2.com
acme-mailcow-1  | 2024-02-07T03:27:10.773768371Z Wed Feb  7 03:27:10 UTC 2024 - Found AAAA record for mail.example.com: 2a06:98c1:3120::3 - skipping A record check
acme-mailcow-1  | 2024-02-07T03:27:10.788159506Z Wed Feb  7 03:27:10 UTC 2024 - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname mail.example.com (DNS returned 2a06:98c1:3120:0000:0000:0000:0000:0003)
acme-mailcow-1  | 2024-02-07T03:27:10.859053719Z Wed Feb  7 03:27:10 UTC 2024 - No A or AAAA record found for hostname autodiscover.example.com
acme-mailcow-1  | 2024-02-07T03:27:12.443101282Z Wed Feb  7 03:27:12 UTC 2024 - No A or AAAA record found for hostname autoconfig.example.com
acme-mailcow-1  | 2024-02-07T03:27:14.805407376Z Wed Feb  7 03:27:14 UTC 2024 - Found A record for server.example.com: 94.130.***.***
acme-mailcow-1  | 2024-02-07T03:27:14.809259789Z (skipping check, returning 0)
acme-mailcow-1  | 2024-02-07T03:27:14.809955374Z Wed Feb  7 03:27:14 UTC 2024 - Confirmed A record 94.130.***.***
acme-mailcow-1  | 2024-02-07T03:27:14.818224099Z Wed Feb  7 03:27:14 UTC 2024 - Certificate /var/lib/acme/server.example.com/cert.pem missing or changed domains 'server.example.com mail.example2.com' - start obtaining
acme-mailcow-1  | 2024-02-07T03:27:14.844098568Z Wed Feb  7 03:27:14 UTC 2024 - Checking resolver...
acme-mailcow-1  | 2024-02-07T03:27:14.873759357Z Wed Feb  7 03:27:14 UTC 2024 - Resolver OK
acme-mailcow-1  | 2024-02-07T03:27:14.878097085Z Wed Feb  7 03:27:14 UTC 2024 - Using command acme-tiny   --account-key /var/lib/acme/acme/account.pem --disable-check --csr /var/lib/acme/server.example.com/acme.csr --acme-dir /var/www/acme/
acme-mailcow-1  | 2024-02-07T03:27:14.946208710Z Parsing account key...
acme-mailcow-1  | 2024-02-07T03:27:14.957922986Z Parsing CSR...
acme-mailcow-1  | 2024-02-07T03:27:14.962523256Z Found domains: mail.example2.com, server.example.com
acme-mailcow-1  | 2024-02-07T03:27:14.962538109Z Getting directory...
acme-mailcow-1  | 2024-02-07T03:27:16.918159332Z Directory found!
acme-mailcow-1  | 2024-02-07T03:27:16.918186514Z Registering account...
acme-mailcow-1  | 2024-02-07T03:27:17.793018500Z Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/1557618027
acme-mailcow-1  | 2024-02-07T03:27:17.793037652Z Creating new order...
acme-mailcow-1  | 2024-02-07T03:27:18.877531632Z Order created!
acme-mailcow-1  | 2024-02-07T03:27:19.758138508Z Verifying server.example.com...
acme-mailcow-1  | 2024-02-07T03:27:21.738304297Z Traceback (most recent call last):
acme-mailcow-1  | 2024-02-07T03:27:21.738323959Z   File "/usr/bin/acme-tiny", line 8, in <module>
acme-mailcow-1  | 2024-02-07T03:27:21.738328438Z     sys.exit(main())
acme-mailcow-1  | 2024-02-07T03:27:21.738331769Z              ^^^^^^
acme-mailcow-1  | 2024-02-07T03:27:21.738335233Z   File "/usr/lib/python3.11/site-packages/acme_tiny.py", line 195, in main
acme-mailcow-1  | 2024-02-07T03:27:21.738490336Z     signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
acme-mailcow-1  | 2024-02-07T03:27:21.738499834Z                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
acme-mailcow-1  | 2024-02-07T03:27:21.738504082Z   File "/usr/lib/python3.11/site-packages/acme_tiny.py", line 153, in get_crt
acme-mailcow-1  | 2024-02-07T03:27:21.738608789Z     raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
acme-mailcow-1  | 2024-02-07T03:27:21.738638938Z ValueError: Challenge did not pass for server.example.com: {'identifier': {'type': 'dns', 'value': 'server.example.com'}, 'status': 'invalid', 'expires': '2024-02-14T03:08:37Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': '94.130.***.***: Invalid response from http://server.example.com/.well-known/acme-challenge/tX_UNOZ6brUp85eWIMcnhKINsFH5IT4YPOBCaFC2A1I: 404', 'status': 403}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/312465848987/kHsWuw', 'token': 'tX_UNOZ6brUp85eWIMcnhKINsFH5IT4YPOBCaFC2A1I', 'validationRecord': [{'url': 'http://server.example.com/.well-known/acme-challenge/tX_UNOZ6brUp85eWIMcnhKINsFH5IT4YPOBCaFC2A1I', 'hostname': 'server.example.com', 'port': '80', 'addressesResolved': ['94.130.***.***'], 'addressUsed': '94.130.***.***'}], 'validated': '2024-02-07T03:27:20Z'}]}
acme-mailcow-1  | 2024-02-07T03:27:21.755974385Z Wed Feb  7 03:27:21 UTC 2024 - Failed to obtain certificate /var/lib/acme/server.example.com/cert.pem for domains 'server.example.com mail.example2.com'
acme-mailcow-1  | 2024-02-07T03:27:21.761401450Z OK
acme-mailcow-1  | 2024-02-07T03:27:21.762587411Z Wed Feb  7 03:27:21 UTC 2024 - Some errors occurred, retrying in 30 minutes...
acme-mailcow-1  | 2024-02-07T03:27:21.768055481Z OK

Steps to reproduce:

Install mailcow and try to install ssl certificate.
Trying to connect via Gmail App through imap it says connection is not secure, certificate not trusted.

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Ubuntu 22.04 LTS

Server/VM specifications:

8

Is Apparmor, SELinux or similar active?

?

Virtualization technology:

KVM

Docker version:

25.0.3

docker-compose version or docker compose version:

2.24.5

mailcow version:

2024-01d

Reverse proxy:

No

Logs of git diff:

Logs of iptables -L -vn:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
54330   11M MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
98831   29M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
98831   29M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
72546   22M ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 6678  423K DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
19419 6382K ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
 6591  419K ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0
  190 77906 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
  153 41474 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.6           tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    2   120 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    9   540 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    3   180 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    6   360 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
    1    40 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
   47  2460 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
    6   328 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:443
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
19419 6382K DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
  153 41474 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
 307K  319M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
76164   16M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 307K  319M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MAILCOW (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */

Logs of ip6tables -L -vn:

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  283 15028 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8284  609K MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
   16  1018 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.5           172.22.1.5           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.6           172.22.1.6           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.8           172.22.1.8           tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.8           172.22.1.8           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.5:8983
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.6:3306
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    2   120 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
    9   540 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    3   180 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    6   360 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
    1    40 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
   47  2460 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
    6   328 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.8:443
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.8:80

Logs of ip6tables -L -vn -t nat:

DNS check:

The text was updated successfully, but these errors were encountered:

milkmaker · 2024-02-09T07:19:23Z

THIS IS A AUTOMATED MESSAGE!

It seems your issue is not a bug.
Therefore we highly advise you to get support!

You can get support either by:

ordering a paid support contract at Servercow (Directly from the developers) or
using the community forum (Based on volunteers! NO guaranteed answer) or
using the Telegram support channel (Based on volunteers! NO guaranteed answer)

This issue will be closed. If you think your reported issue is not a support case feel free to comment above and if so the issue will reopened.

unick4759 · 2025-02-12T08:58:10Z

i also meet ssl problem,but i am according to the mailcow start doc . the most important is it work ok at the first installation and then occur wrong after intall mailcow again.

eakteam added the bug label Feb 7, 2024

DerLinkman added support please consider asking at https://community.mailcow.email/ or https://t.me/mailcow and removed bug support please consider asking at https://community.mailcow.email/ or https://t.me/mailcow labels Feb 7, 2024

milkmaker closed this as not planned Won't fix, can't repro, duplicate, stale Feb 9, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cannot generate certificate for the mail server and domains #5710

Cannot generate certificate for the mail server and domains #5710

eakteam commented Feb 7, 2024

milkmaker commented Feb 9, 2024

unick4759 commented Feb 12, 2025

Cannot generate certificate for the mail server and domains #5710

Cannot generate certificate for the mail server and domains #5710

Comments

eakteam commented Feb 7, 2024

Contribution guidelines

I've found a bug and checked that ...

Description

Logs:

Steps to reproduce:

Which branch are you using?

Which architecture are you using?

Operating System:

Server/VM specifications:

Is Apparmor, SELinux or similar active?

Virtualization technology:

Docker version:

docker-compose version or docker compose version:

mailcow version:

Reverse proxy:

Logs of git diff:

Logs of iptables -L -vn:

Logs of ip6tables -L -vn:

Logs of iptables -L -vn -t nat:

Logs of ip6tables -L -vn -t nat:

DNS check:

milkmaker commented Feb 9, 2024

unick4759 commented Feb 12, 2025