Let's Encrypt issue when using Alternative names

Issue #636 new
Former user created an issue

Hi, I have just installed poste.io and configured everything correctly according to poste.io's nice documentation. I have a mail.my.dom A record and 2 CNAME records (imap.my.domain and smtp.my.domain), and all these records point to my poste.io container.

1) When I issue the Let's Encrypt certificate with Common name: mail.my.dom, Alternative names: empty => I get the certificate.

2) When I issue the Let's Encrypt certificate with Common name: mail.my.dom, Alternative names: smtp.my.domain and imap.my.domain (one per line) => the process stops without error after trying the challenge for the first common name (smtp.my.dom in my case).

Here is the logfile:

    [2019-04-15 17:39:29] LEScript.INFO: Account already registered. Continuing.
    [2019-04-15 17:39:29] LEScript.INFO: Starting certificate generation process for domains
    [2019-04-15 17:39:29] LEScript.INFO: Requesting challenge for mail.my.dom
    [2019-04-15 17:39:29] LEScript.INFO: Sending signed request to /acme/new-authz
    [2019-04-15 17:39:30] LEScript.INFO: Got challenge token for mail.my.dom
    [2019-04-15 17:39:30] LEScript.INFO: Token for mail.my.dom saved at /opt/www//.well-known/acme-challenge/YXwiv9t2FK93lKDxFb3qfqRugkbCYIH8xDbJxulRA5A and should be available at http://mail.my.dom/.well-known/acme-challenge/YXwiv9t2FK93lKDxFb3qfqRugkbCYIH8xDbJxulRA5A
    [2019-04-15 17:39:30] LEScript.INFO: Sending request to challenge
    [2019-04-15 17:39:30] LEScript.INFO: Sending signed request to https://acme-v01.api.letsencrypt.org/acme/challenge/aqgI19S_YEvvp15cz9cKrVNrZScxp8dARqcgQQTIMZU/14800774255
    [2019-04-15 17:39:31] LEScript.INFO: Verification ended with status: valid
    [2019-04-15 17:39:31] LEScript.INFO: Requesting challenge for smtp..my.dom
    [2019-04-15 17:39:31] LEScript.INFO: Sending signed request to /acme/new-authz
    [2019-04-15 17:39:32] LEScript.INFO: Got challenge token for smtp..my.dom
    [2019-04-15 17:39:32] LEScript.INFO: Token for smtp.my.dom saved at /opt/www//.well-known/acme-challenge/iFEmpkv1TihhDNt8RJ9WJvTo29gQtkozgpZ_fqhpZ8Q and should be available at http://smtp.my.dom/.well-known/acme-challenge/iFEmpkv1TihhDNt8RJ9WJvTo29gQtkozgpZ_fqhpZ8Q

I am sure my reverse proxy is configured correctly because from many locations I am able to grab http://smtp.my.dom/.well-known/acme-challenge/iFEmpkv1TihhDNt8RJ9WJvTo29gQtkozgpZ_fqhpZ8Q

Any idea?

Thanks in advance.

Best regards,
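The log above never shows "Verification ended" for the second name, and the "Requesting challenge" entry for it reads "smtp..my.dom" with a double dot while the token line reads "smtp.my.dom". The following script is an added example, not poste.io's or LEScript's code: it groups LEScript-style log lines per hostname so the name whose authorization never finished stands out, and it flags hostnames that are not well-formed (empty labels, stray whitespace), which is the kind of defect a one-name-per-line alternative-names field can pick up. The sample log is constructed from the entries quoted in this issue.

```python
"""Summarize an ACME http-01 run from LEScript-style log lines (added example)."""
import re

# Constructed sample, modelled on the log quoted in the issue (timestamps/names as posted).
SAMPLE_LOG = """\
[2019-04-15 17:39:29] LEScript.INFO: Starting certificate generation process for domains
[2019-04-15 17:39:29] LEScript.INFO: Requesting challenge for mail.my.dom
[2019-04-15 17:39:30] LEScript.INFO: Got challenge token for mail.my.dom
[2019-04-15 17:39:30] LEScript.INFO: Sending request to challenge
[2019-04-15 17:39:31] LEScript.INFO: Verification ended with status: valid
[2019-04-15 17:39:31] LEScript.INFO: Requesting challenge for smtp..my.dom
[2019-04-15 17:39:32] LEScript.INFO: Got challenge token for smtp..my.dom
"""

REQUEST_RE = re.compile(r"Requesting challenge for (\S+)")
TOKEN_RE = re.compile(r"Got challenge token for (\S+)")
RESULT_RE = re.compile(r"Verification ended with status: (\S+)")
# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def hostname_problems(name):
    """Return the reasons why `name` is not a well-formed DNS hostname (empty list if it is)."""
    problems = []
    if name != name.strip():
        problems.append("leading/trailing whitespace")
    stripped = name.strip().rstrip(".")  # a single trailing dot (FQDN form) is legal
    for label in stripped.split("."):
        if label == "":
            problems.append("empty label (double dot)")
        elif not LABEL_RE.match(label):
            problems.append("invalid label %r" % label)
    return problems


def summarize_challenges(log_text):
    """Return [(hostname, final_state, problems)] in the order the names were requested.

    States: 'requested' (authz asked for), 'token' (token received, not yet verified),
    or the CA status from the result line ('valid', 'invalid', ...). LEScript's result
    line does not repeat the hostname, so it is attributed to the most recently
    requested name, which is the order the client processes them in.
    """
    states, order, current = {}, [], None
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            current = m.group(1)
            order.append(current)
            states[current] = "requested"
            continue
        if current and TOKEN_RE.search(line):
            states[current] = "token"
            continue
        m = RESULT_RE.search(line)
        if m and current:
            states[current] = m.group(1)
    return [(name, states[name], hostname_problems(name)) for name in order]


def unfinished(log_text):
    """Names whose authorization never reached a final CA status."""
    return [n for n, state, _ in summarize_challenges(log_text) if state in ("requested", "token")]


if __name__ == "__main__":
    for name, state, problems in summarize_challenges(SAMPLE_LOG):
        print("%-16s %-10s %s" % (name, state, "; ".join(problems) or "ok"))
    print("stuck:", unfinished(SAMPLE_LOG))
```

Run against a real run of the poste.io ACME client, the "stuck" list names the entry to look at first, and a non-empty problems column for that entry points at the alternative-names input rather than at the proxy.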

Comments (5)

  1. nat rium

    Hi again, can anyone confirm that the poste.io ACME client is able to get Let's Encrypt certificates with Alternate Names?

    Thanks in advance.

    Best regards.

  2. nat rium

    Hi, what's wrong with my issue? Isn't it interesting enough to take the time to answer it? I don't need help debugging the Let's Encrypt issue I described; I simply need to know if, in the current version of poste.io, the ACME client is able to get Let's Encrypt certificates with alternate names or not... In my opinion, that's a simple question.

    Best Regards

  3. SH repo owner

    Try to test https://<your-server>/admin/server/connection at first

    Then check that your firewall is not blocking LE connections.

  4. nat rium

    Hi SH, first, thank you for answering my issue.

    To give more information on my setup, I use Traefik as reverse proxy for poste.io. I have been inspired by https://bitbucket.org/analogic/mailserver/issues/374/how-to-use-le-certs-produced-by-trafficio for the docker-compose.yml. Traefik listens on ports 80 and 443.

    What I do is the following:

    • Traefik generates a wildcard certificate for my domain.tld (DNS challenge) and I use it to connect to poste.io, which listens on port 80; I have specific labels that allow me (based on FQDN) to access the webmail or the admin interface.

    • I use some specific Traefik labels to redirect anything to *.mydomain.tld/.well-known/ on port 80 to port 80 of the poste.io container, to allow poste.io to generate the appropriate certificate with its own ACME client (HTTP challenge).

    • As I said previously (first post), poste.io is able to handle the certificate for mail.mydomain.tld with its own ACME client, but when I add alternate names (imap.my.domain and smtp.my.domain) it stops without error after
    [2019-04-15 17:39:32] LEScript.INFO: Token for smtp.my.dom saved at /opt/www//.well-known/acme-challenge/iFEmpkv1TihhDNt8RJ9WJvTo29gQtkozgpZ_fqhpZ8Q and should be available at http://smtp.my.dom/.well-known/acme-challenge/iFEmpkv1TihhDNt8RJ9WJvTo29gQtkozgpZ_fqhpZ8Q

    and does not go further; then I receive an email in the admin mailbox telling me that there is an error (same as the output of the "Let's Encrypt" section of your mail server).

    Here is my docker-compose for poste.io:

    version: "3"
    services:
      poste.io:
        image: analogic/poste.io
        container_name: poste.io
        hostname: mail.mydomain.tld
        volumes:
          - /lab/docker-host-volumes/poste.io/data:/data
          - /etc/localtime:/etc/localtime:ro
        networks:
          - traefik
        ports:
          - '25:25'     # SMTP - mostly processing incoming mails
          #- '8181:80'  # HTTP - redirect to https (see options) and authentication for Let's Encrypt service
          #- '110:110'  # POP3 - standard protocol for accessing mailbox, STARTTLS is required before client auth
          #- '143:143'  # IMAP - standard protocol for accessing mailbox, STARTTLS is required before client auth
          #- '4443:443' # HTTPS - access to administration or webmail client
          - '587:587'   # MSA - SMTP port used primarily for email clients after STARTTLS and auth
          - '993:993'   # IMAPS - alternative port for IMAP, encrypted since connection
          #- '995:995'  # POP3S - encrypted POP3 since connection
        environment:
          - HOSTNAME=mail.mydomain.tld
          - HTTPS=OFF
          - DISABLE_CLAMAV=TRUE
          - LETSENCRYPT_EMAIL=postmaster@mydomain.tld
          - LETSENCRYPT_HOST=mail.mydomain.tld
          - VIRTUAL_HOST=mail.mydomain.tld
        restart: always
        labels:
          # Segment "posteioacme": plain-HTTP route for the http-01 challenge path of
          # every subdomain of mydomain.tld (label originally posted without the "=").
          - "traefik.posteioacme.backend=posteioacme"
          - "traefik.posteioacme.frontend.rule=HostRegexp:mydomain.tld,{subdomain:[a-z]*}.mydomain.tld;PathPrefix:/.well-known/"
          - "traefik.posteioacme.port=80"
          - "traefik.posteioacme.protocol=http"
          - "traefik.posteioacme.frontend.entryPoints=http"
          # Segment "webmail": webmail UI, forced to HTTPS by Traefik
          - "traefik.webmail.backend=webmail"
          - "traefik.webmail.frontend.rule=Host:webmail.mydomain.tld"
          - "traefik.webmail.frontend.redirect.regex=webmail.mydomain.tld/admin"
          - "traefik.webmail.frontend.redirect.replacement=webmail.mydomain.tld/webmail"
          - "traefik.webmail.port=80"
          - "traefik.webmail.frontend.headers.SSLRedirect=true"
          # Segment "admin": administration UI, HTTPS only and restricted to a source IP range
          - "traefik.admin.backend=posteio"
          - "traefik.admin.frontend.rule=Host:posteio.mydomain.tld"
          - "traefik.admin.frontend.redirect.regex=posteio.mydomain.tld/webmail"
          - "traefik.admin.frontend.redirect.replacement=posteio.mydomain.tld/admin/"
          - "traefik.admin.frontend.whiteList.sourceRange=xxxxxxxxxxxxxxxxxxxxxxxxxxx"
          - "traefik.admin.port=80"
          - "traefik.admin.frontend.headers.SSLRedirect=true"
          - "traefik.enable=true"

    networks:
      traefik:
        external:
          name: traefik-net


    With this setup:

    • I can connect to webmail and admin.
    • The poste.io integrated ACME client is able to handle a certificate for mail.mydomain.tld.
    • The poste.io integrated ACME client is not able to handle a certificate for imap.mydomain.tld and smtp.mydomain.tld.
    • Everything works correctly: I can use SMTPS and IMAPS from anywhere, but I cannot use the specific aliases I have created in my public DNS zone for IMAP and SMTP, otherwise I get a certificate error for smtp.mydomain.tld and imap.mydomain.tld.

    Your suggestions:

    • I can't see anything in my firewall logs that shows LE connections being blocked. As I said in my first post, when the poste.io integrated ACME client generates the token for smtp.mydomain.tld (I repeat, this is an alternate name) I can access it from anywhere on earth (I have tried from my HP, my company and so on), so I can conclude that Traefik perfectly handles the bypass to the poste.io integrated ACME client (HTTP challenge).
    • On the other hand, the Server connection diagnostics has always shown a red alert:

    Server connection diagnostics.jpg

    Intermediate remarks:

    • In the context of Traefik generating certificates with the DNS challenge, this docker-compose for poste.io could be included in your documentation if you wish.
    • Traefik is getting really popular these days.
    • When Traefik 2.0 is released, I will update this docker-compose, and I guess it will be easier to handle these cases where containers must use their internal ACME client.

    Back to the original issue:

    • SH, what do you think about my issue (the ACME client process stops without any valid reason; my server connection diagnostic)?

    Thank you very much for your help

    Best regards,

  5. nat rium

    Today I got an email from the poste.io container after the Let's Encrypt failure (before, the process stopped without any alert from poste.io) when adding the first alternate name "smtp.mydomain.tld":

    06:26:06 ERROR     [app] Please check http://smtp.mydomain.tld/.well-known/acme-challenge/eiUTi6IQD5wH9nks2biCBHST_fFboXO2IzW--jgJgM0 - token not available
    06:26:06 ERROR     [app] #0 /opt/admin/src/AppBundle/Handler/LeHandler.php(61): Analogic\ACME\Lescript->signDomains(Array)
    06:26:06 ERROR     [app] #1 /opt/admin/src/AppBundle/CommandInternal/RenewCommand.php(30): AppBundle\Handler\LeHandler->renew()
    06:26:06 ERROR     [app] #2 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/Console/Command/Command.php(255): AppBundle\CommandInternal\RenewCommand->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
    06:26:06 ERROR     [app] #3 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/Console/Application.php(978): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
    06:26:06 ERROR     [app] #4 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/Console/Application.php(255): Symfony\Component\Console\Application->doRunCommand(Object(AppBundle\CommandInternal\RenewCommand), Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
    06:26:06 ERROR     [app] #5 /opt/admin/src/AppBundle/CommandInternal/Application.php(79): Symfony\Component\Console\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
    06:26:06 ERROR     [app] #6 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/Console/Application.php(148): AppBundle\CommandInternal\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
    06:26:06 ERROR     [app] #7 /opt/admin/bin/mailserver(16): Symfony\Component\Console\Application->run(Object(Symfony\Component\Console\Input\ArgvInput))
    06:26:06 ERROR     [app] #8 {main}
    

    Maybe this information is helpful to diagnose the issue.

    Best regards,
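The "token not available" line in that traceback is the client fetching its own challenge URL before it submits the challenge to the CA. The script below is an added example, not poste.io's or LEScript's code: it performs that same self-check for every name that will go into the certificate (the common name plus each alternative name), placing a throwaway token in the webroot and fetching http://<name>/.well-known/acme-challenge/<token> over plain HTTP, so a name whose challenge path is not routed to the mail container is reported before the CA is involved. The `fetch` argument is injected; `simulated_proxy` and `demo` are constructed stand-ins (only mail.my.dom is routed) so the check runs offline, and `http_get` is the real fetcher to pass in production.

```python
"""Pre-flight http-01 reachability check for every name in a certificate (added example)."""
import os
import secrets
import tempfile
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def write_token(webroot, token, body):
    """Place the challenge body where the web server serves /.well-known/acme-challenge/."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(body)
    return path


def http_get(url, timeout=10):
    """Real fetcher: returns (status, body); HTTP and connection errors become a status, not an exception."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def preflight(names, webroot, fetch=http_get):
    """Return {name: problem or None}; None means the name passed the self-check.

    A pass requires HTTP 200 and a body equal to the token body. A 200 with a different
    body means some other service (a default backend, a redirect page) answers for that
    name, which would fail CA validation just as a 404 would.
    """
    results = {}
    for raw in names:
        name = raw.strip().lower()      # strip stray whitespace from one-name-per-line input
        if not name:
            continue
        token = secrets.token_urlsafe(32)
        body = token + ".preflight"
        path = write_token(webroot, token, body)
        try:
            status, got = fetch("http://%s%s%s" % (name, ACME_PATH, token))
        finally:
            os.remove(path)             # never leave throwaway tokens in the webroot
        if status != 200:
            results[name] = "token not available (HTTP %s)" % status
        elif got.strip() != body:
            results[name] = "unexpected body: another service answers for this name"
        else:
            results[name] = None
    return results


def simulated_proxy(webroot, routed_names):
    """Constructed stand-in for a reverse proxy: only hosts in `routed_names` reach the webroot."""
    def fetch(url):
        host, _, path = url[len("http://"):].partition("/")
        if host not in routed_names:
            return 404, "<html>default backend</html>"
        file_path = os.path.join(webroot, *path.split("/"))
        if not os.path.isfile(file_path):
            return 404, ""
        with open(file_path) as fh:
            return 200, fh.read()
    return fetch


def demo():
    """Run the check with the simulated proxy; names are constructed, mirroring the issue."""
    with tempfile.TemporaryDirectory() as webroot:
        fetch = simulated_proxy(webroot, {"mail.my.dom"})
        return preflight(["mail.my.dom", "smtp.my.dom", " imap.my.dom\n"], webroot, fetch)


if __name__ == "__main__":
    for name, problem in demo().items():
        print("%-14s %s" % (name, problem or "ok"))
```

With the real fetcher, run it on the host that serves the webroot before clicking the Let's Encrypt button; a name that fails here with a 404 from the proxy's default page is a routing problem (the HostRegexp/PathPrefix rule does not match that host), while a 200 with the wrong body means another frontend is catching the request first.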
