Let's Encrypt issue when using Alternative names
Hi, I have just installed poste.io and configured everything according to poste.io's nice documentation. I have a mail.my.dom A record and 2 CNAME records (imap.my.domain and smtp.my.domain), and all these records point to my poste.io container.
1) When I issue the Let's Encrypt certificate with Common name: mail.my.dom, Alternative names: empty => I get the certificate.
2) When I issue the Let's Encrypt certificate with Common name: mail.my.dom, Alternative names: smtp.my.domain and imap.my.domain (one per line) => the process stops without error after trying the challenge for the first common name (smtp.my.dom in my case).
Here is the logfile:
[2019-04-15 17:39:29] LEScript.INFO: Account already registered. Continuing.
[2019-04-15 17:39:29] LEScript.INFO: Starting certificate generation process for domains
[2019-04-15 17:39:29] LEScript.INFO: Requesting challenge for mail.my.dom
[2019-04-15 17:39:29] LEScript.INFO: Sending signed request to /acme/new-authz
[2019-04-15 17:39:30] LEScript.INFO: Got challenge token for mail.my.dom
[2019-04-15 17:39:30] LEScript.INFO: Token for mail.my.dom saved at /opt/www//.well-known/acme-challenge/YXwiv9t2FK93lKDxFb3qfqRugkbCYIH8xDbJxulRA5A and should be available at http://mail.my.dom/.well-known/acme-challenge/YXwiv9t2FK93lKDxFb3qfqRugkbCYIH8xDbJxulRA5A
[2019-04-15 17:39:30] LEScript.INFO: Sending request to challenge
[2019-04-15 17:39:30] LEScript.INFO: Sending signed request to https://acme-v01.api.letsencrypt.org/acme/challenge/aqgI19S_YEvvp15cz9cKrVNrZScxp8dARqcgQQTIMZU/14800774255
[2019-04-15 17:39:31] LEScript.INFO: Verification ended with status: valid
[2019-04-15 17:39:31] LEScript.INFO: Requesting challenge for smtp..my.dom
[2019-04-15 17:39:31] LEScript.INFO: Sending signed request to /acme/new-authz
[2019-04-15 17:39:32] LEScript.INFO: Got challenge token for smtp..my.dom
[2019-04-15 17:39:32] LEScript.INFO: Token for smtp.my.dom saved at /opt/www//.well-known/acme-challenge/iFEmpkv1TihhDNt8RJ9WJvTo29gQtkozgpZ_fqhpZ8Q and should be available at http://smtp.my.dom/.well-known/acme-challenge/iFEmpkv1TihhDNt8RJ9WJvTo29gQtkozgpZ_fqhpZ8Q
I am sure my reverse proxy is configured correctly because from many locations I am able to grab http://smtp.my.dom/.well-known/acme-challenge/iFEmpkv1TihhDNt8RJ9WJvTo29gQtkozgpZ_fqhpZ8Q
Any idea?
Thanks in advance.
Best regards,
Hi, what's wrong with my issue? Isn't it interesting enough to take the time to answer it? I don't need help debugging the Let's Encrypt issue I described; I simply need to know whether, in the current version of poste.io, the ACME client is able to get Let's Encrypt certificates with alternate names or not... In my opinion, that's a simple question.
Best Regards
repo owner: Try to test https://<your-server>/admin/server/connection first.
Then check that your firewall is not blocking LE connections.
Hi SH, first, thank you for answering my issue.
To give more information on my setup, I use Traefik as a reverse proxy for poste.io. I was inspired by https://bitbucket.org/analogic/mailserver/issues/374/how-to-use-le-certs-produced-by-trafficio for the docker-compose.yml. Traefik listens on ports 80 and 443.
What I do is the following:
- Traefik generates a wildcard certificate for my domain.tld (DNS challenge) and I use it to connect to poste.io, which listens on port 80; I have specific labels that allow me (based on the FQDN) to access the webmail or the admin interface.
- I use some specific Traefik labels to redirect anything for *.mydomain.tld/.well-known/ on port 80 to port 80 of the poste.io container, to allow poste.io to generate the appropriate certificate with its own ACME client (HTTP challenge).
- As I said previously (first post), poste.io is able to handle the certificate for mail.mydomain.tld with its own ACME client, but when I add alternate names (imap.my.domain and smtp.my.domain) it stops without error at
[2019-04-15 17:39:32] LEScript.INFO: Token for smtp.my.dom saved at /opt/www//.well-known/acme-challenge/iFEmpkv1TihhDNt8RJ9WJvTo29gQtkozgpZ_fqhpZ8Q and should be available at http://smtp.my.dom/.well-known/acme-challenge/iFEmpkv1TihhDNt8RJ9WJvTo29gQtkozgpZ_fqhpZ8Q
and does not go further; then I receive an email in the admin mailbox telling me that there is an error (the same as the output of the "Let's Encrypt" section of your mailserver).
Here is my docker-compose file for poste.io:
version: "3"
services:
  poste.io:
    image: analogic/poste.io
    container_name: poste.io
    hostname: mail.mydomain.tld
    volumes:
      - /lab/docker-host-volumes/poste.io/data:/data
      - /etc/localtime:/etc/localtime:ro
    networks:
      - traefik
    ports:
      - '25:25'    # SMTP - mostly processing incoming mails
      #- '8181:80'  # HTTP - redirect to https (see options) and authentication for Let's encrypt service
      #- '110:110'  # POP3 - standard protocol for accessing mailbox, STARTTLS is required before client auth
      #- '143:143'  # IMAP - standard protocol for accessing mailbox, STARTTLS is required before client auth
      #- '4443:443' # HTTPS - access to administration or webmail client
      - '587:587'  # MSA - SMTP port used primarily for email clients after STARTTLS and auth
      - '993:993'  # IMAPS - alternative port for IMAP encrypted since connection
      #- '995:995'  # POP3S - encrypted POP3 since connections
    environment:
      - HOSTNAME=mail.mydomain.tld
      - HTTPS=OFF
      - DISABLE_CLAMAV=TRUE
      - LETSENCRYPT_EMAIL=postmaster@mydomain.tld
      - LETSENCRYPT_HOST=mail.mydomain.tld
      - VIRTUAL_HOST=mail.mydomain.tld
    restart: always
    labels:
      - "traefik.posteioacme.backend.posteioacme"
      - "traefik.posteioacme.frontend.rule=HostRegexp:mydomain.tld,{subdomain:[a-z]*}.mydomain.tld;PathPrefix:/.well-known/"
      - "traefik.posteioacme.port=80"
      - "traefik.posteioacme.protocol=http"
      - "traefik.posteioacme.frontend.entryPoints=http"
      - "traefik.webmail.backend=webmail"
      - "traefik.webmail.frontend.rule=Host:webmail.mydomain.tld"
      - "traefik.webmail.frontend.redirect.regex=webmail.mydomain.tld/admin"
      - "traefik.webmail.frontend.redirect.replacement=webmail.mydomain.tld/webmail"
      - "traefik.webmail.port=80"
      - "traefik.webmail.frontend.headers.SSLRedirect=true"
      - "traefik.admin.backend=posteio"
      - "traefik.admin.frontend.rule=Host:posteio.mydomain.tld"
      - "traefik.admin.frontend.redirect.regex=posteio.mydomain.tld/webmail"
      - "traefik.admin.frontend.redirect.replacement=posteio.mydomain.tld/admin/"
      - "traefik.admin.frontend.whiteList.sourceRange=xxxxxxxxxxxxxxxxxxxxxxxxxxx"
      - "traefik.admin.port=80"
      - "traefik.admin.frontend.headers.SSLRedirect=true"
      - "traefik.enable=true"
networks:
  traefik:
    external:
      name: traefik-net
With this setup:
* I can connect to the webmail and the admin interface.
* The poste.io integrated ACME client is able to handle a certificate for mail.mydomain.tld.
* The poste.io integrated ACME client is not able to handle a certificate for imap.mydomain.tld and smtp.mydomain.tld.
* Everything works correctly: I can use SMTPS and IMAPS from anywhere, but I cannot use the specific aliases I have created in my public DNS zone for imap and smtp, otherwise I get a certificate error for smtp.mydomain.tld and imap.mydomain.tld.
Your suggestions:
- I can't see anything in my firewall logs that shows LE connections being blocked. As I said in my first post, when the poste.io integrated ACME client generates the token for smtp.mydomain.tld (I repeat, this is an alternate name) I can access it from anywhere on earth (I have tried from my hp, my company and so on), so I can conclude that Traefik perfectly handles the bypass to the poste.io integrated ACME client (HTTP challenge).
- On the other hand, the server connection diagnostics has always shown a red alert:
Intermediate remark:
- In the context of Traefik generating certificates with the DNS challenge, this docker-compose file for poste.io could be included in your documentation if you wish.
- Traefik is getting really popular these days.
- When Traefik 2.0 is released, I will update this docker-compose file, and I guess it will be easier to handle these cases where containers must use their internal ACME client.
Back to the original issue:
- SH, what do you think about my issue (the ACME client process stops without any valid reason; my server connection diagnostic)?
Thank you very much for your help
Best regards,
Today I've got an email from the poste.io container after the Let's Encrypt failure (before, the process stopped without any alert from poste.io) to add the first alternate name "smtp.mydomain.tld":
06:26:06 ERROR [app] Please check http://smtp.mydomain.tld/.well-known/acme-challenge/eiUTi6IQD5wH9nks2biCBHST_fFboXO2IzW--jgJgM0 - token not available
06:26:06 ERROR [app] #0 /opt/admin/src/AppBundle/Handler/LeHandler.php(61): Analogic\ACME\Lescript->signDomains(Array)
06:26:06 ERROR [app] #1 /opt/admin/src/AppBundle/CommandInternal/RenewCommand.php(30): AppBundle\Handler\LeHandler->renew()
06:26:06 ERROR [app] #2 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/Console/Command/Command.php(255): AppBundle\CommandInternal\RenewCommand->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
06:26:06 ERROR [app] #3 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/Console/Application.php(978): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
06:26:06 ERROR [app] #4 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/Console/Application.php(255): Symfony\Component\Console\Application->doRunCommand(Object(AppBundle\CommandInternal\RenewCommand), Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
06:26:06 ERROR [app] #5 /opt/admin/src/AppBundle/CommandInternal/Application.php(79): Symfony\Component\Console\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
06:26:06 ERROR [app] #6 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/Console/Application.php(148): AppBundle\CommandInternal\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
06:26:06 ERROR [app] #7 /opt/admin/bin/mailserver(16): Symfony\Component\Console\Application->run(Object(Symfony\Component\Console\Input\ArgvInput))
06:26:06 ERROR [app] #8 {main}
Maybe this information is helpful to diagnose the issue...
Best regards,
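As an added illustration (not code from poste.io or from the reporter), the following script mimics the self-check that produces the "token not available" error above: it writes a token under the webroot and then fetches it through every name that will go into the certificate, so a SAN whose /.well-known/ path the proxy routes somewhere else is caught before the CA is asked. All host names and the fake fetcher are constructed; in a real run the fetcher would be built on urllib.request.urlopen.

```python
import os
import tempfile
from typing import Callable, Dict, List

# Hypothetical re-creation of the self-check an HTTP-01 ACME client (such as
# the LEScript client inside poste.io) runs before asking the CA to validate:
# drop the token into the webroot, fetch its own public URL, compare.

CHALLENGE_DIR = ".well-known/acme-challenge"  # path seen in the log above

def parse_san_input(text: str) -> List[str]:
    """Alternative names come from a one-per-line text field; strip blank
    lines and stray whitespace so CRLF endings cannot corrupt a name."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def preflight(common_name: str, san_text: str, webroot: str,
              fetch: Callable[[str], str],
              token: str = "constructed-token") -> Dict[str, str]:
    """Place one token file, then fetch it via every name that will go into
    the certificate. A name routed to the wrong backend comes back as
    'token not available', the wording of the poste.io error mail."""
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    with open(os.path.join(challenge_path, token), "w") as fh:
        fh.write(token)
    results: Dict[str, str] = {}
    for name in [common_name] + parse_san_input(san_text):
        url = f"http://{name}/{CHALLENGE_DIR}/{token}"
        try:
            body = fetch(url)
        except OSError as exc:  # DNS failure, connection refused, timeout
            results[name] = f"unreachable: {exc}"
            continue
        results[name] = "ok" if body.strip() == token else "token not available"
    return results

def demo() -> Dict[str, str]:
    """Constructed scenario: the proxy forwards the mail host to the
    container, serves the webmail page for the smtp alias (wrong rule)
    and has no route at all for the imap alias."""
    routed = {"mail.my.dom": "constructed-token",
              "smtp.my.dom": "<html>webmail login</html>"}
    def fake_fetch(url: str) -> str:
        host = url.split("/")[2]  # scheme://host/... -> host
        if host not in routed:
            raise OSError("no route to host")
        return routed[host]
    with tempfile.TemporaryDirectory() as tmp:
        return preflight("mail.my.dom", "smtp.my.dom\r\nimap.my.dom\r\n",
                         tmp, fake_fetch)
```

Running this from inside the container as well as from outside separates a proxy routing problem from a hairpin problem: the CA fetches from outside, but the client's own self-check fetches from inside.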
Hi again, can anyone confirm that the poste.io ACME client is able to get Let's Encrypt certificates with alternate names?
Thanks in advance.
Best regards.