mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

ACME: Challenge did not pass #2988

Closed romprod closed 4 years ago

romprod commented 4 years ago

Prior to placing the issue, please check the following: (fill out each checkbox with a X once done)

    • [X] In case of WebUI issue, I have tried clearing the browser cache and the issue persists.
    • [ ] I do run mailcow on a Synology, QNAP or any other sort of NAS.

Description of the bug: What kind of issue have you exactly come across?

Unable to complete cert request which then loops after 30 minutes

Reproduction of said bug: How exactly do you reproduce the bug?

  1. Start the acme-mailcow container

System information

Tue Oct  1 17:42:28 BST 2019 - Waiting for Docker API...OK
Tue Oct  1 17:42:28 BST 2019 - Waiting for database... Uptime: 82992  Threads: 29  Questions: 163533  Slow queries: 0  Opens: 60  Flush tables: 1  Open tables: 52  Queries per second avg: 1.970
OK
Tue Oct  1 17:42:28 BST 2019 - Waiting for Nginx... OK
Tue Oct  1 17:42:28 BST 2019 - Waiting for domain table... OK
Tue Oct  1 17:42:28 BST 2019 - Initializing, please wait... 
Tue Oct  1 17:42:28 BST 2019 - Using existing domain key /var/lib/acme/acme/key.pem
Tue Oct  1 17:42:28 BST 2019 - Using existing Lets Encrypt account key /var/lib/acme/acme/account.pem
Tue Oct  1 17:42:28 BST 2019 - Detecting IP addresses... OK
Validated CAA for parent domain fred.it
Tue Oct  1 17:42:47 BST 2019 - Found A record for autodiscover.fred.it: 8.8.8.8
(skipping check, returning 0)
Tue Oct  1 17:42:47 BST 2019 - Confirmed A record 8.8.8.8, adding SAN
Tue Oct  1 17:42:47 BST 2019 - Found A record for autoconfig.fred.it: 8.8.8.8
(skipping check, returning 0)
Tue Oct  1 17:42:47 BST 2019 - Confirmed A record 8.8.8.8, adding SAN
Tue Oct  1 17:42:47 BST 2019 - Found A record for mail.fred.it: 8.8.8.8
(skipping check, returning 0)
Tue Oct  1 17:42:47 BST 2019 - Confirmed A record 8.8.8.8
Tue Oct  1 17:42:48 BST 2019 - Found new SAN autoconfig.fred.it autodiscover.fred.it
Tue Oct  1 17:42:48 BST 2019 - Creating backups in /var/lib/acme/backups/2019-10-01_17_42_48/ ...
Parsing account key...
Parsing CSR...
Found domains: autodiscover.fred.it, mail.fred.it, autoconfig.fred.it
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying autoconfig.fred.it...
Traceback (most recent call last):
  File "/usr/bin/acme-tiny", line 10, in <module>
    sys.exit(main())
  File "/usr/lib/python3.7/site-packages/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/lib/python3.7/site-packages/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for autoconfig.fred.it: {'identifier': {'type': 'dns', 'value': 'autoconfig.fred.it'}, 'status': 'invalid', 'expires': '2019-10-08T16:32:17Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': 'Invalid response from http://autoconfig.fred.it/.well-known/acme-challenge/ejG-wVfy85jMG_do9Y-JVMin2oJT_nsP7Jybc-2P0IE [8.8.8.8]: 404', 'status': 403}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/587523149/Ul9K8Q', 'token': 'ejG-wVfy85jMG_do9Y-JVMin2oJT_nsP7Jybc-2P0IE', 'validationRecord': [{'url': 'http://autoconfig.fred.it/.well-known/acme-challenge/ejG-wVfy85jMG_do9Y-JVMin2oJT_nsP7Jybc-2P0IE', 'hostname': 'autoconfig.fred.it', 'port': '80', 'addressesResolved': ['8.8.8.8'], 'addressUsed': '8.8.8.8'}]}, {'type': 'dns-01', 'status': 'invalid', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/587523149/zP849w', 'token': 'ejG-wVfy85jMG_do9Y-JVMin2oJT_nsP7Jybc-2P0IE'}, {'type': 'tls-alpn-01', 'status': 'invalid', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/587523149/zsk52w', 'token': 'ejG-wVfy85jMG_do9Y-JVMin2oJT_nsP7Jybc-2P0IE'}]}
Tue Oct  1 17:42:55 BST 2019 - Retrying in 30 minutes...

I've tried each of the following settings but the HTTP validation always fails.

# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
SKIP_LETS_ENCRYPT=n
# Skip IPv4 check in ACME container - y/n
SKIP_IP_CHECK=n
# Skip HTTP verification in ACME container - y/n
SKIP_HTTP_VERIFICATION=n

Further information (where applicable):

Question Answer
My operating system Ubuntu 19.04
Is Apparmor, SELinux or similar active? Don't think so
Virtualization technology (KVM, VMware, Xen, etc) None
Server/VM specifications (Memory, CPU Cores) 8GB RAM, 3rd Gen Intel
Docker Version (docker version) 19.03.2
Docker-Compose Version (docker-compose version) 1.23.2, build 1110ad01
Reverse proxy (custom solution) Traefik 2.0.1

I've changed the domain name and IP address in the above log.

Traefik v2.0.1 is set to redirect http to https.

When I go to http://autoconfig.fred.it/.well-known/acme-challenge/ejG-wVfy85jMG_do9Y-JVMin2oJT_nsP7Jybc-2P0IE it redirects to https://autoconfig.fred.it/.well-known/acme-challenge/ejG-wVfy85jMG_do9Y-JVMin2oJT_nsP7Jybc-2P0IE and I can see the file correctly.

I understand the HTTP challenge is ok being redirected to HTTPS as per https://letsencrypt.org/docs/challenge-types/

This may be the same issue as #2748, but I've checked the Nginx config and I don't have the extra section which has been fixed here #2736

I'm running the latest Mailcow version, which has just been updated this morning using the update script.
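For anyone debugging this class of failure, the following is an added example (not part of this issue, mailcow or acme-tiny) that re-runs the http-01 check the way an ACME CA does it, so the "Challenge did not pass" result can be reproduced from any host. What it assumes is only what RFC 8555 and RFC 7638 specify: the token is published under /.well-known/acme-challenge/, the responder must answer with the key authorization "<token>.<thumbprint>", the thumbprint is SHA-256 over the canonical JSON of the account key's required JWK members, and redirects (including HTTP to HTTPS) are followed before the final status and body are judged. The script name http01_check.py, the function names and the sample JWK values are the example's own.

```python
"""Re-run the http-01 check the way an ACME CA does it (added example).

Assumed, per RFC 8555 section 8.3 and RFC 7638: the CA fetches
http://<host>/.well-known/acme-challenge/<token>, follows redirects, and
requires a 200 whose body is exactly "<token>.<account key thumbprint>".
"""
from __future__ import annotations

import base64
import hashlib
import json
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the public
    JWK, i.e. required members only, keys sorted, no whitespace. Optional
    members such as "alg" or "use" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """The exact body the CA expects at the challenge URL."""
    return f"{token}.{thumbprint}"


def judge(status: int, body: str, token: str, thumbprint: str) -> tuple[bool, str]:
    """Decide as the validator does: only a 200 whose body is the key
    authorization passes. Reasons name the usual proxy misrouting symptoms."""
    if status == 404:
        return False, ("404 at the challenge path: the request (or its redirect "
                       "target) reached a backend that does not hold the token, "
                       "e.g. a catch-all location or a different service")
    if status != 200:
        return False, f"unexpected final status {status}"
    if body.strip() != key_authorization(token, thumbprint):
        return False, "200 but body is not <token>.<thumbprint>: stale token or wrong account key"
    return True, "challenge response is valid"


def fetch(url: str, timeout: float = 10.0) -> tuple[int, str, str]:
    """GET following redirects (urllib does so by default, HTTP->HTTPS included).
    Returns (status, body, final_url); 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), resp.geturl()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace"), err.geturl()


def check_host(hostname: str, token: str, thumbprint: str) -> tuple[bool, str]:
    """Live check against a real host (needs network; not run by the offline test)."""
    status, body, final_url = fetch(f"http://{hostname}{CHALLENGE_PREFIX}{token}")
    ok, reason = judge(status, body, token, thumbprint)
    return ok, f"{reason} (final URL: {final_url})"


if __name__ == "__main__":
    import sys
    # Hypothetical usage:
    #   python3 http01_check.py mail.example.test <token> account-public-jwk.json
    host, tok, jwk_path = sys.argv[1:4]
    with open(jwk_path, encoding="utf-8") as fh:
        print(check_host(host, tok, jwk_thumbprint(json.load(fh))))
```

Run it from outside the network with the token from a failing attempt while the acme container is still serving it. The final URL in the result shows where the redirect chain actually ended: a redirect to HTTPS on the same host is acceptable, as the Let's Encrypt documentation cited above says, but a 404 at the end means whatever answered that final URL is not the container that wrote the token, which is the condition the log excerpts in this thread report.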

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Open2Serve commented 3 years ago

Up, I am a new user ( mailcow fan ), I have exactly the same problem

Fri Apr 9 07:30:03 CEST 2021 - Certificate /var/lib/acme/mail.jemail.be/cert.pem missing or changed domains 'mail.jemail.be' - start obtaining
Fri Apr 9 07:30:03 CEST 2021 - Checking resolver...
Fri Apr 9 07:30:03 CEST 2021 - Resolver OK
Parsing account key...
Parsing CSR...
Found domains: mail.jemail.be
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying mail.jemail.be...
Traceback (most recent call last):
  File "/usr/bin/acme-tiny", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.8/site-packages/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/lib/python3.8/site-packages/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for mail.jemail.be: {'identifier': {'type': 'dns', 'value': 'mail.jemail.be'}, 'status': 'invalid', 'expires': '2021-04-16T05:30:07Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': 'Invalid response from http://mail.jemail.be/.well-known/acme-challenge/0yWIOTyMlkcuyAanSDOo40XeiXqOG3iB8n53_NfFLs8 [xxxx]: "\r\n404 Not Found\r\n\r\n404 Not Found\r\nopenresty</cente"', 'status': 403}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/12197037820/7J7iFA', 'token': '0yWIOTyMlkcuyAanSDOo40XeiXqOG3iB8n53_NfFLs8', 'validationRecord': [{'url': 'http://mail.jemail.be/.well-known/acme-challenge/0yWIOTyMlkcuyAanSDOo40XeiXqOG3iB8n53_NfFLs8', 'hostname': 'mail.jemail.be', 'port': '80', 'addressesResolved': ['xxxx'], 'addressUsed': 'xxxx'}], 'validated': '2021-04-09T05:30:09Z'}]}
Fri Apr 9 07:30:11 CEST 2021 - Failed to obtain certificate /var/lib/acme/mail.jemail.be/cert.pem for domains 'mail.jemail.be'
OK
Fri Apr 9 07:30:11 CEST 2021 - Some errors occurred, retrying in 30 minutes...

andryyy commented 3 years ago

Hi, you have an openresty server in front of your mailcow that's not configured correctly. And also not supported by us. It can absolutely work, but we don't provide example configs.

Open2Serve commented 3 years ago

Can I still ask you a question? ( 2 ;) ) Maybe the reason is I've location / { redirect } to forward my client directly to SOGo?


andryyy commented 3 years ago

I would love to help, but I have no clue. Isn't it basically Nginx? Excuse my ignorance. :-)