mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0
8.9k stars, 1.17k forks

http validation failure while using custom site template #4341

Status: Closed (closed by igregma 2 years ago)

igregma commented 2 years ago

I'm using a site configured as ADDITIONAL SAN with the custom nginx template mentioned here: https://mailcow.github.io/mailcow-dockerized-docs/u_e-nginx/

My problem: because of the http redirect block (which I want to use)

```nginx
location / {
  return 301 https://$host$uri$is_args$args;
}
} # closes the surrounding server block
```

the HTTP validation for Let's Encrypt always fails ("Confirmed A record with IP X.X.X.X, but HTTP validation failed"). Removing the redirect - instant success. Any idea how to fix this?

andryyy commented 2 years ago

Hey, please don't skip the issue template.

Check mailcow.conf for ADDITIONAL_SERVER_NAMES and add the additional SAN there.

igregma commented 2 years ago

My mistake, you're right with the template - sorry :-(

Your idea does not change anything, still validation failure. Think the redirect to https works before anything else, so no chance to validate http?

andryyy commented 2 years ago

Did you run up -d after changing the file?

andryyy commented 2 years ago

Oh and please also run docker-compose restart acme-mailcow. Do you have a reverse proxy in front of your mailcow?

igregma commented 2 years ago

yes, did everything.. up -d, restart nginx and acme :-/ No, no proxy. Configured are 4 domains (with subdomains), all working like a charm. Just the one I want to use with own nginx config / own root is the troublemaker.

andryyy commented 2 years ago

Can you post the config? 🙂


igregma commented 2 years ago
```ini
# Additional SAN for the certificate
#
# You can use wildcard records to create specific names for every domain you add to mailcow.
# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
#ADDITIONAL_SAN=imap.*,smtp.*
# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "imap.example.net"
# plus every domain you add in the future.
#
# You can also just add static names...
#ADDITIONAL_SAN=srv1.example.net
# ...or combine wildcard and static names:
#ADDITIONAL_SAN=imap.*,srv1.example.com
#

ADDITIONAL_SAN=www.*,autoconfig.*,autodiscover.*,webmail.MYDOMAIN1.net,MYDOMAIN2.de,MYDOMAIN1.net

# Additional server names for mailcow UI
#
# Specify alternative addresses for the mailcow UI to respond to
# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
# You can understand this as server_name directive in Nginx.
# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f

ADDITIONAL_SERVER_NAMES=webmail.MYDOMAIN1.net,MYDOMAIN1.com,www.MYDOMAIN1.com

# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n

SKIP_LETS_ENCRYPT=n

# Create seperate certificates for all domains - y/n
# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
# see https://wiki.dovecot.org/SSL/SNIClientSupport
ENABLE_SSL_SNI=n

# Skip IPv4 check in ACME container - y/n

SKIP_IP_CHECK=n

# Skip HTTP verification in ACME container - y/n

SKIP_HTTP_VERIFICATION=n
```

andryyy commented 2 years ago

Oh, sorry. I mean the Nginx site you added.

Can you check the current docs for the HTTPS redirect, too? Make sure you aren't using an older version of that redirect config. Any other sites or modifications on mailcow's Nginx?


igregma commented 2 years ago

Oh ok, here we go... think that is the right redir conf?!

```nginx
server {
  ssl_certificate /etc/ssl/mail/cert.pem;
  ssl_certificate_key /etc/ssl/mail/key.pem;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;
  index index.php index.html;
  client_max_body_size 0;
  root /web/domain1;
  include /etc/nginx/conf.d/listen_plain.active;
  include /etc/nginx/conf.d/listen_ssl.active;
  server_name MYDOMAIN1.com www.MYDOMAIN1.com;
  server_tokens off;

  # This allows acme to be validated even with a different web root
  location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    rewrite /.well-known/acme-challenge/(.*) /$1 break;
    root /web/.well-known/acme-challenge/;
  }

  if ($scheme = http) {
    return 301 https://$server_name$request_uri;
  }
}
```

igregma commented 2 years ago

Testing a little bit... Without the https redirect for the custom site I get a 404 while testing with `docker-compose exec acme-mailcow curl -4 http://MYDOMAIN1.com/.well-known/acme-challenge/1 --write-out %{http_code}`

With the redirect it's a 301. Have no clue why... the nginx conf seems to be fine?!

Nginx log shows the 301 for acme too:

```
nginx-mailcow_1 | 172.22.1.1 - - [28/Nov/2021:13:45:07 +0100] "GET /.well-known/acme-challenge/1584023223678 HTTP/1.1" 301 162 "-" "curl/7.79.1" "-"
```
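The 301 in the log line above is the diagnostic that matters: an HTTP-01 challenge request is being redirected before it reaches the `location ^~ /.well-known/acme-challenge/` block. As an added example (not part of this issue or of mailcow's own code), the script below parses nginx access-log lines in the format shown in the thread, with or without the `nginx-mailcow_1 |` docker-compose prefix, and flags every challenge request that got a 3xx answer. The sample log lines are constructed for the example; the function and variable names are my own.

```python
import re

# Constructed sample lines in the access-log format seen in the thread
# (optional docker-compose service prefix, then nginx's combined-style fields).
SAMPLE_LOG = """\
nginx-mailcow_1 | 172.22.1.1 - - [28/Nov/2021:13:45:07 +0100] "GET /.well-known/acme-challenge/1584023223678 HTTP/1.1" 301 162 "-" "curl/7.79.1" "-"
172.22.1.1 - - [28/Nov/2021:14:39:33 +0100] "GET /.well-known/acme-challenge/166621389424339 HTTP/1.1" 301 162 "-" "curl/7.79.1" "-"
172.22.1.1 - - [28/Nov/2021:15:02:11 +0100] "GET /.well-known/acme-challenge/abc123 HTTP/1.1" 404 153 "-" "curl/7.79.1" "-"
203.0.113.9 - - [28/Nov/2021:15:02:12 +0100] "GET /index.html HTTP/1.1" 301 162 "-" "Mozilla/5.0" "-"
this line is not an access-log entry
"""

ACME_PREFIX = "/.well-known/acme-challenge/"

# Optional "<service> | " prefix, then client IP, ident, user, [time], "METHOD path PROTO", status.
LOG_RE = re.compile(
    r'^(?:\S+ \| )?(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip/time/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def challenge_verdict(status):
    """Classify the status an HTTP-01 challenge request received.

    3xx  -> "redirected": a server-level HTTP->HTTPS rule ran before the
            acme-challenge location, which is exactly the failure in this issue.
    200  -> "reachable": the token file was served.
    404  -> "reachable": the request reached the challenge location; there is
            simply no token file right now (what the thread saw without the redirect).
    """
    if 300 <= status < 400:
        return "redirected"
    if status in (200, 404):
        return "reachable"
    return "unexpected"


def redirected_challenges(log_text):
    """Return (path, status) for every acme-challenge request answered with a 3xx."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ACME_PREFIX):
            continue
        if challenge_verdict(rec["status"]) == "redirected":
            hits.append((rec["path"], rec["status"]))
    return hits


if __name__ == "__main__":
    for path, status in redirected_challenges(SAMPLE_LOG):
        print(f"challenge redirected ({status}): {path}")
```

Feed it real output from `docker-compose logs nginx-mailcow` on stdin and any hit means the redirect is still winning over the challenge location. The reason is nginx's processing order: `if`, `return` and `rewrite` directives placed directly in a `server` block run in the server-level rewrite phase, before nginx picks a `location`, so they apply to the challenge path as well; nesting the redirect inside `location /` lets the `^~ /.well-known/acme-challenge/` prefix match take precedence.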

andryyy commented 2 years ago

Can you try with `root /web;` instead of `root /web/.well-known/acme-challenge/;` in the location?

I am on mobile, cannot format it better.

igregma commented 2 years ago

Did not change anything, the custom site still gets a 301 redirect for the acme dir :-(

```
172.22.1.1 - - [28/Nov/2021:14:39:33 +0100] "GET /.well-known/acme-challenge/166621389424339 HTTP/1.1" 301 162 "-" "curl/7.79.1" "-"
```

igregma commented 2 years ago

I debugged the nginx config a little bit and was able to fix the problem! The trick is to wrap the https redirect in a "location" block:

```nginx
  location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    rewrite /.well-known/acme-challenge/(.*) /$1 break;
    root /web/.well-known/acme-challenge/;
  }

  location / {
    root /web/xyz;
    if ($scheme = http) {
      return 301 https://$server_name$request_uri;
    }
  }
} # closes the surrounding server block
```