SSL fails for all domains if a single domain fails LetsEncrypt challenge #2467

Closed
5 of 7 tasks
bluepuma77 opened this issue Oct 5, 2022 · 1 comment · Fixed by #2468
Labels: priority/p1 (Critical) bug with workaround / Should have; type/bug Bug. Not working as intended

Comments

@bluepuma77

Before you open your issue

  • Check if no issue or pull-request for this already exists.
  • Check documentation and FAQ.
  • You understand Mailu is made by volunteers in their free time — be concise, civil and accept that delays can occur.
  • The title of the issue should be short and simple.

Environment & Versions

Environment

  • docker compose
  • kubernetes
  • docker swarm

Versions

1.9

Description

I used the Mailu setup utility to create a docker-compose.yml with multiple email domains. Turns out not all domains were already pointing to the server IP, so some challenges failed. This leads to nginx closing port 443. So even the main domain is not reachable via SSL.

After removing the non-working domains the cert is created successfully and SSL is working.

Replication Steps

Create a new mailu setup, add multiple domains of which some are not pointing to the server.

Expected behaviour

There should be a certificate for the domains that are reachable and nginx should make those accessible with SSL on port 443.

Logs

```
2022-10-05T19:47:24.203180336Z   Domain: email.example.com
2022-10-05T19:47:24.203182530Z   Type:   dns
2022-10-05T19:47:24.203184754Z   Detail: no valid A records found for email.example.com; no valid AAAA records found for email.example.com
2022-10-05T19:47:24.203187149Z
2022-10-05T19:47:24.203189393Z Hint: The Certificate Authority couldn't exterally verify that the standalone plugin completed the required http-01 challenges. Ensure the plugin is configured correctly and that the changes it makes are accessible from the internet.
2022-10-05T19:47:24.203192008Z
2022-10-05T19:47:24.702017069Z 2022/10/05 21:47:24 [notice] 1#1: signal 1 (SIGHUP) received from 22, reconfiguring
2022-10-05T19:47:24.702118810Z 2022/10/05 21:47:24 [notice] 1#1: reconfiguring
2022-10-05T19:47:24.705542967Z 2022/10/05 21:47:24 [warn] 1#1: conflicting server name "" on 0.0.0.0:80, ignored
2022-10-05T19:47:24.705911789Z 2022/10/05 21:47:24 [notice] 1#1: using the "epoll" event method
2022-10-05T19:47:24.706081756Z 2022/10/05 21:47:24 [notice] 1#1: start worker processes
2022-10-05T19:47:24.706331032Z 2022/10/05 21:47:24 [notice] 1#1: start worker process 23
2022-10-05T19:47:24.706639951Z 2022/10/05 21:47:24 [notice] 1#1: start worker process 24
2022-10-05T19:47:24.706852248Z 2022/10/05 21:47:24 [notice] 1#1: start worker process 25
2022-10-05T19:47:24.730032307Z Hook 'post-hook' ran with output:
2022-10-05T19:47:24.730052144Z  Missing cert or key file, disabling TLS
2022-10-05T19:47:24.730291842Z Hook 'post-hook' ran with error output:
2022-10-05T19:47:24.730302613Z  nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
2022-10-05T19:47:24.732101009Z Some challenges have failed.
2022-10-05T19:47:24.732342892Z Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
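The log above shows the failure mode: one name in HOSTNAMES has no A/AAAA records, the single multi-domain certbot order fails, and the post-hook disables TLS for every domain. As an added example (not Mailu's own code and not the fix in #2468), the pre-flight check below splits the configured hostnames into names whose DNS records point at this server and names that do not, so only the reachable ones are passed to certbot and one broken domain cannot sink the whole order. The resolver signature, the server IP list and the sample DNS data are assumptions constructed for the example.

```python
"""Pre-flight check before a multi-domain certbot request (added example, not
Mailu's code): drop HOSTNAMES whose A/AAAA records do not point at this server,
so one misconfigured domain cannot fail the whole order and leave nginx without
a certificate, the failure mode described in the issue."""
import socket
from typing import Callable, Iterable

# Assumed resolver signature: hostname -> set of address strings (empty if none).
Resolver = Callable[[str], set]


def system_resolver(name: str) -> set:
    """Resolve A and AAAA records through the system resolver (live DNS)."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def split_hostnames(hostnames: Iterable[str], server_ips: set,
                    resolve: Resolver = system_resolver) -> tuple:
    """Return (reachable, unreachable): a name is reachable when at least one
    of its A/AAAA records is one of this server's public addresses."""
    reachable, unreachable = [], []
    for name in hostnames:
        (reachable if resolve(name) & server_ips else unreachable).append(name)
    return reachable, unreachable


def certbot_domain_args(reachable: list) -> list:
    """-d arguments for the certificate request; empty when nothing is reachable."""
    return [arg for name in reachable for arg in ("-d", name)]


# Constructed sample DNS data mirroring the issue: the main domain resolves to
# this server, one name has no A/AAAA records at all, one points elsewhere.
SAMPLE_DNS = {
    "mail.example.com": {"203.0.113.10"},
    "email.example.com": set(),
    "imap.example.net": {"198.51.100.7"},
}
SERVER_IPS = {"203.0.113.10"}


def sample_resolver(name: str) -> set:
    """Offline resolver over the constructed data, used instead of live DNS."""
    return SAMPLE_DNS.get(name, set())


if __name__ == "__main__":
    ok, bad = split_hostnames(SAMPLE_DNS, SERVER_IPS, sample_resolver)
    print("request cert for:", ok, "| skipped until DNS is fixed:", bad)
    print("certbot", *certbot_domain_args(ok))
```

Names that land in the unreachable list should be logged and retried on the next renewal run rather than aborting the whole request.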
@nextgens nextgens added priority/p1 (Critical) bug with workaround / Should have type/bug Bug. Not working as intended labels Oct 8, 2022
bors bot added a commit that referenced this issue Oct 8, 2022
2468: Ensure that Mailu keeps working even if it can't obtain a certificate from LE r=mergify[bot] a=nextgens

## What type of PR?

bug-fix

## What does this PR do?

Ensure that Mailu keeps working even if it can't obtain a certificate from letsencrypt for one of the HOSTNAMES

Without this, TLS configuration would fail and Mailu would operate without TLS completely.

I haven't tested it but thought this used to work previously... maybe certbot has changed something

### Related issue(s)
- closes #2467

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
@bors bors bot closed this as completed in #2468 Oct 8, 2022
@nextgens (Contributor)

nextgens commented Oct 9, 2022

A fix has been released in v1.9.37

The previous status quo (where Mailu would start but disable TLS) was indeed unacceptable.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 16, 2024