LetsEncrypt stopped working with error: Cannot validate argument on parameter 'Value'. | MDaemon Technologies, Ltd.



  • Hello All, 

    We have a mail server that's been running fine for about 6 months or more; however, for no reason that I can discern, the SSL LetsEncrypt function no longer works. We are licensed and fully up to date, I believe.

    MDaemon Server (64-bit)
    
     SMTP/POP/IMAP server: v23.0.2
      Webmail HTTP server: v23.0.2
      Webmail DLL: v23.0.2
      MDaemon Instant Messenger client: v22.0.1
      Content filter server: v23.0.2
      Content filter DLL: v23.0.2
      Content filter GUI: v23.0.2
    
      Calendar API (MDCalendar.dll): v23.0.2
      Mailing list API (MDList.dll): v23.0.2
      Original "Flat-File" API (MDUser.dll): v23.0.2
      COM/DCOM API (MDUserCOM.dll): v23.0.2
      LDAP API (MDUserLDAP.dll): v23.0.2
      ODBC/SQL API (MDUserODBC.dll): v23.0.2
      Cluster Service (64bit) (ClstrSvc.dll): 23.0.2.2
      Dynamic Screening (64bit) (DynScrn.dll): 23.0.2.6
      ActiveSync Mgmt Module (64bit) (MDASMgmt.dll): 23.0.2.15
      AutoDiscovery Service (64bit) (MDAutoDiscover.dll): 23.0.2.3
      Message Indexing (64bit) (MdMbSrch.dll): 23.0.2.2
      Management Web Service (64bit) (MDMgmtWS.dll): 23.0.2.4
      MDPGP (mdpgp.dll): 23.0.2
      MDOP (mdop.dll): 1.3.8
      ActiveSync (MDAirSync.dll): v23.0.2.36
      NT/2K/XP utility API (NTUtil.dll): v23.0.2
      DKIM API (LibDKIM.dll): v1.0.21
      AntiSpam server daemon (MDSpamD): v3.4.4
      CalDAV/CardDAV (MDWebDAV.dll): v23.0.2
      XMPP server (WCXMPPServer.exe): v23.0.2
    
    MDaemon AntiVirus:
    
      AV overall system: v23.0.2
      AV engine source: MDaemon Technologies, Ltd
      AV last virus update: 2023-08-04 07:46:24
      Outbreak Protection (MDOP.dll): v1.3.8
    
    MDaemon Connector:
    
      Plug-in: v7.0.7
    
    Remote Administration Server:
    
      HTTP server: v23.0.2


    When I run the script manually I get the following:

    Starting Script run at 08/04/2023 10:50:08.
    
    Checking HKLM:\SOFTWARE\Alt-N Technologies\MDaemon
    Checking HKLM:\SOFTWARE\Alt-N Technologies\MDaemon
    Checking HKLM:\SOFTWARE\Alt-N Technologies\WebAdmin
    Checking HKLM:\SOFTWARE\Alt-N Technologies\WebAdmin
    Starting Script run at 08/04/2023 10:50:08.
    Get the MDaemon paths.
    The MDaemon.ini Path is D:\MDaemon\App\MDaemon.ini.
    The MDaemon APP Path is D:\MDaemon\App\.
    The MDaemon Pem path is D:\MDaemon\PEM\.
    The MDaemon Log path is D:\MDaemon\Logs\.
    The MDaemon RAW path is D:\MDaemon\Queues\Raw\.
    The WorldClient Path is D:\MDaemon\WorldClient.
    The WorldClient HTML Path is D:\MDaemon\WorldClient\HTML.
    The well-known path is D:\MDaemon\WorldClient\HTML\.well-known.
    The Acme-Challenge path is D:\MDaemon\WorldClient\HTML\.well-known\Acme-challenge.
    The State Path is D:\MDaemon\PEM\_LEState.
    The FQDN is set to mail2.kee.go.ug.
    The email address is set to postmaster@mail2.kee.go.ug.
    Setting the system to use the LetsEncrypt Live Service.
    The certificate thumbrpint in the MDaemon.ini file is XXXX XXXX XXXX ECA3 46B3 3DCF 1975.
    Looking for the local certificate.
    The certificate is not from LetsEncrypt, requesting a new certificate.
    Importing the ACMESharp module.
    Getting an updated state.
    The account is setup and the status is valid.
    Getting another updated state, just in case.
    Getting an updated state.
    Getting service directory.
    
    ResourceUrl : https://acme-v02.api.letsencrypt.org/directory
    NewAccount  : https://acme-v02.api.letsencrypt.org/acme/new-acct
    NewAuthz    : 
    NewNonce    : https://acme-v02.api.letsencrypt.org/acme/new-nonce
    NewOrder    : https://acme-v02.api.letsencrypt.org/acme/new-order
    KeyChange   : https://acme-v02.api.letsencrypt.org/acme/key-change
    RevokeCert  : https://acme-v02.api.letsencrypt.org/acme/revoke-cert
    Meta        : AcmeDirectoryMeta
    
    Getting a new Nonce
    891FsRWUqlrWfxRnWfkx96Yu9PaZ_hnd2SJdysFScIm0lIo
    Getting identifier for mail2.kee.go.ug.
    Getting identifier for mail2.kee.go.ug.
    Getting identifier for .
    Getting identifier for .
    Creating new certificate.
    The script is stopping because an error occurred.
    New-ACMEIdentifier : Cannot validate argument on parameter 'Value'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
    At D:\MDaemon\LetsEncrypt\letsencrypt.ps1:579 char:38
    +     $Identifier = New-ACMEIdentifier $domain -ErrorVariable LogText
    +                                      ~~~~~~~
        + CategoryInfo          : InvalidData: (:) [New-ACMEIdentifier], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationError,New-ACMEIdentifier
     
    PS D:\MDaemon\LetsEncrypt>

    The error seems to revolve around:

    $Identifier = New-ACMEIdentifier $domain -ErrorVariable LogText

    Any advice on where to look?

    In the meantime I have set up self-signed certificates; not ideal, but...

    I've done tests with poshac.me (https://poshac.me/docs/v4/Tutorial/) and all seems well, so I ruled out any system/connectivity related issues.



  • There is a bug in the script included with MDaemon 23.0.2 that can cause an error to be returned if no alternate host names are passed to the script.  It looks to me like that is what is occurring.
     
    You can work around the problems in a couple of different ways.
     
    If you have an alternate host name that you can send to the script using the -AlternateHostNames parameter, adding this to your command line should fix the issue.
     
    You can revert to the script that came with the previous version.
     
    You can edit the script and find this line around line 721 in the file:
     
        $HostNames += $AlternateHostNames
     
    And change it to this:
     
    if($AlternateHostNames.Length -gt 0){
        $HostNames += $AlternateHostNames
    }

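The failure mode in the answer above, reproduced and then hardened as an added PowerShell example; this is editorial code, not MDaemon's letsencrypt.ps1. It assumes the script's -AlternateHostNames parameter is a plain string (which is what the .Length check in the workaround implies) and that MDaemon's alternate host names field is separated by commas, semicolons or spaces; Build-HostNameList, Test-IdentifierList and the sample host names are illustrative, not names from the real script.

```powershell
# Added example, not MDaemon's letsencrypt.ps1. Shows why an unset
# -AlternateHostNames value reaches New-ACMEIdentifier as an empty 'Value'
# and how the host-name list can be built so that it cannot.

function Build-HostNameList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [string] $AlternateHostNames = "",   # assumption: a string, as in the script
        [switch] $Hardened
    )

    # The primary host name always goes first; the script uses it as the
    # certificate subject and as the order name.
    $HostNames = @($Fqdn)

    if (-not $Hardened) {
        # Defect: '+=' with an empty string appends an empty element, which
        # later reaches New-ACMEIdentifier as a null/empty 'Value'.
        $HostNames += $AlternateHostNames
        return $HostNames
    }

    # Hardened: split on the separators assumed for the alternate host names
    # field, trim, drop blanks, normalise case and skip duplicates of the primary.
    $Extra = @($AlternateHostNames -split '[,;\s]+' |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) })

    foreach ($Name in $Extra) {
        if ($HostNames -notcontains $Name) { $HostNames += $Name }
    }
    return $HostNames
}

# Mirrors the loop around letsencrypt.ps1:579 without touching ACME: refuse an
# empty identifier the same way the real New-ACMEIdentifier parameter binding does.
function Test-IdentifierList {
    param([string[]] $HostNames)
    foreach ($Domain in $HostNames) {
        if ([string]::IsNullOrWhiteSpace($Domain)) {
            throw "Cannot validate argument on parameter 'Value'. The argument is null or empty."
        }
        Write-Host "Getting identifier for $Domain."
    }
    return $true
}

# No alternate host names, as in the original post: the unpatched path fails.
$Buggy = Build-HostNameList -Fqdn 'mail2.kee.go.ug'
"Unpatched list has $($Buggy.Count) entries"     # 2; the second one is ''
try   { Test-IdentifierList $Buggy }
catch { Write-Warning $_.Exception.Message }

# Hardened path with the same input yields one clean identifier ...
$Fixed = Build-HostNameList -Fqdn 'mail2.kee.go.ug' -Hardened
Test-IdentifierList $Fixed

# ... and still copes with a populated field with stray spacing and a duplicate.
$Both = Build-HostNameList -Fqdn 'mail2.kee.go.ug' -Hardened `
        -AlternateHostNames ' mail1.kee.go.ug, MAIL2.kee.go.ug ;'
Test-IdentifierList $Both    # mail2.kee.go.ug, mail1.kee.go.ug
```

The two "Getting identifier for ." lines in the first log are exactly the empty element the unpatched path appends; filtering blanks before the loop removes the need for the length check at the call site and also protects against a field that contains only separators.
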
  • Thank you Arron, this got me further, but then another error happened :(

    Starting Script run at 08/04/2023 15:08:38.
    
    Checking HKLM:\SOFTWARE\Alt-N Technologies\MDaemon
    Checking HKLM:\SOFTWARE\Alt-N Technologies\MDaemon
    Checking HKLM:\SOFTWARE\Alt-N Technologies\WebAdmin
    Checking HKLM:\SOFTWARE\Alt-N Technologies\WebAdmin
    Starting Script run at 08/04/2023 15:08:38.
    Get the MDaemon paths.
    The MDaemon.ini Path is D:\MDaemon\App\MDaemon.ini.
    The MDaemon APP Path is D:\MDaemon\App\.
    The MDaemon Pem path is D:\MDaemon\PEM\.
    The MDaemon Log path is D:\MDaemon\Logs\.
    The MDaemon RAW path is D:\MDaemon\Queues\Raw\.
    The WorldClient Path is D:\MDaemon\WorldClient.
    The WorldClient HTML Path is D:\MDaemon\WorldClient\HTML.
    The well-known path is D:\MDaemon\WorldClient\HTML\.well-known.
    The Acme-Challenge path is D:\MDaemon\WorldClient\HTML\.well-known\Acme-challenge.
    The State Path is D:\MDaemon\PEM\_LEState.
    The FQDN is set to mail2.kee.go.ug.
    The email address is set to postmaster@mail2.kee.go.ug.
    Setting the system to use the LetsEncrypt Live Service.
    The certificate thumbrpint in the MDaemon.ini file is 2BB0 6F83 5B37 ECA3 46B3 3DCF 1975 6670 BD54 83C5.
    Looking for the local certificate.
    The certificate is not from LetsEncrypt, requesting a new certificate.
    Importing the ACMESharp module.
    Getting an updated state.
    The account is setup and the status is valid.
    Getting another updated state, just in case.
    Getting an updated state.
    Getting service directory.
    
    
    ResourceUrl : https://acme-v02.api.letsencrypt.org/directory
    NewAccount  : https://acme-v02.api.letsencrypt.org/acme/new-acct
    NewAuthz    : 
    NewNonce    : https://acme-v02.api.letsencrypt.org/acme/new-nonce
    NewOrder    : https://acme-v02.api.letsencrypt.org/acme/new-order
    KeyChange   : https://acme-v02.api.letsencrypt.org/acme/key-change
    RevokeCert  : https://acme-v02.api.letsencrypt.org/acme/revoke-cert
    Meta        : AcmeDirectoryMeta
    
    Getting a new Nonce
    371CoOWREPiWgvFf4I4x30vVPrS1BHmd8UrBANI2Gs2vG6U
    Getting identifier for mail2.kee.go.ug.
    Getting identifier for mail2.kee.go.ug.
    Creating new certificate.
    Getting another updated state, just in case it has changed.
    Creating a new order for mail2.kee.go.ug using dns:mail2.kee.go.ug
    Getting an updated state.
    Getting service directory.
    ResourceUrl : https://acme-v02.api.letsencrypt.org/directory
    NewAccount  : https://acme-v02.api.letsencrypt.org/acme/new-acct
    NewAuthz    : 
    NewNonce    : https://acme-v02.api.letsencrypt.org/acme/new-nonce
    NewOrder    : https://acme-v02.api.letsencrypt.org/acme/new-order
    KeyChange   : https://acme-v02.api.letsencrypt.org/acme/key-change
    RevokeCert  : https://acme-v02.api.letsencrypt.org/acme/revoke-cert
    Meta        : AcmeDirectoryMeta
    
    Getting an authorization for the dns:mail2.kee.go.ug.
    Getting service directory.
    ResourceUrl : https://acme-v02.api.letsencrypt.org/directory
    NewAccount  : https://acme-v02.api.letsencrypt.org/acme/new-acct
    NewAuthz    : 
    NewNonce    : https://acme-v02.api.letsencrypt.org/acme/new-nonce
    NewOrder    : https://acme-v02.api.letsencrypt.org/acme/new-order
    KeyChange   : https://acme-v02.api.letsencrypt.org/acme/key-change
    RevokeCert  : https://acme-v02.api.letsencrypt.org/acme/revoke-cert
    Meta        : AcmeDirectoryMeta
    
    Getting an updated state.
    The .well-known path for is D:\MDaemon\WorldClient\HTML\.well-known
    The Acme Challenge path for D:\MDaemon\WorldClient\HTML\.well-known\Acme-challenge
    Selecting the http-01 challenge and getting challenge data for dns:mail2.kee.go.ug.
    Creating challenge file.
    The challenge status URL is https://acme-v02.api.letsencrypt.org/acme/chall-v3/251865621486/X-01yA.
    The challenge identifier is dns:mail2.kee.go.ug.
    The URL to verify the challenge is mail2.kee.go.ug/.well-known/acme-challenge/e8dv0Q7qIWQyFlWUzdSRwcKo5eD9fpx1T1MQ8NUqqno.
    The Challenge file name for dns:mail2.kee.go.ug is e8dv0Q7qIWQyFlWUzdSRwcKo5eD9fpx1T1MQ8NUqqno
    The Challenge Content for dns:mail2.kee.go.ug is e8dv0Q7qIWQyFlWUzdSRwcKo5eD9fpx1T1MQ8NUqqno.XpejgSesqQANuVPyLceTwN158x8H-HFy1IDiaBn1BaY
    Creating D:\MDaemon\WorldClient\HTML\.well-known\Acme-challenge\e8dv0Q7qIWQyFlWUzdSRwcKo5eD9fpx1T1MQ8NUqqno for dns:mail2.kee.go.ug.
    LastWriteTime : 04/08/2023 15:08:46
    Length        : 87
    Name          : e8dv0Q7qIWQyFlWUzdSRwcKo5eD9fpx1T1MQ8NUqqno
    
    Submitting the ACME challenge for dns:mail2.kee.go.ug for verification.
    ResourceUrl       : https://acme-v02.api.letsencrypt.org/acme/order/1094979007/199368893166
    Status            : pending
    Expires           : 2023-08-11T12:08:48Z
    NotBefore         : 
    NotAfter          : 
    Identifiers       : {dns:mail2.kee.go.ug}
    AuthorizationUrls : {https://acme-v02.api.letsencrypt.org/acme/authz-v3/251865621486}
    FinalizeUrl       : https://acme-v02.api.letsencrypt.org/acme/finalize/1094979007/199368893166
    CertificateUrl    : 
    CSROptions        : AcmeCsrOptions
    
    Waiting for the order status to update... 0
    ResourceUrl       : https://acme-v02.api.letsencrypt.org/acme/order/1094979007/199368893166
    Status            : invalid
    Expires           : 2023-08-11T12:08:48Z
    NotBefore         : 
    NotAfter          : 
    Identifiers       : {dns:mail2.kee.go.ug}
    AuthorizationUrls : {https://acme-v02.api.letsencrypt.org/acme/authz-v3/251865621486}
    FinalizeUrl       : https://acme-v02.api.letsencrypt.org/acme/finalize/1094979007/199368893166
    CertificateUrl    : 
    CSROptions        : AcmeCsrOptions
    
    Waiting for the order status to update... 1
    Error: The challenge did not complete.
    
                    Host Name: mail2.kee.go.ug
                    Error Code: 400
                    Error Type: urn:ietf:params:acme:error:connection
                    Error Detail: 212.88.113.90: Fetching http://mail2.kee.go.ug/.well-known/acme-challenge/e8dv0Q7qIWQyFlWUzdSRwcKo5eD9fpx1T1MQ8NUqqno: Timeout during connect (likely firewall problem)
    This is a critical error, the script will now stop.
    Information obtained from the following URLs: https://acme-v02.api.letsencrypt.org/acme/authz-v3/251865621486
    Unable to send an error email. No To address was specified.

    Would you be able to advise what ports need to be opened? I thought all we needed was 80 and 443 for Let's Encrypt?

    Waiting for the order status to update... 1
    Error: The challenge did not complete.
                    Host Name: mail2.kee.go.ug
                    Error Code: 400
                    Error Type: urn:ietf:params:acme:error:connection
                    Error Detail: 212.88.113.90: Fetching http://mail2.kee.go.ug/.well-known/acme-challenge/0bSNY9xMqsv3ENIsE_4dIUYpv-PePIPvQeOGlq-RknM: Timeout during connect (likely firewall problem)
    This is a critical error, the script will now stop.
    Information obtained from the following URLs: https://acme-v02.api.letsencrypt.org/acme/authz-v3/251863183736
    Unable to send an error email. No To address was specified.

  • I'm unable to connect to http://mail2.kee.go.ug, I get a connection time out.  The log you posted shows that LetsEncrypt is also getting a timeout, error 400, while trying to connect to your server.  

    Is webmail running?

    Can you connect to it locally?

    Is it listening on port 80 and 443?  Yes these should be the only ports you need open for LetsEncrypt.  

    Is your firewall allowing the connections through and passing them to the mail server?  


  • From Google Chrome I can access the site on HTTPS (https://mail2.kee.go.ug/) but not HTTP, as all HTTP traffic is routed to HTTPS via MDaemon's own mail server.


  • HTTP is working for me now.  LetsEncrypt should follow the redirect.  

    Based on the dates for the certificate, it looks like you were able to get it working.  Can you confirm?  What did you change to get it to work?


  • Hi Arron, I found out the last issue: for some reason the HTTP port was back on 3000? I assume that this was an update? Is it possible to advise if there's an automated way of ensuring the port remains consistent across updates?

    Other than that, thank you for your help in this matter.


  • OK, I found another anomaly related to the Let's Encrypt procedure. It seems that the self-signed certificate recognizes both mail2.kee.go.ug and mail1.kee.go.ug, but when using Let's Encrypt, it only recognizes the primary mail2.kee.go.ug.



  • @Arron yes, thank you. Let's Encrypt works mostly; it is usable right now, as long as we don't need to use the backup link.

    "I found another anomaly related to the Let's Encrypt procedure. It seems that the self-signed certificate recognizes both mail2.kee.go.ug and mail1.kee.go.ug, but when using Let's Encrypt, it only recognizes the primary mail2.kee.go.ug."


  • An update should not alter the port.  The script is already checking the port to make sure it's listening on port 80.  It checks the following value in the WorldClient.ini file.

    [WebServer]
    Port=3000

    However, there are some exceptions that would allow the script to continue running even if it were not configured to listen on port 80.

    If ActiveSync is enabled the script continues because the ActiveSync server forces the HTTP server to listen on port 80 in addition to the ports that are configured.  

    If you have webmail configured to run under IIS, the script will also continue if the port is set to 3000 as the port is not used in this case.

    Have either of those settings been changed recently?

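A pre-flight check for the http-01 path that covers the questions raised in the two replies above (is webmail listening on port 80, is HTTP being redirected, and what does the [WebServer] Port value in WorldClient.ini say), written as an added PowerShell example rather than code from MDaemon's script. The paths and host names are taken from the logs in this thread and are assumptions for your install; Get-IniValue and Test-AcmeHttpPath are illustrative names. It puts a throw-away token in the same acme-challenge directory the script uses and fetches it over plain HTTP the way Let's Encrypt does, with redirects disabled so a redirect to HTTPS shows up as a result instead of being followed silently.

```powershell
# Added example, not part of MDaemon's letsencrypt.ps1.
# Assumed install layout (from the logs in this thread): adjust for yours.
$WorldClientIni = 'D:\MDaemon\WorldClient\WorldClient.ini'
$ChallengeDir   = 'D:\MDaemon\WorldClient\HTML\.well-known\Acme-challenge'
$HostNames      = @('mail2.kee.go.ug', 'mail1.kee.go.ug')   # primary + alternates

function Get-IniValue {
    param([string] $Path, [string] $Section, [string] $Key)
    # Minimal INI reader: first "Key=value" under [Section], or $null if absent.
    $InSection = $false
    foreach ($Line in Get-Content -LiteralPath $Path) {
        if ($Line -match '^\s*\[(.+?)\]\s*$') { $InSection = ($Matches[1] -eq $Section); continue }
        if ($InSection -and $Line -match ('^\s*{0}\s*=\s*(.*?)\s*$' -f [regex]::Escape($Key))) {
            return $Matches[1]
        }
    }
    return $null
}

function Test-AcmeHttpPath {
    param([string] $IniPath, [string] $ChallengePath, [string[]] $Names)
    $Result = [ordered]@{}

    # 1. The value the script inspects. http-01 needs a listener on 80; the
    #    exceptions described above (ActiveSync forcing an extra listener on 80,
    #    webmail under IIS) are why step 2 checks the real socket as well.
    $Result['WorldClientPort'] = Get-IniValue -Path $IniPath -Section 'WebServer' -Key 'Port'

    # 2. Is anything listening on TCP 80 right now, whatever the INI says?
    $Listener = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
    $Result['Port80Listening'] = [bool] $Listener

    # 3. End to end: a throw-away token in the real challenge directory, fetched
    #    over plain HTTP under /.well-known/acme-challenge/ for every host name.
    $Token = [guid]::NewGuid().ToString('N')
    $Probe = Join-Path $ChallengePath $Token
    Set-Content -LiteralPath $Probe -Value "probe-$Token" -NoNewline
    try {
        foreach ($Name in $Names) {
            $Url = "http://$Name/.well-known/acme-challenge/$Token"
            try {
                $Resp = Invoke-WebRequest -Uri $Url -MaximumRedirection 0 -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
                if ($Resp.StatusCode -ge 300 -and $Resp.StatusCode -lt 400) {
                    $Result[$Name] = "redirect to $($Resp.Headers['Location']) (HTTP $($Resp.StatusCode))"
                } elseif ($Resp.Content -eq "probe-$Token") {
                    $Result[$Name] = 'ok'
                } else {
                    $Result[$Name] = "unexpected body (HTTP $($Resp.StatusCode))"
                }
            } catch {
                # Windows PowerShell throws on a 3xx when redirects are disabled; read
                # the status and Location from the response attached to the exception.
                $R    = $_.Exception.Response
                $Code = if ($R) { [int] $R.StatusCode } else { 0 }
                $Loc  = $null
                if ($R) {
                    $Loc = if ($R.Headers -is [System.Collections.Specialized.NameValueCollection]) { $R.Headers['Location'] } else { $R.Headers.Location }
                }
                if ($Code -ge 300 -and $Code -lt 400) { $Result[$Name] = "redirect to $Loc (HTTP $Code)" }
                elseif ($Code -gt 0)                  { $Result[$Name] = "HTTP $Code" }
                else                                  { $Result[$Name] = "connect failed: $($_.Exception.Message)" }
            }
        }
    } finally {
        Remove-Item -LiteralPath $Probe -ErrorAction SilentlyContinue
    }
    return [pscustomobject] $Result
}

Test-AcmeHttpPath -IniPath $WorldClientIni -ChallengePath $ChallengeDir -Names $HostNames | Format-List
```

A result of 'ok' for a host name proves the listener and the challenge directory from wherever the check is run; the "Timeout during connect" errors Let's Encrypt reported in this thread are a question for the edge firewall and NAT, so run the same check from outside the network as well, and treat a "redirect to https://..." result as something to confirm that webmail serves the challenge path on the HTTPS side too.
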



  • When using LetsEncrypt, it will retrieve the default host name from MDaemon.  If there are additional host names you want it to use, you need to add them to the list of alternate host names.  In MDaemon go to Security / Security Settings / SSL & TLS / LetsEncrypt.  In the field for alternate host names add mail1.kee.go.ug.  Click Apply and then click Run Now.  

    The script will run and as long as the challenges complete correctly and everything else works as it is supposed to, you will get a certificate that supports both host names.


  • @Arron I have looked, it all seems correct; mail1.kee.go.ug is present in the LetsEncrypt settings, and it did work previously. I am not aware of any changes that I have made; we do back up the system daily, so I can go through the backups to check.


  • Where did you get the script output that you posted to this thread?  Did you run the script manually or was that from a script run where MDaemon executed the script?  I'm asking because the output does not include mail1.kee.go.ug.  This would happen if you ran the script manually and did not include the -alternatehostnames parameter in the command line.  


  • If I may, I also made a change to letsencrypt.ps1, line 717:

    # The concatenation is grouped in parentheses so that it reaches Join-Path as a single -ChildPath argument;
    # without them the '+' tokens and the pieces after them are passed to Join-Path as separate arguments.
    $LetsEncryptLog = Join-Path $MDLogPath ("LetsEncrypt_" + $MyYear + "_" + $MyMonth + "_" + $MyTicks + ".log")


    Just to aid troubleshooting, would this cause any issues that you can think of?


  • Altering the log file name shouldn't cause any issues.  It will just create a unique log file for each script run.  

    The default settings create a single file on disk and then append to the log file each time the script is run. 


  • @Arron Thank you, I think we can close this for now. The log files don't contain any history beyond a couple of attempts; maybe it got wiped with the update, as it's the same on our other servers.


  • If you have log archiving enabled, the LetsEncrypt log will be moved into the archive file and a new log will be started on the next script run.


  • Hi, seems a not so similar issue has come up! but... :(

    To my knowledge we have not changed anything; possible to advise?

    Starting Script run at 08/21/2023 12:06:02.
    Get the MDaemon paths.
    The MDaemon.ini Path is D:\MDaemon\App\MDaemon.ini.
    The MDaemon APP Path is D:\MDaemon\App\.
    The MDaemon Pem path is D:\MDaemon\PEM\.
    The MDaemon Log path is E:\MDaemon\Logs\.
    The MDaemon RAW path is D:\MDaemon\Queues\Raw\.
    The WorldClient Path is D:\MDaemon\WorldClient.
    The WorldClient HTML Path is D:\MDaemon\WorldClient\HTML.
    The well-known path is D:\MDaemon\WorldClient\HTML\.well-known.
    The Acme-Challenge path is D:\MDaemon\WorldClient\HTML\.well-known\Acme-challenge.
    The State Path is D:\MDaemon\PEM\_LEState.
    The FQDN is set to mail1.cfts.co.
    The email address is set to postmaster@mail1.cfts.co.
    Setting the system to use the LetsEncrypt Live Service.
    The certificate thumbrpint in the MDaemon.ini file is B1FA C775 2BC2 CDD9 9990 A278 E52D AC34 1637 381D.
    Looking for the local certificate.
    I found a certifcate from LetsEncrypt.
    The certificate is still valid for 30 days.
    Host names: mail1.cfts.co mail2.cfts.co autodiscover.cfts.co webmail.cfts.co
    Certificate host names: mail1.cfts.co mail2.cfts.co webmail.cfts.co
    The list of alternate host names has changed. The alias for the certificate needs to be changed.
    The list of host names has changed.  A new certificate will be requested.
    Importing the ACMESharp module.
    Getting an updated state.
    The account is setup and the status is valid.
    Getting an updated state.
    Getting service directory.
    Getting a new Nonce
    Getting identifier for mail1.cfts.co.
    Getting identifier for mail1.cfts.co.
    Getting identifier for mail2.cfts.co.
    Getting identifier for mail2.cfts.co.
    Getting identifier for autodiscover.cfts.co.
    Getting identifier for autodiscover.cfts.co.
    Getting identifier for webmail.cfts.co.
    Getting identifier for webmail.cfts.co.
    Creating new certificate.
    Creating a new order for mail1.cfts.co using dns:mail1.cfts.co dns:mail2.cfts.co dns:autodiscover.cfts.co dns:webmail.cfts.co
    Getting an updated state.
    Getting service directory.
    Getting an authorization for the dns:autodiscover.cfts.co dns:mail1.cfts.co dns:mail2.cfts.co dns:webmail.cfts.co.
    Getting service directory.
    Getting an updated state.
    The .well-known path for is D:\MDaemon\WorldClient\HTML\.well-known
    The Acme Challenge path for D:\MDaemon\WorldClient\HTML\.well-known\Acme-challenge
    Selecting the http-01 challenge and getting challenge data for dns:webmail.cfts.co.
    The challenge status URL is https://acme-v02.api.letsencrypt.org/acme/chall-v3/252742915216/gvYXsA.
    The challenge identifier is dns:webmail.cfts.co.
    The URL to verify the challenge is webmail.cfts.co/.well-known/acme-challenge/nh8H-gTkoXzsqiXCnwsOq0soqlqfiC_q6qtZTfjhsF0.
    The Challenge file name for dns:webmail.cfts.co is nh8H-gTkoXzsqiXCnwsOq0soqlqfiC_q6qtZTfjhsF0
    The Challenge Content for dns:webmail.cfts.co is nh8H-gTkoXzsqiXCnwsOq0soqlqfiC_q6qtZTfjhsF0.MZqOYYhvBrJGDP8_fk9RDUabkWVEhezjB1WAtbrmPOM
    The Challenge file name for dns:webmail.cfts.co already exists, removing file.
    Creating D:\MDaemon\WorldClient\HTML\.well-known\Acme-challenge\nh8H-gTkoXzsqiXCnwsOq0soqlqfiC_q6qtZTfjhsF0 for dns:webmail.cfts.co.
    Submitting the ACME challenge for dns:webmail.cfts.co for verification.
    Selecting the http-01 challenge and getting challenge data for dns:autodiscover.cfts.co.
    The challenge status URL is https://acme-v02.api.letsencrypt.org/acme/chall-v3/256952754886/rhTZ1w.
    The challenge identifier is dns:autodiscover.cfts.co.
    The URL to verify the challenge is autodiscover.cfts.co/.well-known/acme-challenge/8pavKLmwm-i6fVE_fM4ey35Yfm966KXnlesTP0F7Sjc.
    The Challenge file name for dns:autodiscover.cfts.co is 8pavKLmwm-i6fVE_fM4ey35Yfm966KXnlesTP0F7Sjc
    The Challenge Content for dns:autodiscover.cfts.co is 8pavKLmwm-i6fVE_fM4ey35Yfm966KXnlesTP0F7Sjc.MZqOYYhvBrJGDP8_fk9RDUabkWVEhezjB1WAtbrmPOM
    Creating D:\MDaemon\WorldClient\HTML\.well-known\Acme-challenge\8pavKLmwm-i6fVE_fM4ey35Yfm966KXnlesTP0F7Sjc for dns:autodiscover.cfts.co.
    Submitting the ACME challenge for dns:autodiscover.cfts.co for verification.
    Selecting the http-01 challenge and getting challenge data for dns:mail1.cfts.co.
    The challenge status URL is https://acme-v02.api.letsencrypt.org/acme/chall-v3/256952754896/Pc46NA.
    The challenge identifier is dns:mail1.cfts.co.
    The URL to verify the challenge is mail1.cfts.co/.well-known/acme-challenge/eScLNKI3nqlZGIkoSlcody0v1RQmaqdDOja2ln0sPhI.
    The Challenge file name for dns:mail1.cfts.co is eScLNKI3nqlZGIkoSlcody0v1RQmaqdDOja2ln0sPhI
    The Challenge Content for dns:mail1.cfts.co is eScLNKI3nqlZGIkoSlcody0v1RQmaqdDOja2ln0sPhI.MZqOYYhvBrJGDP8_fk9RDUabkWVEhezjB1WAtbrmPOM
    Creating D:\MDaemon\WorldClient\HTML\.well-known\Acme-challenge\eScLNKI3nqlZGIkoSlcody0v1RQmaqdDOja2ln0sPhI for dns:mail1.cfts.co.
    Submitting the ACME challenge for dns:mail1.cfts.co for verification.
    Selecting the http-01 challenge and getting challenge data for dns:mail2.cfts.co.
    The challenge status URL is https://acme-v02.api.letsencrypt.org/acme/chall-v3/256952754906/M7R15Q.
    The challenge identifier is dns:mail2.cfts.co.
    The URL to verify the challenge is mail2.cfts.co/.well-known/acme-challenge/Cp3axPhxl3vwSbvbKd03NPu-u83lrGJO5jZyXHfUb1E.
    The Challenge file name for dns:mail2.cfts.co is Cp3axPhxl3vwSbvbKd03NPu-u83lrGJO5jZyXHfUb1E
    The Challenge Content for dns:mail2.cfts.co is Cp3axPhxl3vwSbvbKd03NPu-u83lrGJO5jZyXHfUb1E.MZqOYYhvBrJGDP8_fk9RDUabkWVEhezjB1WAtbrmPOM
    Creating D:\MDaemon\WorldClient\HTML\.well-known\Acme-challenge\Cp3axPhxl3vwSbvbKd03NPu-u83lrGJO5jZyXHfUb1E for dns:mail2.cfts.co.
    Submitting the ACME challenge for dns:mail2.cfts.co for verification.
    Waiting for the order status to update... 0
    Error: The challenge did not complete.
    
                    Host Name: autodiscover.cfts.co
                    Error Code: 400
                    Error Type: urn:ietf:params:acme:error:connection
                    Error Detail: 41.190.136.10: Fetching http://autodiscover.cfts.co/.well-known/acme-challenge/8pavKLmwm-i6fVE_fM4ey35Yfm966KXnlesTP0F7Sjc: Timeout during connect (likely firewall problem)
    
                    Host Name: mail1.cfts.co
                    Error Code: 400
                    Error Type: urn:ietf:params:acme:error:connection
                    Error Detail: 41.190.136.10: Fetching http://mail1.cfts.co/.well-known/acme-challenge/eScLNKI3nqlZGIkoSlcody0v1RQmaqdDOja2ln0sPhI: Timeout during connect (likely firewall problem)
    
                    Host Name: mail2.cfts.co
                    Error Code: 400
                    Error Type: urn:ietf:params:acme:error:connection
                    Error Detail: 41.190.136.10: Fetching http://mail2.cfts.co/.well-known/acme-challenge/Cp3axPhxl3vwSbvbKd03NPu-u83lrGJO5jZyXHfUb1E: Timeout during connect (likely firewall problem)
    This is a critical error, the script will now stop.
    Information obtained from the following URLs: https://acme-v02.api.letsencrypt.org/acme/authz-v3/252742915216 https://acme-v02.api.letsencrypt.org/acme/authz-v3/256952754886 https://acme-v02.api.letsencrypt.org/acme/authz-v3/256952754896 https://acme-v02.api.letsencrypt.org/acme/authz-v3/256952754906

  • The log shows that the HTTP challenges are failing with error 400, Timeout during connect. I received the same error when I attempted to connect to http://autodiscover.cfts.co.  I was able to connect to mail1.cfts.co and mail2.cfts.co.

    Upon further investigation, it seems you have HTTP redirecting to HTTPS, but the LetsEncrypt certificate that is currently in place only supports mail1.cfts.co, mail2.cfts.co, and webmail.cfts.co.  Have you recently added autodiscover.cfts.co to the list of support host names?

    I can see when I try to connect directly to https://autodiscover.cfts.co, I get a certificate error.  When I try to connect to http://autodiscover.cfts.co, I get a time out.  

    Try turning off the redirect to https, have MDaemon run the LetsEncrypt process and request a certificate that is valid for autodiscover, mail1, and mail2.  Once the script has been retrieved and MDaemon has been configured to use it, turn the redirect to HTTPS back on. 

    Was the LetsEncrypt process able to complete?  Did it retrieve the desired certificate?  Did you get any errors?  


  • Hi Arron, 

    1. LetsEncrypt certificate that is currently in place only supports mail1.cfts.co, mail2.cfts.co, and webmail.cfts.co. Have you recently added autodiscover.cfts.co to the list of support host names? Yes to all.
    2. Try turning off the redirect to https: done; also removed all firewalls for the test just in case; no change.
    3. The LetsEncrypt process was not able to complete; the very same error persists.

    As a side note, I installed Caddy, a reverse proxy using Let's Encrypt, as a test; all certificates were obtained!

    I will do further test tomorrow.


  • 1 / 2
  • 2
Please login to reply this topic!