NeuroAgent

Why mailcow won't issue SSL certificate? Complete guide

Fix SSL certificate issues in mailcow: NAT reflection, port forwarding, reverse proxy configuration. Step-by-step instructions and solutions.

#lets-encrypt#mailcow-configuration#mailcow-docker#mailcow-ssl#nat-reflection#port-forwarding#ssl-troubleshooting

Why isn’t mailcow issuing an SSL certificate? I installed mailcow on my server, configured port forwarding, but the web interface is only accessible via HTTP. There is the following information in the logs: spoiler. Please help me determine where I made a mistake.

NeuroAgent

Mailcow Fails to Issue SSL Certificate: Common Causes and Solutions

Mailcow most commonly fails to issue SSL certificates due to NAT reflection issues, incorrect port forwarding configuration, or conflicts with reverse proxies. The main reasons include Let’s Encrypt rejecting domain verification due to network problems, incorrect port binding in the Mailcow configuration, or lack of proper routing for ACME challenges.

Table of Contents

Main SSL Issues in Mailcow

NAT reflection is the most common cause of SSL certificate problems in Mailcow. When the server is behind a NAT router, Let’s Encrypt cannot verify domain ownership because it cannot reach the server from outside through port forwarding.

In most cases, HTTP validation is skipped to bypass unknown NAT reflection issues that cannot be resolved by ignoring this specific network error

Another common issue is incorrect port binding in the Mailcow configuration. If you’re using non-standard ports (for example, HTTP_PORT=82), this can cause conflicts with system settings and interfere with the ACME client.

Problems also occur when:

  • There’s no proper routing for ports 80 and 443
  • The same ports are used on multiple devices
  • Firewall or proxy server settings are incorrect

NAT Reflection and Port Issues

NAT reflection occurs when a server tries to connect to itself through an external IP, but the router doesn’t properly handle such traffic. This is critical for Mailcow as Let’s Encrypt must be able to reach your server from outside.

NAT reflection symptoms:

  • Certificates don’t renew
  • Domain validation errors appear
  • TLSA records aren’t generated correctly

If you encounter TLSA record generation issues in the DNS review within Mailcow, you likely have NAT reflection problems that need to be fixed

To resolve NAT reflection issues:

  1. Ensure ports 80 and 443 are properly forwarded to your server
  2. Verify that your router supports hairpin NAT
  3. As a last resort, you can temporarily disable HTTP validation in the Mailcow configuration

Port Forwarding Configuration

Correct port forwarding configuration is key to solving SSL problems. Mailcow requires availability of the following ports:

  • TCP 80 - for Let’s Encrypt HTTP challenges
  • TCP 443 - for HTTPS challenges
  • TCP 25, 465, 587, 143, 993, 110, 995 - for mail services

Example iptables configuration for NAT:

bash
# Port forwarding for 25 (SMTP)
iptables -t nat -I PREROUTING -p tcp --dport 25 -d $WAN_IP -j DNAT --to $SERVER_IP:25

# Port forwarding for 443 (HTTPS)
iptables -t nat -I PREROUTING -p tcp --dport 443 -d $WAN_IP -j DNAT --to $SERVER_IP:443

Important: When using a reverse proxy (nginx, Traefik), you need to properly configure proxy challenges for Let’s Encrypt

If you’re using non-standard ports (as in your case with HTTP_PORT=82), ensure that:

  1. Port 80 is still accessible for ACME challenges
  2. The Mailcow configuration is correctly specified in mailcow.conf
  3. There are no conflicts with other services

Checking and Troubleshooting

To diagnose SSL problems in Mailcow, perform the following steps:

1. Check SSL Status

bash
docker compose logs acme-mailcow

Look for errors in the ACME client logs, such as:

  • validation failed
  • connection timeout
  • domain not resolved

2. Check Port Availability

bash
# Check external availability
curl -v http://your-domain/.well-known/acme-challenge/test

# Check internal availability
curl -v http://localhost/.well-known/acme-challenge/test

3. Reset SSL Configuration

If all checks pass but the problem persists:

bash
# Stop ACME service
docker compose stop acme-mailcow

# Remove old certificates
rm -rf data/assets/ssl/*

# Restart
docker compose start acme-mailcow

According to Mailcow documentation, stopping acme-mailcow for a day or two, deleting the data/assets/ssl folder, and restarting can solve many certificate problems

Additional Solutions

Using External Certificates

If Let’s Encrypt isn’t working, you can use:

  1. Existing certificates - simply copy them to data/assets/ssl/
  2. Certificates from other CAs - configure manual installation
  3. Certificates from nginx-proxy - as suggested by one user:

To solve this problem, I created a symbolic link from the /data/assets/ssl folder to the folder where all my certificates are stored (and updated by nginx-proxy), and created three symbolic links there to get the correct filenames for dovecot and postfix

Reverse Proxy Configuration

When using a reverse proxy:

  1. Ensure the proxy correctly redirects /.well-known/acme-challenge/
  2. Configure SNI for multi-domain support
  3. Verify that certificate paths match

If you enable TLS SNI (ENABLE_SSL_SNI in mailcow.conf), certificate paths in your reverse proxy should match the correct paths in data/assets/ssl/

Multiple Certificates

To support multiple domains on one certificate:

bash
# In mailcow.conf
ADDITIONAL_SAN=imap.*,smtp.*,autoconfig.*,autodiscover.*

This will extend the certificate to include “imap.example.com”, “smtp.example.com”, “autoconfig.example.com”, “autodiscover.example.com

Sources

  1. Advanced SSL - mailcow: dockerized documentation
  2. Mailcow SSL not working - Server Fault
  3. Fresh install of mailcow, SSL certificate not working - mailcow community
  4. Fresh Installed, https & ssl not working - GitHub issue
  5. SSL certificate issues - GitHub issue
  6. Email Certificate Problem - Reddit
  7. Docker Mailcow: How to renew the certificate - Server Fault

Conclusion

The main reasons Mailcow fails to issue SSL certificates:

  1. NAT reflection problems - the most common cause, requiring hairpin NAT setup or port forwarding configuration
  2. Incorrect port configuration - especially when using non-standard ports for HTTP
  3. Conflicts with reverse proxies - incorrect ACME challenge redirection setup

Recommended actions:

  • Check ACME client logs via docker compose logs acme-mailcow
  • Verify external accessibility of ports 80 and 443
  • If needed, reset SSL configuration by deleting the data/assets/ssl folder
  • Consider using external certificates as a temporary solution

If the problem persists, provide more information about your network configuration and log contents for more accurate diagnosis.

How to configure NAT reflection for mailcow?mailcow doesn't update SSL certificate - what to do?How to use external SSL certificates in mailcow?mailcow and reverse proxy - proper SSL configurationHow to check port availability for mailcow?mailcow ACME client errors - diagnosis and solution
Ask NeuroAgent