Ssl_certificates fails to install cert for box because letsencrypt is picking up the internal address

The external address is 69.9.15.39 for box.summertrail.org and the internal address is 10.9.26.107.

Neither the custom DNS nor the external DNS has any record for 10.9.26.107. Checking external DNS using dig
produces:

root@box:~/mailinabox/management# dig box.summertrail.org +trace
box.summertrail.org. 1799 IN A 69.9.15.39
summertrail.org. 1800 IN NS dns1.registrar-servers.com.
summertrail.org. 1800 IN NS dns2.registrar-servers.com.
;; Received 123 bytes from 156.154.133.200#53(dns2.registrar-servers.com) in 44 ms

I don’t get it. Any help here would be appreciated, since I can no longer get any email in.

root@box:~/mailinabox/management# ./ssl_certificates.py
skipped: box.summertrail.org:
The domain name does not resolve to this machine: 10.9.26.107 (A).

skipped: mta-sts.box.summertrail.org:
The domain has a valid certificate already. (The certificate expires in 73 days on 2025-08-01. Certificate: /home/user-data/ssl/mta-sts.box.summertrail.org-20250801-aa2929af.pem, private key /home/user-data/ssl/ssl_private_key.pem)

skipped: summertrail.org:
The domain has a valid certificate already. (The certificate expires in 89 days on 2025-08-17. Certificate: /home/user-data/ssl/summertrail.org-20250817-6c195f7f.pem, private key /home/user-data/ssl/ssl_private_key.pem)

skipped: autoconfig.summertrail.org:
The domain has a valid certificate already. (The certificate expires in 71 days on 2025-07-30. Certificate: /home/user-data/ssl/autoconfig.summertrail.org-20250730-e12600f6.pem, private key /home/user-data/ssl/ssl_private_key.pem)

skipped: autodiscover.summertrail.org:
The domain has a valid certificate already. (The certificate expires in 89 days on 2025-08-17. Certificate: /home/user-data/ssl/summertrail.org-20250817-6c195f7f.pem, private key /home/user-data/ssl/ssl_private_key.pem)

skipped: mta-sts.summertrail.org:
The domain has a valid certificate already. (The certificate expires in 72 days on 2025-07-31. Certificate: /home/user-data/ssl/mta-sts.summertrail.org-20250731-b23068af.pem, private key /home/user-data/ssl/ssl_private_key.pem)

skipped: mta-sts.mta-sts.summertrail.org:
The domain name does not resolve to this machine: [Not Set] (A).

skipped: www.summertrail.org:
The domain name does not resolve to this machine: 10.9.26.107 (A).

Thanks,
ted
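The "does not resolve to this machine: 10.9.26.107 (A)" line above means the lookup the certificate check performed came back with the private address, while the dig trace against the registrar's nameservers returns 69.9.15.39. The script below is an added example for this thread, not Mail-in-a-Box's own ssl_certificates.py: it repeats that comparison from the box's point of view and tells apart the usual ways it can fail (a hosts-file entry pinning the name to the private IP, a local or internal resolver answering with the private IP, no A record at all, or an A record pointing somewhere else). The sample /etc/hosts text, the function names `parse_hosts`, `classify` and `system_resolve`, and the 8.8.8.8 address in the test data are constructed for the demonstration; the two IPs and hostnames are the ones from the post.

```python
#!/usr/bin/env python3
"""Check whether a hostname resolves, locally, to this box's public IP.

Added example for the thread above; not Mail-in-a-Box code.  The hosts-file
sample and the addresses in it are constructed for the demonstration.
"""
import ipaddress
import socket

PUBLIC_IP = "69.9.15.39"      # the box's public address (from the post)
PRIVATE_IP = "10.9.26.107"    # the box's private address (from the post)

# Constructed sample: a hosts file that pins the hostname to the private IP.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.9.26.107 box.summertrail.org box   # constructed entry, not the poster's file
::1         localhost ip6-localhost ip6-loopback
"""


def parse_hosts(text):
    """Return {hostname: [addresses]} from /etc/hosts-style text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def classify(domain, public_ip, addresses, hosts_table=None):
    """Say what a 'does it resolve to this machine' check would conclude.

    addresses: the A records the local resolver returned for `domain`.
    Returns (verdict, detail) where verdict is one of
    ok, unresolved, hosts_override, private_address, mismatch.
    """
    hosts_table = hosts_table or {}
    if not addresses:
        return "unresolved", f"{domain}: no A record ([Not Set])"
    if public_ip in addresses:
        return "ok", f"{domain} resolves to the public IP {public_ip}"
    private = [a for a in addresses if ipaddress.ip_address(a).is_private]
    if private:
        # If /etc/hosts carries the same private address, the stub resolver
        # answers from the file and never asks DNS at all.
        pinned = set(private) & set(hosts_table.get(domain.lower(), []))
        if pinned:
            return "hosts_override", (
                f"{domain} is pinned to {sorted(pinned)} in the hosts file; "
                "DNS is not consulted for it")
        return "private_address", (
            f"{domain} resolves to private {private}; the resolver this box "
            "uses is answering with an internal address")
    return "mismatch", f"{domain} resolves to {addresses}, not {public_ip}"


def system_resolve(domain):
    """IPv4 answers from the system resolver (the same path getent/ping use)."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "box.summertrail.org"
    try:
        with open("/etc/hosts") as fh:
            hosts = parse_hosts(fh.read())
    except OSError:
        hosts = {}
    verdict, detail = classify(domain, PUBLIC_IP, system_resolve(domain), hosts)
    print(f"{verdict}: {detail}")
```

Run it on the box itself (where the certificate check runs), since what matters is the answer the box's resolver gives, not what an external dig sees. A useful side-by-side is `dig +short box.summertrail.org` on the box against `dig +short box.summertrail.org @dns1.registrar-servers.com`; if only the local answer is 10.9.26.107, the cause is on the box (hosts file, resolv.conf, or the local nsd zone), not at the registrar.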

Please rerun the setup. I can ping your public IP and all the ports, so it is not ports.

curl -s https://mailinabox.email/setup.sh | sudo -E bash

Still have a problem. Here are the results of running setup.sh:
root@box:~# chmod 755 ./setup.sh
root@box:~# ./setup.sh

Mail-in-a-Box Installation

Hello and thanks for deploying a Mail-in-a-Box!

I’m going to ask you a few questions.

To change your answers later, just run ‘sudo mailinabox’ from the command line.

NOTE: You should only install this on a brand new Ubuntu installation 100% dedicated to Mail-in-a-Box. Mail-in-a-Box will, for example, remove apache2.

< OK >

Hostname

This box needs a name, called a ‘hostname’. The name will form a part of the box’s web address.

We recommend that the name be a subdomain of the domain in your email address, so we’re suggesting box.summertrail.org.

You can change it, but we recommend you don’t.

Hostname: box.summertrail.org

< OK >

Primary Hostname: box.summertrail.org
Public IP Address: 69.9.15.39
Private IP Address: 10.9.26.107
Mail-in-a-Box Version: v71a

Updating system packages…
Installing system packages…
Initializing system random number generator…
Opening alternate SSH port 2222.
Firewall is active and enabled on system startup
Synchronizing state of fail2ban.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable fail2ban
Installing nsd (DNS server)…
Installing Postfix (SMTP server)…
Installing Dovecot (IMAP server)…
Installing OpenDKIM/OpenDMARC…
Installing SpamAssassin…
bayes: synced databases from journal in 0 seconds: 1057 unique entries (1384 total entries)
Installing Nginx (web server)…
Installing Roundcube (webmail)…
Installing Nextcloud (contacts/calendar)…
Nextcloud is already latest version
Installing Z-Push (Exchange/ActiveSync server)…
Installing Mail-in-a-Box system management daemon…
Installing Munin (system monitoring)…
updated DNS: OpenDKIM configuration


Your Mail-in-a-Box is running.

Please log in to the control panel for further instructions at:

https://69.9.15.39/admin

You will be alerted that the website has an invalid certificate. Check that
the certificate fingerprint matches:

C4:71:54:7F:B9:42:4E:2C:DC:8E:03:D6:74:22:40:1E:29:B3:F1:92:1E:17:62:6A:61:ED:0F:BF:CD:49:64:0C

Then you can confirm the security exception and continue.

But then on the SSL page

box.summertrail.org Certificate has a problem: The certificate has expired or is not yet valid. It is valid from 2025-02-17 07:20:52 to 2025-05-18 07:20:51.

But then I reran ssl_certificates.py and lo and behold…

installed: box.summertrail.org, www.summertrail.org:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for box.summertrail.org and www.summertrail.org

Successfully received certificate.
Certificate is saved at: /tmp/tmp8mzdvhm3/cert
Intermediate CA chain is saved at: /tmp/tmp8mzdvhm3/chain
Full certificate chain is saved at: /tmp/tmp8mzdvhm3/cert_and_chain.pem
This certificate expires on 2025-08-17.
NEXT STEPS:

  • Certificates created using --csr will not be renewed automatically by Certbot. You will need to renew the certificate before it expires, by running the same Certbot command again.

If you like Certbot, please consider supporting our work by:


updating primary certificate
mail services restarted
web updated

So this looks to be fixed now. Thanks so much for the quick reply and the right fix. Now receiving email from the last two days.

Ted

Please don’t run as root next time.

Just use sudo.
You are changing permissions. Why? Anyway.

Good luck!
