debian 12 question - mail delivery issue!

On a nice shiny deb12 install I'm getting some folks complaining that email seems to be coming from localhost (and not the domain).
I've stumbled around a bit but dont see anything amiss. hostname and /etc/mailname and /etc/hostname are correrct.
I turned off ipv6. any other reason mail should appear to come from localhost? the testing site says 'No A record for localhost' and not sure I should ever have an A record for localhost!

one test email gave me these header:


from hardmoney-financial.com (localhost [127.0.0.1]) (Authenticated sender: [email protected]) by nslin.cdbsystems.com (Postfix) with ESMTPA id 4644341147; Thu, 18 Jan 2024 18:27:36 +0000 (UTC)

why does it seem to think they come from localhost?

 

yes I sent the test email from roundcube... but its complaining about seeming to come from localhost!

 

on another issue (dont want to scare anyone with YAFLEI subject line!
(Yet Another Funny Lets Encrypt Issue) on my server where various other sites have LE certs just fine (using acme)
one site when I check the LE boxes it thinks then comes back with boxes empty.
From /var/log/ispconfig/acme.log:

Code:

[Fri Jan 19 11:40:08 EST 2024] response='{"identifier":{"type":"dns","value":"www.1st-street.com"},"status":"invalid","expires":"2024-01-26T16:40:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"204.111.190.136: Invalid response from http://www.1st-street.com/.well-known/acme-challenge/CNv1xnVHYh1uOQFR81A2Vubb5jfPvS8em34HBwBur1g: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/305906697306/GkLGaA","token":"CNv1xnVHYh1uOQFR81A2Vubb5jfPvS8em34HBwBur1g","validationRecord":[{"url":"http://www.1st-street.com/.well-known/acme-challenge/CNv1xnVHYh1uOQFR81A2Vubb5jfPvS8em34HBwBur1g","hostname":"www.1st-street.com","port":"80","addressesResolved":["204.111.190.136"],"addressUsed":"204.111.190.136"}],"validated":"2024-01-19T16:40:06Z"}]}'
[Fri Jan 19 11:40:08 EST 2024] original='{"identifier":{"type":"dns","value":"www.1st-street.com"},"status":"invalid","expires":"2024-01-26T16:40:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"204.111.190.136: Invalid response from http://www.1st-street.com/.well-known/acme-challenge/CNv1xnVHYh1uOQFR81A2Vubb5jfPvS8em34HBwBur1g: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/305906697306/GkLGaA","token":"CNv1xnVHYh1uOQFR81A2Vubb5jfPvS8em34HBwBur1g","validationRecord":[{"url":"http://www.1st-street.com/.well-known/acme-challenge/CNv1xnVHYh1uOQFR81A2Vubb5jfPvS8em34HBwBur1g","hostname":"www.1st-street.com","port":"80","addressesResolved":["204.111.190.136"],"addressUsed":"204.111.190.136"}],"validated":"2024-01-19T16:40:06Z"}]}'
[Fri Jan 19 11:40:08 EST 2024] response='{"identifier":{"type":"dns","value":"www.1st-street.com"},"status":"invalid","expires":"2024-01-26T16:40:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"204.111.190.136: Invalid response from http://www.1st-street.com/.well-known/acme-challenge/CNv1xnVHYh1uOQFR81A2Vubb5jfPvS8em34HBwBur1g: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/305906697306/GkLGaA","token":"CNv1xnVHYh1uOQFR81A2Vubb5jfPvS8em34HBwBur1g","validationRecord":[{"url":"http://www.1st-street.com/.well-known/acme-challenge/CNv1xnVHYh1uOQFR81A2Vubb5jfPvS8em34HBwBur1g","hostname":"www.1st-street.com","port":"80","addressesResolved":["204.111.190.136"],"addressUsed":"204.111.190.136"}],"validated":"2024-01-19T16:40:06Z"}]}'
[Fri Jan 19 11:40:08 EST 2024] status='invalid
invalid'
[Fri Jan 19 11:40:08 EST 2024] error='"error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"204.111.190.136: Invalid response from http://www.1st-street.com/.well-known/acme-challenge/CNv1xnVHYh1uOQFR81A2Vubb5jfPvS8em34HBwBur1g: 404","status": 403'
[Fri Jan 19 11:40:08 EST 2024] errordetail='204.111.190.136: Invalid response from http://www.1st-street.com/.well-known/acme-challenge/CNv1xnVHYh1uOQFR81A2Vubb5jfPvS8em34HBwBur1g: 404'
[Fri Jan 19 11:40:08 EST 2024] Invalid status, www.1st-street.com:Verify error detail:204.111.190.136: Invalid response from http://www.1st-street.com/.well-known/acme-challenge/CNv1xnVHYh1uOQFR81A2Vubb5jfPvS8em34HBwBur1g: 404
[Fri Jan 19 11:40:08 EST 2024] pid
[Fri Jan 19 11:40:08 EST 2024] No need to restore nginx, skip.
[Fri Jan 19 11:40:08 EST 2024] _clearupdns
[Fri Jan 19 11:40:08 EST 2024] dns_entries
[Fri Jan 19 11:40:08 EST 2024] skip dns.
[Fri Jan 19 11:40:08 EST 2024] _on_issue_err
[Fri Jan 19 11:40:08 EST 2024] Please check log file for more details: /var/log/ispconfig/acme.log
[Fri Jan 19 11:40:08 EST 2024] _chk_vlist='1st-street.com#verified_ok##http-01#/usr/local/ispconfig/interface/acme#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304148208416,www.1st-street.com#CNv1xnVHYh1uOQFR81A2Vubb5jfPvS8em34HBwBur1g.L0EZ_BEGiThZ5sCO2MvKFDjP5nE_37ML9nNb_x9LX2k#https://acme-v02.api.letsencrypt.org/acme/chall-v3/305906697306/GkLGaA#http-01#/usr/local/ispconfig/interface/acme#https://acme-v02.api.letsencrypt.org/acme/authz-v3/305906697306,'
[Fri Jan 19 11:40:08 EST 2024] start to deactivate authz
[Fri Jan 19 11:40:08 EST 2024] Trigger domain validation.
[Fri Jan 19 11:40:08 EST 2024] _t_url
[Fri Jan 19 11:40:08 EST 2024] _t_key_authz='verified_ok'

log ends with:
[Fri Jan 19 11:40:09 EST 2024] original='{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}'
[Fri Jan 19 11:40:09 EST 2024] response='{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400

now there is no .well-known folder under 1st-street.com but permissions are exactly the same as another site that has its LE cert issued just fine on same server!
both 1st-street.com and www.1st-street.com are up and running and accessible. and as I said, other sites on this same server have ispconfig issuing certs just fine! what am I missing?
thanks as always.

one more little question - by default we create mail.1st-street.com records when we create the site zone. (and same with all the other mail.xxx.com dns entries). but NONE of them will ever have ssl certs for mail agents who care about such things! the cert will always be the host site cert we linked to postfix. any thought to 'automatically' adding mail.1st-street (and all the others) to the postfix cert?
I know I've been telling folks to use the hostname for their smtp/imap servernames. but then why bother with mail.mysite.com?

 

ok I understand so I need to have mail generate the test email then so it comes from the proper server

 

indeed touching the test.txt file and clicking the url leads to 404 error.
however no custom directive under options and no .htaccess (only things there are the default 'welcome' page).
but clicking nechtanmarketing.com/.well- etc works just fine... so.... logically... LE used to be able to access server but not now.
but how do we explain one of the other sites being able to access ./wellknown but not the troubled site?
the global alias obviously works (as nechtanmarketing bring up the 'hi' file at acme-challenge )
yes I did ping both sites and they point to the same server! (not like silly me from before where things pointed to the wrong ports).
did check firewall and rules seem to be ok. again one site GETS le cert.
just for yucks, I unchecked boxes on nechtan and waited then rechecked them and it issued the cert just fine!
clearly the global alias works on one site but not another on the same server..... scratching head!
I just added a new domain to this server. www etc pull up the default page as desired.
well-known test file leads to 404 error on this site as well!!!
where is that global alias defined? and how could it WORK on one site but not another?

now grepping well-known in /etc/httpd/conf we find:
[root@ns1 conf]# grep -r "well-known" .
./httpd.conf:Alias /.well-known/acme-challenge /home/.acme
./httpd.conf:Alias /.well-known/acme-challenge /home/.acme
./sites-available/acme.conf:Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
./sites-available/acme.conf:<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
./sites-available/knightkingdelivery.com.vhost: RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
./sites-available/knightkingdelivery.com.vhost: RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/

this look good? yes, httpd.conf does have the block duplicated!

now in my wish to further screw things up I copied the block form acme.conf:

Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
Require all granted
<IfModule mpm_itk_module>
AssignUserId ispconfig ispconfig
</IfModule>
</Directory>

into httpd.conf and systemctl restart httpd.

surely this will apply the global alias to everyone! but 1st-street STILL does not pull up test.txt

 

yes it HAS to be a dns issue. and this is a sute customer pointed at me. so I have to look at his godaddy!
thanks till :

 

indeed! he had messed up dns entries. issue sorted!