ksylvan / docker-mail-server

Ansible playbooks to deploy a full featured mail server stack using Docker.


keeps failing at letsencrypt install


TASK [certificates : Generate certs] ************************************************************************************************************
fatal: [mail.optimcloud.com]: FAILED! => {"changed": true, "cmd": "docker run --rm -v /mnt/docker/nginx/certs:/etc/letsencrypt -p 80:80 -p 443:443 kayvan/letsencrypt certonly --standalone --rsa-key-size 4096 --agree-tos -m postmaster@optimcloud.com -d mail.optimcloud.com -d webmail.optimcloud.com -d postfixadmin.optimcloud.com -d spam.optimcloud.com -d www.optimcloud.com -d optimcloud.com", "delta": "0:00:18.317135", "end": "2017-11-08 07:20:26.150980", "failed": true, "msg": "non-zero return code", "rc": 1, "start": "2017-11-08 07:20:07.833845", "stderr": "Saving debug log to /var/log/letsencrypt/letsencrypt.log\nPlugins selected: Authenticator standalone, Installer None\nSkipped user interaction because Certbot doesn't appear to be running in a terminal. You should probably include --non-interactive or --force-interactive on the command line.\nObtaining a new certificate\nPerforming the following challenges:\ntls-sni-01 challenge for mail.optimcloud.com\ntls-sni-01 challenge for webmail.optimcloud.com\ntls-sni-01 challenge for postfixadmin.optimcloud.com\ntls-sni-01 challenge for spam.optimcloud.com\ntls-sni-01 challenge for www.optimcloud.com\ntls-sni-01 challenge for optimcloud.com\nWaiting for verification...\nCleaning up challenges\nFailed authorization procedure. optimcloud.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout", "stderr_lines": ["Saving debug log to /var/log/letsencrypt/letsencrypt.log", "Plugins selected: Authenticator standalone, Installer None", "Skipped user interaction because Certbot doesn't appear to be running in a terminal. You should probably include --non-interactive or --force-interactive on the command line.", "Obtaining a new certificate", "Performing the following challenges:", "tls-sni-01 challenge for mail.optimcloud.com", "tls-sni-01 challenge for webmail.optimcloud.com", "tls-sni-01 challenge for postfixadmin.optimcloud.com", "tls-sni-01 challenge for spam.optimcloud.com", "tls-sni-01 challenge for www.optimcloud.com", "tls-sni-01 challenge for optimcloud.com", "Waiting for verification...", "Cleaning up challenges", "Failed authorization procedure. optimcloud.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout"], "stdout": "IMPORTANT NOTES:\n - The following errors were reported by the server:\n\n Domain: optimcloud.com\n Type: connection\n Detail: Timeout\n\n To fix these errors, please make sure that your domain name was\n entered correctly and the DNS A/AAAA record(s) for that domain\n contain(s) the right IP address. Additionally, please check that\n your computer has a publicly routable IP address and that no\n firewalls are preventing the server from communicating with the\n client. If you're using the webroot plugin, you should also verify\n that you are serving files from the webroot path you provided.\n - Your account credentials have been saved in your Certbot\n configuration directory at /etc/letsencrypt. You should make a\n secure backup of this folder now. This configuration directory will\n also contain certificates and private keys obtained by Certbot so\n making regular backups of this folder is ideal.", "stdout_lines": ["IMPORTANT NOTES:", " - The following errors were reported by the server:", "", " Domain: optimcloud.com", " Type: connection", " Detail: Timeout", "", " To fix these errors, please make sure that your domain name was", " entered correctly and the DNS A/AAAA record(s) for that domain", " contain(s) the right IP address. Additionally, please check that", " your computer has a publicly routable IP address and that no", " firewalls are preventing the server from communicating with the", " client. If you're using the webroot plugin, you should also verify", " that you are serving files from the webroot path you provided.", " - Your account credentials have been saved in your Certbot", " configuration directory at /etc/letsencrypt. You should make a", " secure backup of this folder now. This configuration directory will", " also contain certificates and private keys obtained by Certbot so", " making regular backups of this folder is ideal."]}
to retry, use: --limit @/home/dingo/docker-mail-server/mailserver.retry

A few questions:

  1. Are your DNS records set up correctly?
  2. Are ports 80 and 443 open?
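A pre-flight script for exactly these two questions, added here as an example and not part of this repository's playbooks: it resolves every name from the certbot -d list, compares the A records with the IP the server is supposed to have, and probes ports 80 and 443. The domain list and 148.251.24.5 are taken from this issue; the resolver and port probe are injectable so the check can be exercised offline.

```python
"""Pre-flight check before `certbot certonly --standalone`: every name on the
-d list must resolve to this server's public IP and ports 80/443 must accept
TCP. Added example, not part of the docker-mail-server playbooks."""
import socket

# Names taken from the failing certbot command in the issue.
DOMAINS = ["mail.optimcloud.com", "webmail.optimcloud.com",
           "postfixadmin.optimcloud.com", "spam.optimcloud.com",
           "www.optimcloud.com", "optimcloud.com"]

def resolve_all(name):
    """Sorted IPv4 A records for name, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []

def port_open(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_dns(domains, expected_ip, resolve=resolve_all):
    """Map each name to 'ok', 'unresolved' or 'wrong: <ips>'. The issue's typo
    (148.245.24.5 instead of 148.251.24.5) shows up as 'wrong'. resolve is
    injectable so the logic can be exercised without network access."""
    report = {}
    for name in domains:
        ips = resolve(name)
        if not ips:
            report[name] = "unresolved"
        elif ips == [expected_ip]:
            report[name] = "ok"
        else:
            report[name] = "wrong: " + ",".join(ips)
    return report

def preflight(domains, expected_ip, resolve=resolve_all, probe=port_open):
    """List of problems found; empty means certbot --standalone can proceed."""
    report = check_dns(domains, expected_ip, resolve)
    problems = [f"{n}: {s}" for n, s in report.items() if s != "ok"]
    for port in (80, 443):  # the standalone authenticator needs both
        if not probe(expected_ip, port):
            problems.append(f"{expected_ip}:{port} not reachable from here")
    return problems
```

Call preflight(DOMAINS, "<your server IP>") and treat any returned line as the cause of the connection timeout certbot reports. Run the port probe from a machine outside the host (as the nmap run below does), since a firewall that drops outside traffic is invisible from the server itself.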

Yes, DNS is up, all resolved fine.... and yes, the firewall's off.

Maybe a provider-level filter? The Let's Encrypt server needs to be able to connect to your host. From the error message, I don't think that's happening.

$ docker run --rm uzyexe/nmap -p 80,443 optimcloud.com

Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-08 16:07 GMT
Nmap scan report for optimcloud.com (148.245.24.5)
Host is up (0.00057s latency).
rDNS record for 148.245.24.5: host-5.mx.g-networks.net
PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Odd, you're hitting the old IP...... maybe DNS hasn't caught up everywhere yet. The server IP is 148.251.24.5
nslookup optimcloud.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: optimcloud.com
Address: 148.245.24.5

ermmm shit...... my bad...! 148.251.24.5

It's fixed now.

Yes, that would explain it. Try it again in a bit. Once the DNS propagates, it should be fine. Please close this issue when that happens.

Have a great day!

I can verify that the new IP is not filtered:

$ nmap -p 80,443 148.251.24.5

Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-08 16:30 GMT
Nmap scan report for mail.optimcloud.com (148.251.24.5)
Host is up (0.037s latency).
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.90 seconds

Fixed, done.. sorry.

No problem. Have a great day.

Can I ask, I'm thinking about how to integrate this into the same system, instead of WordPress:

https://github.com/DockerIt/opencart-docker/blob/master/docker-compose.yml

This system uses a small nginx as a reverse proxy instead of the Apache in that opencart docker-compose.yml, so it might be simpler to just use this:

https://hub.docker.com/r/bitnami/opencart/

And instead of the installed wordpress.conf, use something like this in /mnt/docker/nginx/sites-enabled:

server {
  listen 8000;
  server_name www.{{ domain_name }};
  return 301 https://$host$request_uri;
}

server {
  listen 4430 ssl http2;
  server_name www.{{ domain_name }};

  limit_req zone=rainloop burst=10 nodelay;

{% if self_signed_certs %}
  ssl_certificate /certs/cert.pem;
  ssl_certificate_key /certs/privkey.pem;
{% else %}
  ssl_certificate /certs/live/mail.{{ domain_name }}/fullchain.pem;
  ssl_certificate_key /certs/live/mail.{{ domain_name }}/privkey.pem;
{% endif %}

  include /etc/nginx/conf/ssl_params;
  include /etc/nginx/conf/headers_params;

  #add_header Strict-Transport-Security "max-age=<HSTS_MAX_AGE>;<HSTS_SUBDOMAINS><HSTS_PRELOAD>";
  #client_max_body_size <MAX_BODY_SIZE>M;

  #auth_basic "Who's this?";
  #auth_basic_user_file /passwds/<NAME>.htpasswd;

  include /conf.d/robots;

  location / {
    proxy_pass http://opencart:80;
    include /etc/nginx/conf/proxy_params;
  }
}

With this docker-compose snippet:

  # opencart container setup
  opencart:
    image: bitnami/opencart:3
    container_name: opencart
    depends_on:
      - mariadb
    restart: on-failure
    volumes:
      - /mnt/docker/opencart:/bitnami
    environment:
      - MARIADB_PASSWORD={{ db_password }}
      - OPENCART_HOST=www.{{ domain_name }}

All of the above is completely untested! :-)

PRs are welcome.