Automate cert renewal from different server using dns challenge

I decided to configure my Dovecot and Postfix to use a certificate from Let’s Encrypt. But the problem is that our site is hosted, and the mail server is located on our local server. In addition, I do not control our site, another person is engaged in this, and I do not want to involve him in this task. For the same reason, I do not want to use the existing certificate of our site.
But I control our domain. Thus, judging by the user guide, I can generate a certificate on our local server using the following command:
certbot -d alkiv.ua --manual --preferred-challenges dns certonly
At some stage, the utility asks to add DNS TXT record to the domain. The question is: will I need to manually correct this text entry each time the certificate is updated? Or does it need to be done only once?

My domain is:
alkiv.ua
I ran this command:
certbot -d alkiv.ua --manual --preferred-challenges dns certonly
It produced this output:
Please deploy a DNS TXT record under the name
_acme-challenge.alkiv.ua with the following value:
some_symbols
My web server is:
I do not have a web server. I want to use a certificate for our mail server.
The operating system is:
Dovecot and Postfix run on FreeBSD 11.3.
I can login to a root shell on my machine:
Yes.
I’m using a control panel to manage my site:
No.
The version of my client is:
certbot 1.2.0

Hi @yurybx

simple answer: Yes.

New certificate order -> new token -> new TXT entry.

That's the limitation using --manual. It's manual, no automation.

Check, if your dns provider supports an API.

If yes, acme.sh supports a lot of different APIs.

If you use --manual, yes. If you use a dns plugin for your provider, no. (also check acme.sh)

Unfortunately, my DNS provider does not support either an API or dynamic DNS. Does this mean that I cannot automate the certificate renewal using only DNS? Is it possible to create some tricky A-record that will contain the IP address of my mail server so that it can automatically renew the certificate?

Not natively, but you can use acme-dns (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely).
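One way to wire the acme-dns approach into certbot's own `--manual-auth-hook`, as an added example that is neither from this thread nor from the certbot or acme-dns projects; the acme-dns instance URL, the credentials file path and the hypothetical `acme-dns.example.com` name are assumptions:

```python
#!/usr/bin/env python3
"""certbot --manual-auth-hook that publishes the dns-01 token via acme-dns.

Assumed one-time setup (not on the original page): an account registered on
your acme-dns instance (POST /register) with its JSON reply saved to
CRED_FILE, and _acme-challenge.alkiv.ua made a CNAME to that reply's
"fulldomain". After that, renewals need no manual TXT edits:
  certbot certonly --manual --preferred-challenges dns \
      --manual-auth-hook /usr/local/sbin/acme-dns-hook.py -d alkiv.ua
"""
import json
import os
import sys
import urllib.request

ACME_DNS_URL = "https://acme-dns.example.com"        # assumed instance URL
CRED_FILE = "/usr/local/etc/acme-dns/alkiv.ua.json"  # assumed path


def build_update_request(creds, validation):
    """Return (headers, body) for acme-dns's POST /update endpoint.

    acme-dns only accepts a 43-character TXT value, which is exactly what
    certbot passes in CERTBOT_VALIDATION for a dns-01 challenge.
    """
    if len(validation) != 43:
        raise ValueError("acme-dns expects a 43-character TXT value")
    headers = {
        "X-Api-User": creds["username"],
        "X-Api-Key": creds["password"],
        "Content-Type": "application/json",
    }
    body = json.dumps({"subdomain": creds["subdomain"], "txt": validation})
    return headers, body


def expected_cname(domain, creds):
    """The single permanent DNS change the provider must host."""
    return f"_acme-challenge.{domain}. CNAME {creds['fulldomain']}."


def main():
    validation = os.environ["CERTBOT_VALIDATION"]  # exported by certbot
    with open(CRED_FILE) as fh:
        creds = json.load(fh)
    headers, body = build_update_request(creds, validation)
    req = urllib.request.Request(f"{ACME_DNS_URL}/update", data=body.encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        if resp.status != 200:
            sys.exit(f"acme-dns update failed: HTTP {resp.status}")


if __name__ == "__main__":
    main()
```

The acme-dns credentials grant the right to publish any TXT value for that subdomain, so keep CRED_FILE readable by root only.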
