Can I use an existing certificate for mail?


#1

I currently have a cert for a subdomain called demo.example.org, with a vhost in Apache that is correctly configured and working perfectly.

If I run the installer ./letsencrypt-auto --apache, it will look for a vhost that corresponds to my requested domain, but what I actually want is a certificate to use for a mail server like Dovecot.

I saw someone write that I could use the standalone version to set up certificates without having to rely on Apache or shut it down, but for some reason it won’t work for me.

What I was thinking was this: what if I set up a virtualhost that is mail.example.org and get a certificate for it, but instead of actually using the certificate there I use it for Dovecot? If I want to set up a cronjob to auto-renew the certs, I can’t have the installer request any feedback, I suppose.

How does that sound? If you think it might work, do you have any suggestions as to how I can have the vhost and not have Apache serve it as normal?

Also, I already set up a set of certificates for my actual website, which are stored in a folder by its domain name. Will issuing a new certificate with the same domain name, even though the subdomain differs, somehow mess with my current certificates?

Thanks for all help and suggestions.


#2

The problem with the standalone plugin is that you’ll have to shut down the running Apache for the LE client to listen on port 80 or 443, which of course is “a hassle”. You could also make a virtualhost with a reverse proxy to “localhost” on a different port than 80/443 and run the LE client with the appropriate options to listen on another port (note: the remote server of Let’s Encrypt always requires a connection to port 80/443, so you’ll have to redirect 80/443 to the port the LE client is listening on, e.g., with a reverse proxy or NAT port map.)

You could also use a virtualhost in Apache and just configure that virtualhost to “block” every request, except for requests to the /.well-known/acme-challenge/ directory. For example, serve a “HTTP 403 Forbidden” for every other request… Personally, I don’t see the harm in an extra “empty” virtualhost for this purpose, but it isn’t quite elegant of course.

Also, the guys from LE are busy with implementing the DNS challenge in the client. This challenge doesn’t require access to port 80/443, but uses DNS (d’oh :stuck_out_tongue:) to verify the ownership of the domain in question. Unfortunately, this option isn’t available as of yet, so won’t help you at this point.


#3

Thanks for the help!
Could you give an example of how I would allow requests to the challenge? I just figured out how to set up virtual hosts and make them work with SSL today, so I’m not exactly a pro in this field. :sweat_smile:

Inelegance is okay as long as it’s functional. :slightly_smiling:

Looking forward to the DNS option being fully developed!


#4

I use a LE certificate for mail as we speak.
I generated a certificate using the
./letsencrypt-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is
command from the how-to page, obviously adapted to my situation.
I simply generated a certificate for my mail domain and pointed the Dovecot and Postfix config files to the LE certificates, restarted the associated services and Bob’s your uncle.
AFAIK you can generate certificates for pretty much any service you want this way.


#5

I tried this, but for some reason it wouldn’t work either, same as --standalone. :confused:

I used the same configuration as you did, but idk. I can try it again and see if it works. Maybe I just derped it up. ^^


#6

The exact command I’d use would be:
./letsencrypt-auto certonly --webroot -w /var/www/public_html -d mail.domain.tld

public_html being the directory my webserver defaults to if there is not some sort of Virtual Host configuration telling it to serve something else (which is true for my mail domain, as it points to my server but has no virtual host configuration associated with it).

The standalone option only works if you take your own webserver offline when you run that command.
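The two certonly --webroot commands in #4 and #6 are one-off runs; the cron-driven, prompt-free renewal the original poster asked about needs a small wrapper around them. The script below is an added example, not code from the thread or from the Let’s Encrypt client: it builds the certonly --webroot command so that it never waits for input, reads the live certificate’s notAfter date with openssl to decide whether a renewal is due, and reloads Dovecot and Postfix afterwards so they pick up the new files. The client path, webroot, mail domain, contact address, renewal threshold and systemd unit names are assumptions; the /etc/letsencrypt/live/ layout and the --non-interactive, --agree-tos and --email flags are the client’s own.

```python
"""Non-interactive renewal of a mail certificate obtained with --webroot.

Added example (not from the thread or the Let's Encrypt project). Paths, the
domain, the contact address and the service names below are assumptions.
"""
import subprocess
from datetime import datetime, timedelta, timezone

LE_CLIENT = "./letsencrypt-auto"          # assumed location of the client
WEBROOT = "/var/www/public_html"          # the webroot used in post #6
MAIL_DOMAIN = "mail.example.org"          # assumed mail hostname
CONTACT = "postmaster@example.org"        # assumed contact address
LIVE_DIR = "/etc/letsencrypt/live"        # the client's live/ directory
RENEW_BEFORE_DAYS = 30                    # renew when less than this remains
MAIL_SERVICES = ("dovecot", "postfix")    # assumed systemd unit names


def certonly_command(webroot, domains, email, client=LE_CLIENT):
    """argv for a prompt-free certonly run (a cron job must never wait for input)."""
    argv = [client, "certonly", "--non-interactive", "--agree-tos",
            "--email", email, "--webroot", "-w", webroot]
    for domain in domains:
        argv += ["-d", domain]
    return argv


def parse_openssl_enddate(line):
    """Parse 'notAfter=Mar  3 12:00:00 2016 GMT', the output of `openssl x509 -enddate -noout`."""
    if not line.startswith("notAfter="):
        raise ValueError("unexpected openssl output: %r" % line)
    return datetime.strptime(line.split("=", 1)[1].strip(), "%b %d %H:%M:%S %Y GMT")


def needs_renewal(not_after, now, days=RENEW_BEFORE_DAYS):
    """True when the certificate expires within `days` (or has already expired)."""
    return not_after - now <= timedelta(days=days)


def current_not_after(domain):
    """Read notAfter of the live certificate via openssl (runs a subprocess)."""
    cert = "%s/%s/cert.pem" % (LIVE_DIR, domain)
    out = subprocess.check_output(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert], universal_newlines=True)
    return parse_openssl_enddate(out.strip())


def renew_if_due(now=None):
    """Renew when due and reload the mail daemons; returns True if a renewal ran."""
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, like strptime
    try:
        not_after = current_not_after(MAIL_DOMAIN)
    except (OSError, subprocess.CalledProcessError):
        not_after = now  # no usable certificate yet: treat as due
    if not needs_renewal(not_after, now):
        return False
    subprocess.check_call(certonly_command(WEBROOT, [MAIL_DOMAIN], CONTACT))
    for unit in MAIL_SERVICES:
        subprocess.check_call(["systemctl", "reload", unit])
    return True


if __name__ == "__main__":
    print("renewed" if renew_if_due() else "certificate still valid, nothing done")
```

Run it daily from root’s crontab; the expiry check means it only contacts Let’s Encrypt when fewer than 30 days remain, and the reload step matters because Dovecot and Postfix keep the old certificate in memory until told otherwise. Point Dovecot at the live files with `ssl_cert = </etc/letsencrypt/live/mail.example.org/fullchain.pem` and `ssl_key = </etc/letsencrypt/live/mail.example.org/privkey.pem`, and Postfix with `smtpd_tls_cert_file` and `smtpd_tls_key_file` set to the same two paths, so a renewal never requires a config change. Whether the client re-issues a certificate that is still valid depends on the client version; the script’s own expiry check is what keeps it from asking.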


#7

Tried it again, realized I needed to add an A-record with “mail”. Ran it again, got this error:
“The client sent an unacceptable anti-replay nonce :: JWS has invalid anti-replay nonce”

I’ve tried looking at the logs, but I can’t find anything that I think describes the error. :cry:


#8

Oh, I needed to add a VirtualHost for mail.example.com of course. Did that and reloaded Apache, and now it worked.

Oh well, the more you know I suppose. :slightly_smiling:

Thanks for helping. ^^


#9

For example:

<VirtualHost *:80>
        Servername le-test-06.example.com
        DocumentRoot /var/www/vhosts/le-test-06.example.com/htdocs/

        <Directory "/var/www/vhosts/le-test-06.example.com/htdocs/">
                Require all denied
        </Directory>
        <Directory "/var/www/vhosts/le-test-06.example.com/htdocs/.well-known/acme-challenge">
                Require all granted
        </Directory>
</VirtualHost>

Did the trick on my server. :slightly_smiling: If you really want to be correct, you could/should put the <Directory> containers between <IfModule mod_authz_core.c> and </IfModule> because the Require directive is part of the mod_authz_core module.

Your location of the webroot might be different of course. Just use the directory from the DocumentRoot directive, once without modification and once with the .well-known/acme-challenge/ part trailing it, in that order (deny, allow)…
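Before exposing a vhost like the one above, it helps to see which request paths it would actually answer with 403. The script below is an added example, not part of the thread: it parses the <Directory> sections of the posted vhost (embedded as a constructed sample with its placeholder hostname) and applies Apache’s merge rule for <Directory> sections, which are processed from the shortest matching directory to the longest so that the most specific section wins regardless of their order in the file. It also checks that the only directory granted is DocumentRoot/.well-known/acme-challenge. Requests are treated as file paths under DocumentRoot, and a path that matches no section is reported as denied, which assumes the server-wide default is “Require all denied”.

```python
"""Offline check of a "deny everything except the ACME challenge directory" vhost.

Added example, not from the thread. Sections are matched the way Apache merges
<Directory> containers: shortest directory first, longer (more specific) ones
override. Paths that match no section are assumed denied.
"""
import posixpath
import re

# Constructed sample: the vhost posted in this thread, placeholder hostname kept.
VHOST_CONF = """
<VirtualHost *:80>
        ServerName le-test-06.example.com
        DocumentRoot /var/www/vhosts/le-test-06.example.com/htdocs/

        <Directory "/var/www/vhosts/le-test-06.example.com/htdocs/">
                Require all denied
        </Directory>
        <Directory "/var/www/vhosts/le-test-06.example.com/htdocs/.well-known/acme-challenge">
                Require all granted
        </Directory>
</VirtualHost>
"""

_DIR_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>',
                     re.IGNORECASE | re.DOTALL)
_DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?',
                         re.IGNORECASE | re.MULTILINE)


def _norm(path):
    """Collapse duplicate slashes, resolve '..', drop the trailing slash."""
    return posixpath.normpath(path)


def parse_vhost(conf):
    """Return (document_root, [(directory, 'granted' | 'denied'), ...])."""
    m = _DOCROOT_RE.search(conf)
    if not m:
        raise ValueError("no DocumentRoot in vhost")
    rules = []
    for directory, body in _DIR_RE.findall(conf):
        req = re.search(r'Require\s+all\s+(granted|denied)', body, re.IGNORECASE)
        if not req:
            raise ValueError("no 'Require all granted|denied' in <Directory %s>" % directory)
        rules.append((_norm(directory), req.group(1).lower()))
    return _norm(m.group(1)), rules


def decide(conf, request_path):
    """'granted' or 'denied' for a request path, following Apache's merge order."""
    docroot, rules = parse_vhost(conf)
    # Map the URL path onto the filesystem; normpath neutralises '..' segments,
    # so a traversal attempt ends up judged by the directory it really lands in.
    fs_path = _norm(posixpath.join(docroot, request_path.lstrip("/")))
    fs_dir = posixpath.dirname(fs_path)
    verdict = "denied"  # assumed server-wide default
    for directory, dir_verdict in sorted(rules, key=lambda r: r[0].count("/")):
        if fs_dir == directory or fs_dir.startswith(directory + "/"):
            verdict = dir_verdict  # later (longer) matches override earlier ones
    return verdict


def check_challenge_vhost(conf):
    """List problems with the vhost's shape; an empty list means it is as intended."""
    docroot, rules = parse_vhost(conf)
    wanted = posixpath.join(docroot, ".well-known/acme-challenge")
    problems = []
    if (docroot, "denied") not in rules:
        problems.append("DocumentRoot %s is not 'Require all denied'" % docroot)
    granted = [d for d, v in rules if v == "granted"]
    if granted != [wanted]:
        problems.append("expected exactly one granted directory %s, got %s" % (wanted, granted))
    return problems


if __name__ == "__main__":
    for path in ("/index.html", "/.well-known/acme-challenge/abc123",
                 "/.well-known/acme-challenge/../../index.html"):
        print("%-50s %s" % (path, decide(VHOST_CONF, path)))
    print("problems:", check_challenge_vhost(VHOST_CONF) or "none")
```

The traversal case is the one worth keeping in the check: because the request is normalised before the directory sections are matched, a URL that starts with the challenge prefix but climbs back out of it is judged by the directory it actually resolves to, which is DocumentRoot and therefore denied, exactly as Apache would do it.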


#10

Thank you very much. :heart_decoration:


#11

Good to read that you worked it out. Best way to learn things really. :slightly_smiling: