Can you create LE cert on Host A for Host B?


#1

Hello

Is it possible to create LE cert on one system (Host A) and then have the cert reside on another system (Host B)?

Host A has a Public IP address and is running Ubuntu Apache web server http & https

Host B has a Public IP address and is running Ubuntu mail server postfix / dovecot

There is no web server running on Host B and no public facing ports open other than those for mail services.

Thanks for your time.


#2

If you’re using DNS validation, it’s trivial–you can get the cert on any machine, and once obtained, deploy it to the desired host.

Another way to skin this cat would be to script something to open up port 80 on Host B, obtain/renew the cert using certbot or acme.sh in standalone mode, and then close that port again.


#3

Thanks for the fast reply.

Will look into DNS validation right away.

Over the past two days I have been scouring the web for posts on how to configure multiple certs for postfix. What I thought was going to be as simple as 1,2,3 has been more like postfix oh no not me.

Thanks again for the information.


#4

Hi @sneakers,

I’m not really sure if you already got the info but just in case… postfix doesn’t support SNI, that means you can’t use a cert covering domain1.tld, another cert covering domain2.tld, etc. but you can have 1 cert covering several domains (domain1.tld and domain2.tld and… etc.).

Cheers,
sahsanu


#5

Thanks for looking out. Kudos to you.

Found out yesterday that postfix does not support SNI, which is one of the reasons I am looking at LE for a multi-domain certificate to cover three domains.

Hope to have time today to try this out.


#6

Please note that for a mail server your certificate should cover only the domain names listed in MX records and the domains used for POP3/IMAP/SMTP access. It is not necessary for the certificate to contain all the domains that could follow the @ sign in the e-mails it receives.

Therefore DNS validation should only be necessary because you don’t want to open the ports required to use standalone mode, not just because your mail server is hosted separately from your main domain.


#7

Hello Patches

Correct. At this time I would like to keep those ports closed on Host B.

Would following be the correct method to create a multi-domain cert for my scenario?

certbot certonly --manual --preferred-challenges=dns -d smtp.domain1.tld -d imap.domain1.tld -d smtp.domain2.tld -d imap.domain2.tld -d smtp.domain3.tld -d imap.domain3.tld

Would I be correct to assume that I would need to do this every 90 days and update the DNS records accordingly?


#8

Yes, that command will work.

Yes, you must follow exactly the same procedure every 90 days (or less, to be safe, just in case something is not working as expected) but… is there no way to interact with your DNS provider using an API? It is a pain to do that manually every 60-90 days.


#9

sahsanu I would agree with you.

If the LE validation process is fast then maybe I should consider temporarily opening the http port during the process and closing it once validated. Just hate fixing what's not broken.

Would be interesting to see an imap/pop/smtp validation method implemented. Maybe even an automated email challenge validation.

Thanks again for your suggestions.


#10

Many administrators open their firewalls in certbot hooks so they’re open for a minimum amount of time:

sudo certbot --standalone --preferred-challenges=http --pre-hook 'ufw allow 80/tcp' --post-hook 'ufw delete allow 80/tcp' -d smtp.domain1.tld,imap.domain1.tld,[..]

This also allows renewals to happen automatically. Of course, this doesn’t work with external firewalls.

There is a validation method for SMTP and IMAP servers undergoing standardization at the IETF:

https://datatracker.ietf.org/doc/draft-ietf-acme-email-tls/

It will be some time before it is ready enough for Let’s Encrypt to consider implementing though.
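An added example, not code from this thread or from certbot, tying together the pattern from #2 (obtain the certificate on Host A, then deploy it to Host B) and the hook-driven automation from #10. It is a POSIX shell script with two helpers: build_domain_args turns the list of mail host names into the repeated -d options for one multi-name certificate (postfix has no SNI, so every name must be on the same cert), and stage_cert is the body of a certbot --deploy-hook on Host A that copies only fullchain.pem and privkey.pem into a staging directory with a 0600 key and verifies the copy before anything is pushed. The function names, the staging directory, the lineage path smtp.domain1.tld and the commented push/reload line are all assumptions; the demo uses constructed placeholder files, not real key material.

```shell
#!/bin/sh
# Added example, not from the thread: helper functions for the "obtain on Host A,
# deploy to Host B" pattern. Function names are this example's own.
set -eu

# Turn a list of host names into the repeated -d options certbot expects for one
# SAN certificate (postfix has no SNI, so every mail name goes on the same cert), e.g.
#   certbot certonly --manual --preferred-challenges=dns $(build_domain_args smtp.domain1.tld imap.domain1.tld)
build_domain_args() {
  out=""
  for name in "$@"; do
    out="${out:+$out }-d $name"
  done
  printf '%s' "$out"
}

# Stage a renewed certificate for transfer to the mail host.
#   $1  certbot lineage directory; in a --deploy-hook this is $RENEWED_LINEAGE,
#       e.g. /etc/letsencrypt/live/smtp.domain1.tld (assumed name)
#   $2  staging directory on Host A that is afterwards pushed to Host B
# Only fullchain.pem and privkey.pem are staged, the directory is 0700 and the
# key 0600, and both copies are compared byte-for-byte before returning success.
stage_cert() {
  lineage="$1"
  stage="$2"
  for f in fullchain.pem privkey.pem; do
    if [ ! -s "$lineage/$f" ]; then
      printf 'missing or empty %s\n' "$lineage/$f" >&2
      return 1
    fi
  done
  mkdir -p "$stage"
  chmod 700 "$stage"
  cp "$lineage/fullchain.pem" "$stage/fullchain.pem"
  cp "$lineage/privkey.pem" "$stage/privkey.pem"
  chmod 644 "$stage/fullchain.pem"
  chmod 600 "$stage/privkey.pem"
  cmp -s "$lineage/fullchain.pem" "$stage/fullchain.pem" || return 1
  cmp -s "$lineage/privkey.pem" "$stage/privkey.pem" || return 1
  # From here a real hook would push the two files and reload the daemons, e.g.
  #   scp "$stage"/*.pem root@hostb:/etc/ssl/mail/ && ssh root@hostb 'systemctl reload postfix dovecot'
  # (hostb and /etc/ssl/mail are assumed; adjust to your own setup).
}

# Permission bits of a staged file, so the hook can refuse to push a key that
# became readable by other users.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo with constructed placeholder files (not real key material) in a temp dir;
# prints the mode of the staged private key.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/live/smtp.domain1.tld"
  printf 'PLACEHOLDER CHAIN\n' > "$tmp/live/smtp.domain1.tld/fullchain.pem"
  printf 'PLACEHOLDER KEY\n' > "$tmp/live/smtp.domain1.tld/privkey.pem"
  stage_cert "$tmp/live/smtp.domain1.tld" "$tmp/stage"
  file_mode "$tmp/stage/privkey.pem"
  rm -rf "$tmp"
}
```

Wired up as `certbot renew --deploy-hook /usr/local/sbin/stage-and-push.sh` (script name assumed), the hook only fires on a successful renewal, so the push to Host B and the postfix/dovecot reload happen exactly when there is a new certificate, and a failed staging step (missing file, copy mismatch) stops the push instead of shipping a half-updated pair.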


#11

Think I’m heading in that direction.

danb35 thanks again for the suggestions.


#12

Patches thanks for the details.

