Certbot-auto is throwing an error when certificate is expanded to include mail server

My domain is:
forinstance.io

I ran this command:
sudo /usr/local/bin/certbot-auto --expand -d forinstance.io -d www.forinstance.io -d mail.forinstance.io

It produced this output (in log):
certbot.errors.MisconfigurationError: Could not automatically find a matching server block for mail.forinstance.io. Set the server_name directive to use the Nginx installer.

2020-05-03 22:36:50,311:DEBUG:certbot._internal.error_handler:Calling registered functions
2020-05-03 22:36:50,396:DEBUG:certbot._internal.reporter:Reporting to user: Unable to install the certificate
2020-05-03 22:36:50,397:DEBUG:certbot._internal.log:Exiting abnormally:

My web server is (include version):
nginx/1.18.0

The operating system my web server runs on is (include version):
centos-release-8.1-1.1911.0.9.el8.x86_64

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):
Yes, I'm using PuTTY.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.3.0

Additional Background:
This directive is from my nginx.conf file.

server_name forinstance.io www.forinstance.io;

I installed a certificate for forinstance.io and www.forinstance.io by using this command.

$ sudo /usr/local/bin/certbot-auto --nginx

The installer updated my nginx.conf file. I checked my cert on https://www.ssllabs.com/ssltest and received an A.

However, a few minutes later when I expanded my certificate to include the mail server it threw an error.

$ sudo /usr/local/bin/certbot-auto --expand -d forinstance.io -d www.forinstance.io -d mail.forinstance.io

I included the error from my letsencrypt.log above.

Question:
How do I get certbot-auto to expand my certificate to include the mail server without throwing an error?
If expanding the certificate is not the right choice, how do I get a second certificate with certbot-auto that doesn't conflict with the first?

I should add that the mailserver is hosted on Digital Ocean in the same droplet. I am using postfix and dovecot.

You will need to accept HTTP (or HTTPS ALPN) connections to that name (or use DNS authentication).
[just as you did with the first two names]

This is a choice you need to make - there is no "wrong" choice.

If the names do not overlap there will be no conflict.
[there is no conflict now - there just is no mail name to connect to via HTTP]

If you will NOT be using HTTP(S) to access the MAIL (via NGINX), then you might NOT want to create a "normal" vhost config for it (just to get a cert).
You can issue a separate command to get a separate cert for the MAIL name.
For that you can be "more restrictive" and can only use the certonly option (so that it doesn't try to modify your config nor create a matching HTTPS vhost config for it).
That said, you will still need to have some sort of vhost config to process the HTTP authentication requests for mail.forinstance.io
But it would be a greatly minimized vhost config.
Like just return 200 "nothing to see here" for all requests except the /.well-known/acme-challenge/ request. Those you can route to a uniquely specified path [like: /some/unique/path/for/mail/auths/only/ ]

That should get you the cert.
Using it with postfix and dovecot is a separate issue - kind of outside this forum, but you might search through for any similar past issues and helpful replies.

In short, it throws an error because you are trying to expand it with a name that doesn't exist in your config.

2 Likes
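A worked version of the stripped-down vhost described in the reply above, added here as an example and not taken from the thread or from Certbot's own documentation. The webroot path is the placeholder the reply used; the file location under /etc/nginx/conf.d/ is an assumption that depends on how your nginx.conf includes vhosts.

```nginx
# Added example: /etc/nginx/conf.d/mail.forinstance.io.conf (path assumed).
# A minimal HTTP-only server block for mail.forinstance.io whose only job is
# to answer ACME HTTP-01 challenge requests; nothing else is served here.
server {
    listen 80;
    listen [::]:80;
    server_name mail.forinstance.io;

    # Challenge files certbot writes into <webroot>/.well-known/acme-challenge/
    # are served from the unique path mentioned in the reply (placeholder).
    location ^~ /.well-known/acme-challenge/ {
        root /some/unique/path/for/mail/auths/only;
        default_type text/plain;
    }

    # Every other request gets a harmless 200 and no content from disk.
    location / {
        default_type text/plain;
        return 200 "nothing to see here";
    }
}

# After `sudo nginx -t && sudo nginx -s reload`, request a separate cert with
# certonly + webroot so certbot never edits the nginx config:
#   sudo /usr/local/bin/certbot-auto certonly --webroot \
#       -w /some/unique/path/for/mail/auths/only -d mail.forinstance.io
```

Create the webroot directory before running certbot so nginx can read the challenge files it writes there; the resulting cert and key under /etc/letsencrypt/live/mail.forinstance.io/ are what postfix and dovecot would then be pointed at.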

Thanks rg305.

But how do I do that?

This installs the original cert:

$ sudo /usr/local/bin/certbot-auto --nginx

This expands the cert with the error:

$ sudo /usr/local/bin/certbot-auto --expand -d forinstance.io -d www.forinstance.io -d mail.forinstance.io

What are the steps for this?
You will need to accept HTTP (or HTTPS ALPN) connections to that name (or use DNS authentication).

Did you read my post (completely) ?
[I’ve already tried answering these questions]

How did you create the first two vhosts?
Do you know how to configure NGINX ?

1 Like

Maybe this can shed some light…
Try:
nginx -T | grep server_name

[the problem is NOT about expanding - any issuance will fail for a name that isn't covered in the config]

So (for a second attempt at explaining/clarifying) the problem is…
That even though you want a cert to be used by POSTFIX and DOVECOT, the default method to issue certs is via HTTP authentication.
For that, you will need an HTTP site to respond to the authentication requests.

1 Like

Sorry I read it but I replied while I was still thinking. :woozy_face:

Ok I get it. A second certificate for the mail server is probably best especially since NGINX will not be involved with mail.

But this part I don't understand. Is there a page that explains this?

For that you can be "more restrictive" and can only use the certonly option (so that it doesn't try to modify your config nor create a matching HTTPS vhost config for it).
That said, you will still need to have some sort of vhost config to process the HTTP authentication requests for mail.forinstance.io
But it would be a greatly minimized vhost config.
Like just return 200 "nothing to see here" for all requests except the /.well-known/acme-challenge/ request. Those you can route to a uniquely specified path [like: /some/unique/path/for/mail/auths/only/ ]

Thank you so much!

1 Like

$ sudo nginx -T | grep server_name

Returns:

server_name forinstance.io www.forinstance.io;
return 301 https://$server_name$request_uri;
server_name forinstance.io www.forinstance.io;

So if I understand this correctly since the mail server isn't part of NGINX expanding the cert is confusing it. So second cert it is.

There is no page that I know of.
We typically deal with certs for HTTP sites (to make them HTTPS).

You need a cert for SMTPS or IMAPS or POP3S (something other than HTTP/S).
That creates a kind of "one-off" scenario.

I tried explaining (in geekish terms) how I would resolve that problem.
I do apologize if that wasn’t plain enough for you to read/understand.

Yes, there is no way to expand nor create a cert for a name that isn't covered:

There is no MAIL there.
And it typically would not need to be there.
But you now need a cert and HTTP is the default method to auth for one...
So, you may need to add a vhost config for the MAIL name [if only for getting the cert].

If you need help configuring the new stripped down vhost config for mail.forinstance.io, you can post here what you have so far and we can review it together.

Thanks rg305,

You need a cert for SMTPS or IMAPS or POP3S (something other than HTTP/S). That creates a kind of "one-off" scenario.

Now I wonder if I’m totally off base on what I need. :hushed:

My node.js app uses the mail server on port 587. I don’t normally work on servers so maybe I don’t understand something important.

Don’t I need a cert to make that work properly and securely? I thought mail servers commonly used certs for security. Or am I totally off base?

If certs are commonly used for mail servers isn’t there a set of common steps I can follow to implement that for my setup?

I wonder if maybe I don’t understand a key concept.

Yes. But it really doesn't have to be one that is signed by a CA.
But since they are FREE - what the heck.

Yes, but those steps wouldn't be found on this forum.

1 Like
