I have a high availability DNS name that is: smtp/imap.example.com, on this DNS name there are both hosts configured to answer, and both have records in DNS. Now I want to issue four different certificates for IMAP and SMTP that contain the following SANs:
Now because both hosts are in the DNS Records for smtp/imap.example.com the certbot works only randomly if the IP of the requesting host is chosen by the following command:
Is there a way to tell the Let's Encrypt server which IP out of the DNS records it should choose to contact, so that the right host for the smtp/imap.example.com SANs is being taken? I haven't found someone asking this already...
If you have a supported DNS provider, you might want to consider using the dns-01 challenge though.
Another option is to set up a "dedicated" host specific for ACME challenges (e.g. acme.example.com) and use one of your hosts specifically for that task. Then, redirect every request for the path /.well-known/acme-challenge/ on all the hosts to that hostname. The issue with that is that you'd need some mechanism to securely transfer the cert/private key from that specific host to the other host. I haven't seen a "one size fits all" script for something like that on e.g. GitHub, so you'd need to script something yourself. The advantage of this option is that you can combine all the hostnames into a single certificate.
Although this really doesn't go to the point of your question, it doesn't seem at all necessary to put IMAP and SMTP on separate certs--combining them into one would cut the number of certs in half.
You could do that too, but even if you wanted to preserve the name distinction between imap. and smtp., you could still put all four names (imap., imap-0., smtp., and smtp-0.) on a single cert. Then you're down to two certs--one for each host. But I do think Osiris' solution simplifies it further.
No, it's not a big problem as I'm the only mail user with a catchall on the domain. It would have been nice to have round robin load balancing hostnames for smtp and imap but not a mandatory requirement.
I don't have a real load balancer and I don't intend to set one up.
The solution is now to have both hosts configured in my Mail User Agent (MUA) and when the mail-0 host is gone I activate the second profile in my MUAs that is configured with mail-1 manually.
Thanks to everybody for the support! This thread can be closed.
If it's just 2 servers, you could set up the round robin again.
It's recommended to try to renew twice a day and Certbot starts trying to renew 30 days before expiry. So you have 60 renewal attempts before expiry. With round robin with just 2 IP addresses, you'd statistically have 30 attempts (60 / 2) before expiry per server. It would statistically be VERY unlikely the DNS resolver resolves to a single IP address 60 times in a row.
That said, Let's Encrypt uses validation from multiple vantage points: 1 primary in the USA and (currently I believe) 2 secondary at other locations in the world. I'm not sure if those 2 secondary vantage points resolve the hostname on their own, which obviously would change the whole statistics I mentioned above. Maybe @lestaff can elaborate about how the secondary vantage points resolve the hostname? Do they get an IP address to connect to from the primary? Or do they resolve it on their own?
(@mcpherrinm It seems I can't tag @lestaff according to Discourse any longer. At least it says "You cannot mention group @lestaff". Is that something new? Pinging you as you seem to be the most active staff member currently, sorry)
Okay, good idea. At the moment I run the renewal of my certs only once a week on Saturdays; I'll set the cronjob to be run twice a day, okay. Thanks for pointing that out.
Hm, that makes it difficult to validate the challenge when round robin is in effect. Statistically, the chances of getting all vantage points to connect to the same server are just 12.5 %.