Certbot with Subject Alternative Names and high availability

Hi everyone,

I have two server hosts that provide a mail domain example.com

These two hosts are for SMTP named smtp-0.example.com and smtp-1.example.com.
For IMAP they are named imap-0.example.com and imap-1.example.com respectively.

I have a high availability DNS name that is: smtp/imap.example.com, on this DNS name there are both hosts configured to answer, and both have records in DNS. Now I want to issue four different certificates for IMAP and SMTP that contain the following SANs:

On the first host:
smtp-0.example.com and smtp.example.com
imap-0.example.com and imap.example.com

On the second host:
smtp-1.example.com and smtp.example.com
imap-1.example.com and imap.example.com

Now because both hosts are in the DNS Records for smtp/imap.example.com the certbot works only randomly if the IP of the requesting host is chosen by the following command:

certbot certonly --agree-tos -m postmaster@example.com --cert-name imap-1.example.com -d imap-1.example.com,imap.example.com

Is there a way to tell the letsencrypt server which IP out of the DNS records it should chose to contact so that the right host for the smtp/imap.example.com SANs is being taken? I haven't found someone asking this already...

Nope, there isn't.

If you have a supported DNS provider, you might want to consider using the dns-01 challenge though.

Another option is to set up a "dedicated" host specific for ACME challenges (e.g. acme.example.com) and use one of your hosts specifically for that task. Then, redirect every request for the path /.well-known/acme-challenge/ on all the hosts to that hostname. The issue with that is that you'd need some mechanism to securely transfer the cert/private key from that specific host to the other host. I haven't seen a "one size fits all" script for something like that on e.g. Github, so you'd need to script something yourself. The advantage of this option is that you can combine all the hostnames into a single certificate.


Although this really doesn't go to the point of your question, it doesn't seem at all necessary to put IMAP and SMTP on separate certs--combining them into one would cut the number of certs in half.


Well that's true I could simply call a host mail-0.example.com, and the other mail-1.example.com, thanks for pointing that out!

1 Like

You could do that too, but even if you wanted to preserve the name distinction between imap. and smtp., you could still put all four names (imap., imap-0., smtp., and smtp-0.) on a single cert. Then you're down to two certs--one for each host. But I do think Osiris' solution simplifies it further.


One single "*.example.com" cert would also cover all six names:


I changed the certificates to be one per host and I removed the round robin DNS load balancing. It was a shitty solution.

On the first host:
certbot certonly --agree-tos -m postmaster@example.com --cert-name mail-0.example.com -d smtp-0.example.com,imap-0.example.com

On the second host:
certbot certonly --agree-tos -m postmaster@example.com --cert-name mail-1.example.com -d smtp-1.example.com,imap-1.example.com

Thanks to everybody for giving me this hint!

1 Like

But now the "generic" smtp.example.com and imap.example.com are not covered by the certificates? Is that a problem?


No, it's not a big problem as I'm the only mail user with a catchall on the domain. It would have been nice to have round robin load balancing hostnames for smtp and imap but not a mandatory requirement.

I don't have a real load balancer and I don't intend to set one up.

The solution is now to have both hosts configured in my Mail User Agent (MUA) and when the mail-0 host is gone I activate the second profile in my MUAs that is configured with mail-1 manually.

Thanks to everybody for the support! This thread can be closed.

1 Like

If it's just 2 servers, you could set up the round robin again.

It's recommended to try to renew twice a day and Certbot starts trying to renew 30 days before expiry. So you have 60 renewal attempts before expiry. With round robin with just 2 IP addresses, you'd statistically have 30 attempts (60 / 2) before expiry per server. It would statistically be VERY unlikely the DNS resolver resolves to a single IP address 60 times in a row.

That said, Let's Encrypt uses validation from multiple vantage points: 1 primary in the USA and (currently I believe) 2 secondary at other locations in the world. I'm not sure if those 2 secondary vantage points resolve the hostname on their own, which obviously would change the whole statistics I mentioned above. Maybe @lestaff can elaborate about how the secondary vantage points resolve the hostname? Do they get an IP address to connect to from the primary? Or do they resolve it on their own?

(@mcpherrinm It seems I can't tag @lestaff according to Discourse any longer. At least it says " You cannot mention group @lestaff". Is that something new? Pinging you as you seem to be the most active staff member currently, sorry :wink:)


Okay, good idea. At the moment I run the renewal of my certs only once a week on Saturdays, I'll set the cronjob to be run twice a day, okay. Thanks for pointing that out :slight_smile:


Please show the full command line you run.


Yes, they do DNS fully independently in each vantage


Hm, that makes it difficult to validate the challenge when round robin is in effect.. Statistically chances of getting all vantage points connect to the same server are just 12,5 %.


I didn't implement it yet, just thinking about this. It's not a mandatory requirement, like I said before.

Ok, then what are you thinking about running once a week?


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.