Certificate for email domain mail.mydomain.nl

Okay, I am trying to generate a certificate for my mail.mydomain.nl email (dovecot and postfix) server.

I took some time to find that the command ./letsencrypt certonly … does not work. Always use ./letsencrypt-auto certonly … .

I have access to my webserver as root and used the command:

/opt/letsencrypt# sudo ./letsencrypt-auto certonly --webroot -w /var/www/html/mydomain.nl -d mail.mydomain.nl

The response is:

Checking for new version…
Requesting root privileges to run letsencrypt…
/root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/html/mydomain.nl -d mail.mydomain.nl
Failed authorization procedure. mail.mydomain.nl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.mydomain.nl/.well-known/acme-challenge/0il40p8ufdlJ08H-6CX5-BJKcXdo7I-V-iUAQma2Fjo [46.xxx.xxx.xxx]: 404

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.mydomain.nl
    Type: unauthorized
    Detail: Invalid response from http://mail.mydomain.nl/.well-known
    /acme-challenge/0il40p8ufdlJ08H-6CX5-BJKcXdo7I-V-iUAQma2Fjo
    [46.xxx.xxx.xxx]: 404

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

Which is correct, because the domain mail.mydomain.nl is no webserver, but a mail server. A mail server has an MX record and no DNS A record.

So, now I am lost. The point of getting a certificate only is to use the certificate elsewhere, isn’t it? Is it possible to get a mail certificate at all? I am a little bit confused.

How can I get a certificate for mail.mydomain.nl?

To obtain a certificate you either need to use a webserver (in which case mail.mydomain.nl needs to respond on port 80, using your current webserver, or stopping it and using the built-in webserver in the letsencrypt client) or use the DNS challenge (whereby the challenge token is presented by DNS rather than HTTP). The current official client doesn’t support the DNS challenge yet, but the alternative clients do.

Not quite. You should have mydomain.nl IN MX 10 mail.mydomain.nl, i.e., the MX record for your "main" domain points to the A record of mail.mydomain.nl. And mail.mydomain.nl probably resolves to the same IP as www.mydomain.nl.

The question is: how is your webserver configured? What kind of VirtualHosts does it have? What happens when you point your browser to mail.mydomain.nl? Do you get the same website as www.mydomain.nl? Or some kind of error?

I created a certificate for my (postfix/dovecot) mail server using certonly and webroot authentication. However the same domains I use for mail also direct to my webserver.

Postfix accepts mail from darksteve.tk and mail.darksteve.tk. But port 80 and 443 goes to my landing page (darksteve.tk) and Roundcube (mail.darksteve.tk). Because I have an active webserver for those domains, webroot works.

However if you don’t have such a setup, you’ll have to use DNS or standalone mode to create the certs. But standalone requires you shutdown any running webserver to authenticate and the official client doesn’t yet support DNS!

I’d take a look at NeilPang’s acme.sh client and see if DNS authentication works for you.

Good luck!

So we have two options. Option 1: make a virtual server for mail.mydomain.nl and keep it running for the renewal of the certificate. Or make use of the built-in webserver. But what happens with renewal of the certificate in this case?

I am getting a certificate error. mail.mydomain.nl differs from www.mydomain.nl. After accepting the certificate the default website shows.

Can I conclude that the certificate of www.mydomain.nl prevents a ‘handshake’ with mail.mydomain.nl?

You could also make the mail.mydomain.nl virtualhost a reverse proxy to localhost on another port. Although Boulder will always try to connect to port 80 or 443 (depending on the challenge type), you can instruct the client in standalone mode to listen on another port. That way you don’t have to serve a complete page/site on mail.mydomain.nl (although you’d need to generate a virtualhost section) and renewal would work.

You would need to do the same as at creation. Shut down the main server, and use the standalone version for renewal. Hence personally I'd use the first method (a virtual server for mail.mydomain.nl, purely used for the .well-known/acme-challenge/token), which can then make everything automated (as can the DNS challenge method).
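As an added example (not posted by anyone in this thread), here is what the first method looks like as an Apache 2.4 virtual host: a host entry for mail.mydomain.nl whose only job is to serve http-01 challenge files from a webroot, so `./letsencrypt-auto certonly --webroot -w <webroot> -d mail.mydomain.nl` and later renewals keep working without the mail host turning into a second copy of www.mydomain.nl. The document root /var/www/acme/mail.mydomain.nl and the log file names are assumptions; pick whatever fits your layout.

```apache
# Added example, not from the original thread. Apache 2.4 virtual host for
# mail.mydomain.nl that serves nothing but ACME http-01 challenge files.
# The document root below is an assumption.
<VirtualHost *:80>
    ServerName mail.mydomain.nl
    DocumentRoot /var/www/acme/mail.mydomain.nl

    # The challenge directory must be readable by the CA's validation
    # server. Options None stops directory listings and CGI here.
    <Directory "/var/www/acme/mail.mydomain.nl/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Location sections are merged after Directory sections and in order of
    # appearance, so "/" is denied first and the challenge path is then
    # re-granted. Everything except the challenge path returns 403.
    <Location "/">
        Require all denied
    </Location>
    <Location "/.well-known/acme-challenge/">
        Require all granted
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/mail.mydomain.nl-error.log
    CustomLog ${APACHE_LOG_DIR}/mail.mydomain.nl-access.log combined
</VirtualHost>
```

Before running the client, check the path the CA will fetch by dropping a test file into the webroot (`mkdir -p /var/www/acme/mail.mydomain.nl/.well-known/acme-challenge && echo ok > /var/www/acme/mail.mydomain.nl/.well-known/acme-challenge/test`) and requesting http://mail.mydomain.nl/.well-known/acme-challenge/test from outside your network; a 404 at this point is the same 404 the validation server reported above, and it means the request is landing in a different virtual host (usually the default one). With the host entry in place, the command from the first post works unchanged apart from the `-w` path, and renewal uses the same webroot, so nothing has to be stopped.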

Can you give an example of the config of a virtual host in Apache2 with a reverse proxy? That makes it possible to comprehend what you are saying.
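As an added example (not posted by anyone in this thread), this is the reverse-proxy variant described two posts up: Apache keeps port 80 for mail.mydomain.nl, but forwards only the ACME challenge path to the letsencrypt client running in standalone mode on a local port. The backend port 8080 is an assumption; the client must be started on that port (in current certbot releases the option is `--http-01-port 8080`; check `./letsencrypt-auto --help all` for the spelling your release uses). The proxy modules are needed: `a2enmod proxy proxy_http`.

```apache
# Added example, not from the original thread. Apache 2.4 virtual host for
# mail.mydomain.nl that proxies only /.well-known/acme-challenge/ to a
# letsencrypt client listening in standalone mode on 127.0.0.1:8080
# (the port is an assumption). Requires mod_proxy and mod_proxy_http.
<VirtualHost *:80>
    ServerName mail.mydomain.nl

    # ProxyRequests Off is essential: a reverse proxy must never also act as
    # an open forward proxy that outsiders can relay requests through.
    ProxyRequests Off
    ProxyPreserveHost On

    # Forward the challenge path verbatim, so the token URL the CA requests
    # is the URL the standalone client expects to answer.
    ProxyPass        "/.well-known/acme-challenge/" "http://127.0.0.1:8080/.well-known/acme-challenge/"
    ProxyPassReverse "/.well-known/acme-challenge/" "http://127.0.0.1:8080/.well-known/acme-challenge/"

    # Nothing else is served or proxied on this hostname. Location access
    # control applies to proxied URLs too, so the two sections below are the
    # complete policy for this host.
    <Location "/">
        Require all denied
    </Location>
    <Location "/.well-known/acme-challenge/">
        Require all granted
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/mail.mydomain.nl-error.log
    CustomLog ${APACHE_LOG_DIR}/mail.mydomain.nl-access.log combined
</VirtualHost>
```

With this in place, issuance and renewal both run as `./letsencrypt-auto certonly --standalone --http-01-port 8080 -d mail.mydomain.nl` without stopping Apache, because the CA still connects to port 80 and Apache hands the request to the client. When no client is running, requests to the challenge path get a 502/503 from the proxy, which is harmless; everything else on the hostname gets 403. Compared with the webroot host entry, this variant has no directory on disk to keep readable, but it does mean the client's built-in server is reachable (via Apache) during every renewal run, so keep the backend bound to 127.0.0.1 only.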