I want to certify a mail server (running dovecot, postfix and MySQL) on my home network with a real domain (lampworx.co.uk) hosted on 123-reg with the MX record pointing to my server. However, it seems that certification applies to web servers only and I don’t currently run one on my server. Do I have to run a web server in order to authenticate the domain via ports 80 or 443?
Domain: oak.lampworx.co.uk
Type: connection
Detail: Error getting validation data
Failed authorization procedure. oak.lampworx.co.uk (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data
@dno - I'm unable to reach the IP your domain name resolves to over port 443. I checked the Let's Encrypt staging server's validation logs and it receives the same error I do:
$ curl https://oak.lampworx.co.uk:443
curl: (7) Failed to connect to oak.lampworx.co.uk port 443: No route to host
$ curl 217.32.145.4:443
curl: (7) Failed to connect to 217.32.145.4 port 443: No route to host
I should say that I have found a tool at https://mxtoolbox.com/ and it says my ip address (217.32.145.4) is blacklisted. I don’t know how this has happened since I only set the mail server up over the last couple of days.
I have had the following response from 123-reg’s mail server:
You’ll notice that the address that is blacklisted is not my ip address, but it belongs to BT.
The ‘delta101.co.uk’ is another domain of mine hosted on 123-reg’s server and that works fine.
If you go to spamhaus they say that BT operate a PBL and won’t send any email from an unauthorised server or a non btinternet.com email address. Could this be the problem?
The ‘lampworx.co.uk’ domain is parked on 123-reg’s servers and I have the MX record in their dns pointed to my server so they cannot block ports. However, BT are my service providers and I have raised the issue with them. That could take a while as it has been escalated beyond ‘a broadband fault’.
My smtp server points to the following: mySMTP_Server 192.168.1.222
and the following ports are mapped to that ip address:
Protocol   Port Range   Translate To
TCP        80           80
TCP        443          443
That might impact your ability to send email but it wouldn't explain why both myself and the validation authority are unable to reach your server on port 443.
Just to clarify that I am not running a web server of any description at the moment. Am I correct in thinking that certbot uses one on the fly for authentication purposes?
That’s correct, when you use the --standalone option (as you did), certbot uses its own temporary web server on the fly.
However, it might be worth temporarily installing a real web server on that machine and testing whether you can access it from outside your home network on port 443. If that works, certbot should work too.
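A pre-flight check that does the same test from the command line, as an added example (not code from this thread, from certbot or from Let's Encrypt): it resolves the hostname, flags DNS answers that can never be reached from the internet (RFC 1918 LAN ranges such as a home gateway, CGNAT, loopback, link-local), confirms that the public address you expect is actually in the answer, and then attempts a plain TCP connection to the ports the validation uses. Hostnames and addresses in the code are constructed placeholders; the port list and the non-public ranges are assumptions about what you want checked.

```python
"""Pre-flight check before running `certbot --standalone` for a hostname.

Added example; not code from this thread, from certbot or from Let's Encrypt.
It resolves the hostname, flags DNS answers that cannot be a public endpoint,
checks that the expected public address is in the answer, and then attempts
a TCP connection to the ports the CA will use. Addresses are placeholders.
"""
import ipaddress
import socket
import sys
from typing import List

# http-01 validation connects to port 80; the tls-sni-01 challenge used in
# the thread connected to 443. Both need to reach the certbot host.
VALIDATION_PORTS = (80, 443)

# Ranges that cannot be reached from the internet. A DNS record pointing at
# one of these is the mistake made in the thread (gateway address instead
# of the broadband address). Assumed list; extend as needed.
NON_PUBLIC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 LAN ranges
    "100.64.0.0/10",                                  # CGNAT (RFC 6598): ISP NAT, no inbound
    "127.0.0.0/8", "::1/128",                         # loopback
    "169.254.0.0/16", "fe80::/10",                    # link-local
    "fc00::/7",                                       # IPv6 unique-local
)]


def non_public_reason(raw: str) -> str:
    """Return the non-public range containing the address, or '' if none."""
    addr = ipaddress.ip_address(raw)
    for net in NON_PUBLIC_NETWORKS:
        if addr.version == net.version and addr in net:
            return str(net)
    return ""


def classify_addresses(resolved: List[str], expected_public_ip: str) -> List[str]:
    """Findings about the DNS answers for the hostname (empty list = looks fine).

    Pure function over already-resolved addresses so it can be exercised offline.
    """
    findings = []
    if not resolved:
        return ["no A/AAAA record: the CA has nothing to connect to"]
    for raw in resolved:
        net = non_public_reason(raw)
        if net:
            findings.append(f"{raw} is in non-public range {net}; the CA cannot reach it")
    answers = {ipaddress.ip_address(r) for r in resolved}
    if ipaddress.ip_address(expected_public_ip) not in answers:
        findings.append(f"expected public address {expected_public_ip} is not among the DNS answers {resolved}")
    return findings


def resolve(hostname: str) -> List[str]:
    """All A/AAAA answers for the hostname, as strings (empty if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Attempt a TCP connect and describe the outcome in validation terms."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout: filtered upstream or no port-forward rule on the router"
    except ConnectionRefusedError:
        return "refused: host reachable but nothing listening (fine until certbot starts)"
    except OSError as exc:  # e.g. 'No route to host', as seen in the thread
        return f"error: {exc.strerror or exc}"


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} HOSTNAME EXPECTED_PUBLIC_IP", file=sys.stderr)
        return 2
    hostname, expected = argv[1], argv[2]
    resolved = resolve(hostname)
    print(f"{hostname} resolves to: {resolved or 'nothing'}")
    findings = classify_addresses(resolved, expected)
    for finding in findings:
        print("  !", finding)
    # Connect to the name, not to the expected IP: that is what the CA does.
    for port in VALIDATION_PORTS:
        print(f"  tcp/{port}: {probe_port(hostname, port)}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 preflight.py mail.example.org 203.0.113.10` (both values are placeholders) from a machine outside your home network, for example over a phone tether: many home routers do not hairpin their own public address, so a connection test from inside the LAN can succeed while the CA still gets "No route to host". A DNS answer in a 192.168.x.x or 100.64.x.x range is reported before any port is probed, since no port-forward rule can fix that.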
Ok, I put my hands up and confess to being a complete twat. I failed to insert the correct ip address into the dns. I was using a gateway ip address instead of a broadband network address. Once I made the change certbot produced the certificate.
I’m still having problems with my ip address being blacklisted, but that’s one for BT.
May I piggyback my inquiry onto this one as the description closely fits my situation.
I’m using the Let’s Encrypt cPanel interface to add certificates. For one domain I host the email but the web site is handled elsewhere. I’ve got the DNS all set up with a specific “mail…” host address and an MX record to reference that. For web stuff the “www…” and unadorned domain name point to the remote host.
The difficulty I have is I cannot de-select the unadorned domain name, i.e. specify just the mail host, so Let’s Encrypt keeps failing certificate installation because it’s trying to verify using http to a host I do not control.
I presume if I was doing it all manually I could install just the mail host certificate and verify that but does anyone know if it is possible to achieve the same when using cPanel?
At the moment this is not possible unless you separate “mail.example.org” away from the “example.org” virtual host. For example, creating a subdomain in cPanel for “mail.example.org” will give it a dedicated virtual host, and then you can issue a certificate for it by itself.
The reason for this is due to a restriction in the way cPanel and Apache work.