Certs for Mailserver different from Webserver


#1

Hi, I’m new to letsencrypt and have a special setup:

I’m the owner of the domain example.com.
Under this name I run two servers:

a mailserver:
mail.example.com IN A 1.1.1.25

a webserver:
www.example.com IN A 1.1.1.80

On the webserver I successfully installed certbot.
I want to use the webserver to request a certificate for the mailserver, using the --webroot method (or manual --preferred-challenges http).
I want to get just the cert (certonly) and transfer it later, e.g. manually, to the mailserver.

Problem is:
the webroot plugin creates the challenge for mail.example.com in the webroot of www.example.com, and
the verification searches for the challenge on mail.example.com, which is running no webserver.

How to request a Certificate on behalf of the mailserver?

Thanks & Bye, Florian
P.S. requesting a cert for www.example.com on the webserver itself works fine.
P.P.S. I don’t want to run a webserver on mail.example.com (not even for a short time).


#2

Then you will not be able to obtain a cert in the way you’re trying to do it. When you’re using the http-01 validator, the Let’s Encrypt servers attempt to connect to http://$HOSTNAME/.well-known/acme-challenge for each $HOSTNAME you want on the certificate. If $HOSTNAME is not running a webserver, and you’re unable or unwilling to run one for even the short period of time necessary to obtain the cert, you won’t be able to use the http-01 validator (nor will you be able to use the TLS-SNI validator, as it also requires a running webserver on $HOSTNAME). You could run ‘certbot standalone’ on the mail server, which will fire up its own web server for the sole purpose of validating control over the hostname.

If you don’t want to use “certbot standalone” either, your best option is to use the DNS validation. This will require you to create a DNS TXT record with a specified value, which will need to be done each time you issue a certificate. To be practical, this method requires that your DNS host have an API through which you can automate changes to those records.
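To make the point of the reply concrete, here is an added example (not code from the thread, certbot or Let’s Encrypt) that models http-01 from the validator’s side per RFC 8555: for every hostname on the order it derives the URL the CA fetches on that very host and the body it expects there (the token plus the RFC 7638 thumbprint of the account key), then replays the opening post’s setup against a simulated set of web servers. The account key, the tokens and the hostnames’ served content are constructed sample values.

```python
"""ACME http-01 as seen from the validator's side (added example)."""
import base64
import hashlib
import json
from urllib.parse import urlsplit


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample RSA public JWK for the ACME account (not a real key).
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(256))),
}

# Constructed tokens: the CA issues one per identifier on the order.
SAMPLE_TOKENS = {
    "www.example.com": "tok-www-" + "A" * 32,
    "mail.example.com": "tok-mail-" + "B" * 32,
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, serialized without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the validator must find: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_plan(tokens: dict, jwk: dict) -> dict:
    """For every hostname on the order: the URL the CA fetches on that
    host itself, and the exact body it expects back."""
    return {
        host: {
            "url": f"http://{host}/.well-known/acme-challenge/{token}",
            "expected": key_authorization(token, jwk),
        }
        for host, token in tokens.items()
    }


def simulate_validation(plan: dict, served: dict) -> dict:
    """Replay the validator against 'served', a map of
    hostname -> {path: body} standing in for whatever web server answers
    on each hostname. A hostname with no entry runs no web server."""
    results = {}
    for host, step in plan.items():
        path = urlsplit(step["url"]).path
        body = served.get(host, {}).get(path)
        results[host] = body == step["expected"]
    return results


def thread_scenario() -> dict:
    """The setup from the opening post: certbot --webroot on www writes
    both challenge files under www's webroot; mail runs no web server."""
    plan = http01_plan(SAMPLE_TOKENS, SAMPLE_ACCOUNT_JWK)
    www_webroot = {
        f"/.well-known/acme-challenge/{tok}": key_authorization(tok, SAMPLE_ACCOUNT_JWK)
        for tok in SAMPLE_TOKENS.values()
    }
    served = {"www.example.com": www_webroot}  # nothing answers on mail
    return simulate_validation(plan, served)


if __name__ == "__main__":
    for host, ok in thread_scenario().items():
        print(f"{host}: {'valid' if ok else 'invalid'}")
```

The simulation shows why the file landing in www’s webroot does not help: the CA resolves and connects to mail.example.com for mail’s token, and the file sitting on www.example.com is never consulted.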


#3

Thanks for the explanation.
(DNS doesn’t work in my case because it has a static config and doesn’t allow dynamic updates.)

Is there no way to use the webserver (located in SAME domain as the mailserver) for the proof of Domain-ownership?

Commercial CAs accept a mail-confirmation to e.g. postmaster@example.com as proof of Domain-ownership (whole Domain) and issue certificates for any host in this domain.

Does letsencrypt provide a similar method?

Bye,
Florian


#4

My understanding is: letsencrypt provides domain-validated certificates (DV certs) but performs an FQDN validation for each host, right?

So I will bite the bullet and buy a true DV certificate … Sorry, I’m afraid.

Bye, Florian


#5

Hi @tslbai,

Then the only way is using the DNS challenge. It is recommended that your DNS server support some kind of API to allow you to automate the process, but you can do it manually… the problem is that you should do the same manual procedure every 90 days.

By the way, you said that you don’t want to use a webserver on your mail server, not even for a short time, but you don’t need to install/configure a web server: certbot has a standalone function that will act as a webserver just for the time the cert is being validated (usually less than a minute). You even have options to perform actions before the renewal (for example, execute a rule to allow connections to port 443 on your firewall…), and when the renewal ends you can close that port on your firewall again, reload your mail server so the new certificate is in use, etc.

Right, Let’s Encrypt must validate every one of the domains/subdomains.

I don’t know what true DV-Certificate means.

Good luck,
sahsanu
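The hook mechanism described in the reply above can be carried through to the step the opening post wanted to do by hand: getting the renewed files onto the mail server. The following is an added example, not code from the thread or from certbot: a deploy-hook script for an invocation along the lines of `certbot certonly --standalone -d mail.example.com --pre-hook '<open the port>' --post-hook '<close the port>' --deploy-hook /usr/local/sbin/install-mail-cert.py`, where the firewall commands are site-specific placeholders. What certbot provides is real: it runs the `--deploy-hook` program once per successfully renewed lineage and exports `RENEWED_LINEAGE` (that lineage’s live directory) and `RENEWED_DOMAINS` (space-separated names on the cert). The destination directory, the reload commands and the file modes are this example’s assumptions.

```python
#!/usr/bin/env python3
"""Deploy hook that installs a renewed certificate for the mail server.

Added example, not code from the thread or from certbot. RENEWED_LINEAGE
and RENEWED_DOMAINS are the environment variables certbot exports to a
--deploy-hook; everything else (destination, daemons, modes) is assumed.
"""
import os
import shutil
import stat
import subprocess
import sys
import tempfile

MAIL_HOSTNAME = "mail.example.com"            # from the thread
MAIL_TLS_DIR = "/etc/mail-tls"                # assumed destination
RELOAD_COMMANDS = (                           # assumed daemons
    ["systemctl", "reload", "postfix"],
    ["systemctl", "reload", "dovecot"],
)
# The chain is public; the private key must stay readable by root only.
FILES = (("fullchain.pem", 0o644), ("privkey.pem", 0o600))


def install_certificate(lineage_dir, dest_dir):
    """Copy fullchain.pem and privkey.pem from the lineage into dest_dir,
    tighten permissions on the staged copy, then swap it in atomically so
    the mail daemons never read a half-written file. Returns the mode each
    installed file actually has on disk."""
    os.makedirs(dest_dir, mode=0o750, exist_ok=True)
    modes = {}
    for name, mode in FILES:
        src = os.path.join(lineage_dir, name)   # certbot keeps a symlink here
        final = os.path.join(dest_dir, name)
        staged = final + ".new"
        shutil.copyfile(src, staged)            # copyfile follows the symlink
        os.chmod(staged, mode)
        os.replace(staged, final)               # atomic rename on POSIX
        modes[name] = stat.S_IMODE(os.stat(final).st_mode)
    return modes


def renewed_names(renewed_domains):
    """RENEWED_DOMAINS as certbot exports it: names separated by spaces."""
    return renewed_domains.split()


def selfcheck():
    """Exercise install_certificate on a constructed lineage in a temp dir
    and report what is worth verifying: modes, content, no leftovers."""
    with tempfile.TemporaryDirectory() as tmp:
        lineage = os.path.join(tmp, "live", MAIL_HOSTNAME)
        os.makedirs(lineage)
        for name, _ in FILES:
            with open(os.path.join(lineage, name), "w") as fh:
                fh.write(f"-----BEGIN CONSTRUCTED {name}-----\n")
        dest = os.path.join(tmp, "mail-tls")
        modes = install_certificate(lineage, dest)
        with open(os.path.join(dest, "privkey.pem")) as fh:
            key_copy = fh.read()
        leftovers = [n for n in os.listdir(dest) if n.endswith(".new")]
    return {"modes": modes, "key_copy": key_copy, "leftovers": leftovers}


def main():
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        print("RENEWED_LINEAGE unset: not run by certbot, running self-check")
        print(selfcheck())
        return 0
    if MAIL_HOSTNAME not in renewed_names(os.environ.get("RENEWED_DOMAINS", "")):
        return 0    # some other lineage renewed; nothing to do for mail
    install_certificate(lineage, MAIL_TLS_DIR)
    for cmd in RELOAD_COMMANDS:
        subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run without certbot’s variables the script only exercises itself in a temporary directory; under certbot it installs the files and reloads the daemons, and a non-zero exit from any reload surfaces in certbot’s output, which is the point of `check=True`.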


#6

The “problem” is the short validity period (90 days) of the certificates:
My servers are located behind a security gateway containing a firewall and router ACLs. To open ports for a short time in an automated way is difficult; manually it’s too much work.

So I’m searching for a webroot-based method where all web services are located on the webserver - exclusively.

In my opinion it is enough proof of domain ownership when I can present a challenge on a webserver in the same domain as the mailserver.
I think a strict FQDN validation is too much of a good thing.

bye
Florian


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.