Please fill out the fields below so we can help you better.
My domain is: ourcompany.be
I ran this command: none yet
It produced this output: none yet
My operating system is (include version): Windows 2012R2 / Linux Debian Jessie
My web server is (include version): TBD
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
–
Hi, I’m trying to find out if Let’s Encrypt is suitable for a few different purposes and if so, how I can best set it up.
We have several domain names (ourcompany.be, .nl, .com, .eu, .net, …), most of them are just used to point to our externally-hosted website.
We can add/change DNS records (A, TXT, SRV, CNAME) at the domain provider’s website (only manually, I think).
We have 1 public IP address at our main office.
There is a DNS entry for mail.ourcompany.be that points to our public IP.
I am wondering if I can use Let’s Encrypt certificates for these services:
- mailserver (internally, externally)
- time registration webservice
- field mobility platform services (externally)
In detail:
Our self-hosted mailserver is Kerio and runs on Windows 2012R2. Our employees can use Outlook (MAPI-alike via an Outlook-add-on called Kerio Outlook Connector), webmail or Thunderbird.
The mailserver supports self-signed certificates, which we have used until now. There are 3 certificates in use: mail.ourcompany.be (public), mailsrv.ourcompany.local and mailsrv (both private).
At the office, Outlook has been configured to connect to mailsrv, except for laptops which use mail.ourcompany.be
When at home, people can connect via their web browser to mail.ourcompany.be OR set up a VPN session first and connect to either of the 3 server names (most use mailsrv as that is the shortest). Either way, in both cases Firefox complains about the certificate because it is self-signed.
So: can I use LE to get decent certificates for our mailserver - for the public name (probably: yes) and for the private names (most likely: no?). I have read a bit about SAN on the certificates but I assume I cannot combine a public FQDN with a private hostname, or can I?
A possibility could be to use a LE certificate for the public FQDN and stick to self-signed certificates for the 2 internal names. I could teach our users to use the FQDN even when connecting through VPN, but I can’t deny them using the short name. I also need a certificate of some kind for it, otherwise free/busy info in Outlook stops working.
So, I am wondering if a Let’s Encrypt certificate is the way to go.
Additional info:
- I have no idea which webserver Kerio uses to serve its webmail: as far as I can tell it is not stock Apache or nginx, nor IIS. I doubt I can change the configuration here for verification challenges.
- both ports 80 and 443 are forwarded to the Kerio mailserver (as are the typical mail ports)
We also have a working time registration system which is web-based. That one is a Linux Debian Jessie, running lighttpd.
Employees can use it in 2 different ways.
- there are a few touchscreens in the office and factory running Firefox. Currently, all info is sent over http. Of course Firefox complains about this for the password fields.
- while in the office, employees can connect to http://timesrv. Identical to the touchscreens, Firefox complains about the password fields.
As far as I know, this application cannot generate self-signed certificates. That would at least add to the security, but still lead to complaints from Firefox.
Management would like the web interface to be publicly available for our employees. How we will do that is still undecided: https://somename.ourcompany.be:someport (management’s preferred option) or VPN connection and https://timserv.
Port 80 is already in use by the mailserver, so just a public name without a port won’t even work.
Is there anything LE can help me with in this scenario?
- if we use a public FQDN (probably yes), but even with a different port?
- if we go for VPN + LAN name (then this scenario is similar to the mailserver scenario above)
For our field engineers, another third party will provide an app (Android / iOS) which will connect to a yet-to-be installed webserver, probably based on Microsoft IIS and Biztalk.
Possible scenarios are:
- publicly available webserver, requires certificates. According to their helpdesk the app will not accept self-signed certificates.
- VPN-connection and http. No certificates needed.
So basically, we have 3 different scenarios where certificates may or may not be helpful, or even required.
Ideally, for the mailserver this should cover both the public and the private names.
For the other 2 services, since they only need to be available to our own users, I would prefer VPN + a LAN private name if possible; or a VPN + FQDN if necessary.
Thanks to everybody who made it to the end. I apologize for the long text but found it difficult to explain the whole thing, especially because I don’t know much about certificates.
Given these 3 cases, is that something where LE can be useful for us, or am I better off with another solution?
I’ve read a few things about the verification process. I can make changes to the DNS system at our domain name provider, but only manually.
I can set up a separate server (VM), Linux Debian or Windows 2012R2 and install Apache/nginx if that’s needed or helpful for the registration or renewal process.
Ports 80 and 443 are already taken, though.
Thanks,
Máximo
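A small added check, not part of the post above, that sorts the names mentioned in it into those a publicly trusted CA such as Let's Encrypt can validate and those it cannot (the .local name and bare hostnames are internal names, which public CAs are not permitted to issue for), and lists the _acme-challenge TXT records a manual DNS-01 validation would need for the public ones; the reserved suffixes beyond .local and the hostname "timesrv" as a candidate are assumptions.

```python
"""Classify the hostnames from the post by whether a public CA can issue for
them, and list the DNS-01 TXT records a manual validation would require.
Added example: hostnames are the ones named in the post; the rule applied is
the general one that public CAs may not issue for internal names."""
import re

# Constructed from the post: names the poster wants certificates for.
WANTED_NAMES = ["mail.ourcompany.be", "mailsrv.ourcompany.local", "mailsrv", "timesrv"]

# .local is reserved for mDNS (RFC 6762); the other suffixes are common private
# choices and are listed here as an assumption, not as an authoritative list.
RESERVED_SUFFIXES = (".local", ".internal", ".lan", ".home", ".corp")

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_public_name(host: str) -> bool:
    """True if host is a fully qualified name under a public TLD, i.e. the kind
    of name a public CA is allowed to validate. Single-label names and names
    under a reserved suffix are internal names and are rejected."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return False  # bare hostname such as "mailsrv": internal only
    if host.endswith(RESERVED_SUFFIXES):
        return False  # e.g. mailsrv.ourcompany.local
    return all(LABEL_RE.match(label) for label in labels)


def split_names(names):
    """Return (public, internal); only the public ones can share one LE cert."""
    public = [n for n in names if is_public_name(n)]
    internal = [n for n in names if not is_public_name(n)]
    return public, internal


def dns01_records(names):
    """DNS-01 needs a TXT record _acme-challenge.<name> per name; the value is
    produced by the ACME client at issuance time, so a placeholder is shown."""
    return {f"_acme-challenge.{n}": "<token-from-acme-client>" for n in names}


if __name__ == "__main__":
    public, internal = split_names(WANTED_NAMES)
    print("eligible for a public certificate:", public)
    print("internal names (self-signed or private CA only):", internal)
    for record, value in dns01_records(public).items():
        print(f"TXT {record} {value}")
```

Because the DNS-01 challenge is validated through DNS rather than over port 80 or 443, it does not depend on the ports already forwarded to the mailserver.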