My web server is (include version): nginx 1.10.3-1
The operating system my web server runs on is (include version): debian stretch kernel 4.3
My hosting provider, if applicable, is: myself (a google cloud computer)
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): none
I’m attempting to create an ssl certificate for use on my mailserver which is at mail.felinesoulsystems.com. I’d like to have one certificate for postfix and courier (I’m aware that I need to cat the keys together for courier). Looking at this Configure courier-imap that’s great info, but it doesn’t tell me how to create the certificates using certbot.
How do I tell certbot to create a certificate for mail.felinesoulsystems.com that is not directly related to a webserver and that webserver files don’t need to be altered? I just want to create certificates in /etc/letsencrypt/live/mail.felinesoulsystems.com.
With some help on irc and some reading on my own, I came up with
sudo certbot certonly --standalone -d mail.felinesoulsystems.com --pre-hook "service nginx stop" --post-hook "service nginx start"
That worked like a charm. Hopefully, I won’t get angry calls from clients in the morning for my web server being down for 2 seconds.
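The "cat the keys together for courier" step from the question, as an added example that is not part of the thread: a small deploy-hook script that builds courier's single PEM file from the certbot lineage without ever leaving the private key world-readable, and replaces the old file atomically. It assumes the standard /etc/letsencrypt/live/<name>/ layout and a certbot new enough to run --deploy-hook scripts with RENEWED_LINEAGE exported; the courier path and service name are placeholders for your own setup.

```shell
#!/bin/sh
# Example deploy hook (not from the thread): combine privkey.pem and
# fullchain.pem into the one PEM file courier-imap expects.
# Assumed layout: <lineage>/privkey.pem and <lineage>/fullchain.pem,
# as certbot writes under /etc/letsencrypt/live/<name>/.

build_courier_pem() {
  lineage="$1"   # e.g. /etc/letsencrypt/live/mail.felinesoulsystems.com
  out="$2"       # e.g. /etc/courier/imapd.pem (placeholder path)
  key="$lineage/privkey.pem"
  chain="$lineage/fullchain.pem"

  # Both inputs must exist before we touch the live file.
  [ -r "$key" ] && [ -r "$chain" ] || return 1
  # Sanity check: refuse to install something that is not a PEM private key.
  grep -q 'PRIVATE KEY-----' "$key" || return 2

  # Write to a temp file created with mode 0600 from the start (umask 077),
  # so the key is never readable by other users, then rename into place.
  tmp="$out.tmp.$$"
  old_umask=$(umask)
  umask 077
  cat "$key" "$chain" > "$tmp" || { rm -f "$tmp"; umask "$old_umask"; return 3; }
  umask "$old_umask"
  chmod 600 "$tmp"
  mv -f "$tmp" "$out"
}

# When certbot runs this as a deploy hook it exports RENEWED_LINEAGE;
# only then do we rebuild the file and restart the (placeholder) service.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  build_courier_pem "$RENEWED_LINEAGE" /etc/courier/imapd.pem \
    && service courier-imap-ssl restart
fi
```

Point certbot at it with --deploy-hook /path/to/this/script (or drop it in /etc/letsencrypt/renewal-hooks/deploy/) so it runs after every successful renewal, not just the first issuance.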
But you can use your webserver to create the certificate. If the A record points to www.felinesoulsystems.com and if you know the webroot, then you may use this with certonly directly.
With --standalone, the hooks would be necessary if the existing nginx server is already listening on port 80.
The trouble is that the form --nginx (rather than nginx) will only work if you already have an nginx server block referring to mail.felinesoulsystems.com, which might not be the case if you don't serve web pages related to that name but only use an IMAP server to provide e-mail service.
However, I think your suggestion would work well as the variant
sudo certbot certonly -a nginx -d mail.felinesoulsystems.com
which should be able to use the existing nginx server to obtain the certificate as long as the DNS record is pointed at the same machine, regardless of whether there is an existing related nginx server block.
It's also possible that there's no specific server block related to the mail name and that there's no webroot in the default server (although maybe there is one!). For example, the default server might potentially just serve an error, a blanket redirect, or proxy_pass to something else.