Hi Friends,
I would like to understand, as well as possible, whether it could be complex to handle different IP addresses and VPSes for the web and mail servers, possibly using certbot, which I know a little.
I specify that on the mail server I can start a web server instance when requested.
Do you have a specific question? In my opinion “I would like to understand …” is too generic a question. And answers might depend on the situation. For example, would you like to use a single wildcard certificate? Or are there multiple domains in question? All kinds of stuff you don’t mention.
You're right I should clarify!
The situation is the following:
I would like to use two VPSes, with two different IP addresses and two FQDNs.
On the first VPS, IP 1.2.3.4, the web server with the DNS domain name example.com.
On the second VPS, IP 1.2.3.5, the mail server with the DNS MX domain mail.example.com and the DNS SMTP entry smtp.example.com.
And so on for each new domain I will add in the future: example.net, example.org, etc.
I don't know for now, this system is virgin and I will have to build it from scratch.
The only thing is that I would like to keep the web services separate from the mail ones, and that is why I need to keep two servers. So I need your suggestion for the simplest situation.
Complications are always possible. For example, if your second certbot somehow is misconfigured and hits the "max certs per domain" rate limit, your properly working certbot on your first server wouldn't be able to get certificates for that same domain either. Fortunately, a misconfigured client would hit the "max certs per set of hostnames" first, but hey, everything is possible.
As far as I know, it shouldn't really matter if your second certbot has another account.
Accounts are automatically created by certbot. They are essentially key pairs and you possess the private key for the account. Certificates are issued under an account, you can make as many as you want (subject to some rate limits but you are unlikely to hit them). They are also used for caching authorization and revoking certificates.
Yes. It's possible (trivial, even) to have multiple instances of different ACME clients on different machines (real or virtual), with different subdomains under the same domain. The only limitation would be that each of those machines needs to be able to complete the validation challenge on its own, so if you're using HTTP validation (which is probably the most common), they need to either be running a web server already, or be able to have certbot spin one up (which means that port 80 needs to be open).
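An added example, not from any of the posters: one small script copied to both VPSes, where ROLE selects this machine's hostnames and the HTTP-01 method it can complete by itself (webroot on the web VPS, certbot's standalone listener on the mail VPS, which needs port 80 free). It rehearses each request against the staging CA with --dry-run before the real issuance, so a misconfigured server fails locally instead of eating into the rate limits shared with the other VPS. The webroot path, the nginx/postfix/dovecot service names and the fake_certbot stand-in are assumptions.

```shell
#!/bin/sh
# certbot_args ROLE: print the certonly arguments this server should use.
# Each VPS asks only for the names it can answer the challenge for; each
# VPS also gets its own ACME account automatically on first run, which is
# fine. Webroot path and service names are assumptions for this example.
certbot_args() {
  case "$1" in
    web)
      printf '%s' "certonly --webroot -w /var/www/html -d example.com --deploy-hook 'systemctl reload nginx'"
      ;;
    mail)
      # no web server here: certbot listens on port 80 itself, so the port must be open and free
      printf '%s' "certonly --standalone -d mail.example.com -d smtp.example.com --deploy-hook 'systemctl reload postfix dovecot'"
      ;;
    *)
      echo "unknown role: $1" >&2
      return 1
      ;;
  esac
}

# issue ROLE: first a --dry-run against the staging CA (does not count toward
# production rate limits); only if that succeeds, request the real certificate.
# CERTBOT may be overridden (e.g. with a fake function) for testing.
issue() {
  role=$1
  args=$(certbot_args "$role") || return 1
  eval "${CERTBOT:-certbot} $args --dry-run" || return 1
  eval "${CERTBOT:-certbot} $args"
}
```

Run it as `ROLE=mail; issue "$ROLE"` from cron or a systemd timer; certbot's own renew timer then takes over for renewals.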