Godaddy Web but want to host email on my own Citadel Server

I have a number of web sites hosted on my own server, but GoDaddy is the domain provider and DNS for my domain points to GoDaddy, not my server. They actually use a wrapper to wrap my site. In other words, in my GoDaddy setup, I have them forward requests to my personal server. When they do this, they have my site wrapped in an iframe generated on their own site.

I have a Citadel email server installed on my server as well.

Recently, GoDaddy re-assigned my email to Microsoft, which I don't want, but for now, I have no choice. I want to send all email requests to my Citadel server, where I need the certificate to be generated. That is, my web site is essentially brochure-ware, but my main goal, right now, is to get my email self-hosted on my Citadel server.

My domain is: javajoemorgan.com

I ran this command: certbot certonly -d javajoemorgan.com -d mail.javajoemorgan.com
(after this, I really didn't know what to do). I selected '1' for apache server.

It produced this output:

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Requesting a certificate for javajoemorgan.com and mail.javajoemorgan.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: mail.javajoemorgan.com
Type: connection
Detail: 173.201.193.97: Fetching http://mail.javajoemorgan.com/.well-known/acme-challenge/mcBjkG5Ye67hNCeXT5DFLQyLXXocKoOzvO_aF2zHnro: Timeout during connect (likely firewall problem)

Domain: javajoemorgan.com
Type: unauthorized
Detail: 3.33.152.147: Invalid response from http://javajoemorgan.com/.well-known/acme-challenge/cxxO6LSsV8rsnNj3AZ_Wv2uEgI2F8unD-2KJlTPfyhc: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.0.4

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.29.0

1 Like

Hi @josephmmorgan, and welcome to the LE community forum :slight_smile:

You won't be able to use HTTP authentication to validate FQDNs that don't resolve to the IP of your Citadel server.
Note:

Name:      javajoemorgan.com
Addresses: 15.197.142.173
           3.33.152.147

Name:      pop.us-phx.vox.secureserver.net
Addresses: 72.167.218.138
           97.74.135.10
           97.74.135.143
           173.201.192.129
           173.201.192.158
           173.201.193.97
           173.201.193.240
           68.178.252.117
Aliases:   mail.javajoemorgan.com
           pop.secureserver.net
           pop.vox.secureserver.net

From your Citadel server, please show the output of:
curl -4 ifconfig.co

5 Likes

A likely practical consequence of this (totally correct) observation is that you'll probably need to do one of

  • get more active cooperation and support from GoDaddy in this process
  • exercise more manual control over your domain's DNS records than you currently do, or
  • host your DNS service somewhere else (which you can still likely do even if GoDaddy is your DNS registrar)

It would probably be helpful if you could map out exactly how you would like all of your hosting to work ideally (DNS registrar, DNS hosting, web hosting, e-mail service...). That might help for suggesting options about how best to automate the certificate issuance process.

Right now, it seems like GoDaddy's defaults are most likely making this process somewhat difficult and cumbersome!

5 Likes

So, if I understand, as rg305 is alluding to, I need to repoint my DNS at GoDaddy to my public IP, and open up my firewalls for Citadel's email port. I already have web site ports open (80 & 443).
Once I do that, I should give it another try.

I suspect the question is: Certbot will check the DNS of the requested FQDN. How do I get it to use the same cert for both Apache and Citadel, or should I just use separate ones, one for "javajoemorgan.com" and another for "email.javajoemorgan.com"?

How will Certbot know where to put them if separate?

You could even use a new FQDN (like: mx.javajoemorgan.com).
That way you can build your Citadel use before switching to it.

Each system/server should use its own ACME client and obtain a cert for its own FQDN(s).

2 Likes

That's a good idea.

OK, but, my server is a huge physical server I got dirt cheap because some company dumped it most likely for virtuals. I'm using like 5% of its capability running a number of virtuals, Apache, Citadel and other things. I suspect if I run certbot for, say, the sites running under Apache, and then run it again for the mail under Citadel, would certbot find it if Citadel is not listening on 80?

I didn't see a way to override the port on which certbot checks. Is it hard-coded to 80 only? If so, can I add "-d mail.javajoemorgan.com" (or mx.javajoemorgan.com as suggested) to the request, even if certbot does not find that on port 80 within Apache?

Not likely.
Wherever/whatever listens on port 80 is where you would need to run certbot.
From there you may have to "share" the cert(s) to whatever systems would use them.

Yes, only 80 [for HTTP authentication].

3 Likes
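Two points in this thread decide whether HTTP-01 validation can succeed at all: rg305's note that each FQDN must resolve to the IP of the machine running the ACME client, and the later answer that the CA only ever connects on port 80. The preflight script below is an added example written for this thread; it is not Certbot's code and not from any poster. It resolves each name you intend to pass with `-d`, compares the A records against the host's public IPv4 (using the same `curl -4 ifconfig.co` lookup rg305 asked for), and confirms something is listening on TCP/80, so a mismatch like the `mail.javajoemorgan.com -> pop.secureserver.net` alias above is caught before Certbot burns a rate-limited attempt. It assumes `dig`, `curl` and `ss` are installed (all present on a stock Ubuntu 20.04 host); the hostnames and addresses in the usage line are placeholders.

```shell
#!/bin/sh
# ACME HTTP-01 preflight (added example, not part of Certbot or this thread).
# Run on the host where certbot will run, naming every FQDN you plan to put
# behind "-d". Assumes dig, curl and ss are available.

# A records of an FQDN, one IPv4 per line (empty output if none).
resolve_ipv4() {
    dig +short A "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# This host's public IPv4, the same lookup rg305 asked for above.
public_ipv4() {
    curl -4 -s https://ifconfig.co
}

# fqdn_points_here FQDN PUBLIC_IP "IP1<newline>IP2..."
# Returns 0 when PUBLIC_IP is among the resolved addresses, 1 otherwise.
# The resolved list is a parameter so the decision is testable without DNS.
fqdn_points_here() {
    fqdn=$1
    public_ip=$2
    resolved=$3
    if [ -z "$resolved" ]; then
        echo "FAIL  $fqdn: no A record, the CA has nowhere to connect" >&2
        return 1
    fi
    if printf '%s\n' "$resolved" | grep -qxF "$public_ip"; then
        echo "OK    $fqdn -> $public_ip" >&2
        return 0
    fi
    echo "FAIL  $fqdn resolves to $(printf '%s' "$resolved" | tr '\n' ' ')not $public_ip" >&2
    return 1
}

# HTTP-01 is fetched over TCP/80 only; confirm a listener exists here.
port80_listening() {
    ss -Hltn '( sport = :80 )' | grep -q .
}

main() {
    me=$(public_ipv4) || { echo "could not determine public IP" >&2; return 2; }
    rc=0
    for host in "$@"; do
        fqdn_points_here "$host" "$me" "$(resolve_ipv4 "$host")" || rc=1
    done
    port80_listening || { echo "FAIL  nothing listens on TCP/80 on this host" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "preflight passed: certbot -d for these names can be validated here" >&2
    return "$rc"
}

# Usage (placeholder names): sh acme-preflight.sh example.test mail.example.test
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

A name that passes this check but still times out during the real run points at a firewall or NAT rule in front of port 80 rather than at DNS, which is the distinction the two errors in the original output (`Timeout during connect` versus `404`) already hint at.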

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.