Help with multiple servers using different host services on the same domain

Fellow Certbot/Let’s Encrypt Users,

Please assist–

I am migrating a single KVM RHEL 6 combined email/web server running a LAMP stack to two KVMs; one for email and one for web hosting. The problem I am encountering is in my attempted use of Certbot and Let's Encrypt. As I understand it, the process seeks http-served temporary files from domain.com/www.domain.com to validate the system requesting a cert.

As my intention is to have domain.com and www.domain.com on one KVM at IP x and pop.domain.com, smtp.domain.com, and imap.domain.com on the other KVM with IP Y, I must use a different approach because the mail KVM will not host any web files to facilitate the initial validation. I am not sure if this is also required at auto-renewal.

My initial research indicates that plugins exist for certain DNS providers. I use dnsmadeeasy and such a plugin exists, though the means for its acquisition is only vaguely alluded to in the docs.

I need to find a way to establish and automate renewals within the topology described.

Can anyone provide a best-practices pragma for my use case?

Thanks in advance,

JP

Yes, it is.

However, you don't necessarily need to run a permanent web server. You can use Certbot in standalone mode (certbot certonly --standalone) which will spin up a temporary web server to respond to the challenges during issuance and renewal.

The problem here is that you're using RHEL 6. Here's what the documentation says:

Installing DNS plugins

Certbot's DNS plugins are not available for your OS yet. These plugins can be used to automate obtaining a wildcard certificate from Let's Encrypt's ACMEv2 server. This should change soon but if you don't want to wait, you can use these plugins now by running Certbot in Docker instead of using the instructions on this page.

So I guess you could try Docker if the standalone option doesn't work for you.

To clarify, it requests files from whatever domain name(s) you're trying to validate. So if you want a certificate for pop.example.com and imap.example.com, it will make HTTP requests to pop.example.com and imap.example.com. It doesn't connect specifically to example.com and www.example.com unless those are the names on the certificate request.

The RHEL 6 instance is being retired and is not part of the Certbot/Let's Encrypt deployment.

JP

This is only a partial answer. As I mentioned, I have no plans to enable Apache on the KVM Mail Server. You mentioned the possibility of “standalone” execution, but I am not familiar with the pragmas and the needed config for auto-renewal (is it just a cron job?).

JP

To clarify, the KVM host and the two new KVMs all run up-to-date RHEL 7.

JP

Ah. In that case you should install certbot from EPEL. The instructions are here:

https://certbot.eff.org/lets-encrypt/centosrhel7-other

Just skip the bit about webroot since you're not using a web server.

Yes, a cron job running certbot renew as root, twice a day, preferably not exactly on the hour. That renews all certificates that are due for renewal (i.e. 30 days from expiry), using the same method that was used to obtain them in the first place. So if you got a cert with the standalone method, it will be renewed using that method as well. (Some OS packages set up this cron job for you, but I don't know if the one in EPEL does or not).
