I am migrating a single KVM RHEL 6 combined email/web server running a LAMP stack to two KVMs; one for email and one for web hosting. The problem I am encountering is in my attempted use of Certbot and Let's Encrypt. As I understand it, the process seeks http-served temporary files from domain.com/www.domain.com to validate the system requesting a cert.
As my intention is to have domain.com and www.domain.com on one KVM at IP X and pop.domain.com, smtp.domain.com, and imap.domain.com on the other KVM with IP Y, I must use a different approach because the mail KVM will not host any web files to facilitate the initial validation. I am not sure if this is also required at auto-renewal.
My initial research indicates that plugins exist for certain DNS providers. I use dnsmadeeasy and such a plugin exists, though the means for its acquisition is only vaguely alluded to in the docs.
I need to find a way to establish and automate renewals within the topology described.
Can anyone provide a best-practices pragma for my use case?
However, you don't necessarily need to run a permanent web server. You can use Certbot in standalone mode (certbot certonly --standalone) which will spin up a temporary web server to respond to the challenges during issuance and renewal.
The problem here is that you're using RHEL 6. Here's what the documentation says:
Installing DNS plugins
Certbot's DNS plugins are not available for your OS yet. These plugins can be used to automate obtaining a wildcard certificate from Let's Encrypt's ACMEv2 server. This should change soon but if you don't want to wait, you can use these plugins now by running Certbot in Docker instead of using the instructions on this page.
So I guess you could try Docker if the standalone option doesn't work for you.
This is only a partial answer. As I mentioned, I have no plans to enable Apache on the KVM Mail Server. You mentioned the possibility of “standalone” execution, but I am not familiar with the pragmas and the needed config for auto-renewal (is it just a cron job?).
Just skip the bit about webroot since you're not using a web server.
Yes, a cron job running certbot renew as root, twice a day, preferably not exactly on the hour. That renews all certificates that are due for renewal (i.e. 30 days from expiry), using the same method that was used to obtain them in the first place. So if you got a cert with the standalone method, it will be renewed using that method as well. (Some OS packages set up this cron job for you, but I don't know if the one in EPEL does or not).
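A renewal wrapper for the mail KVM, as an added example that is not from this thread or from the Certbot project: it checks that nothing else holds port 80 (standalone mode binds it itself, so a later web daemon on that host would silently break renewals), runs certbot renew, and reloads the mail daemons only when a certificate was actually replaced. It assumes the mail daemons are postfix and dovecot (the thread names neither) and the SysV `service` command of RHEL 6.

```shell
#!/bin/sh
# Added example, not from the thread. Renewal wrapper for a mail-only host whose
# certificate was first obtained with the standalone authenticator, e.g.:
#   certbot certonly --standalone -d pop.example.com -d smtp.example.com -d imap.example.com
# "certbot renew" reuses that authenticator, so nothing else needs to be specified.
# Assumptions: postfix + dovecot (hypothetical choice), SysV "service" as on RHEL 6.

CERTBOT="${CERTBOT:-certbot}"   # overridable so the wrapper can be exercised without certbot

# Standalone mode needs to bind port 80 itself; bail out early if something else holds it,
# otherwise the renewal fails on every cron run until the cert finally expires.
port80_free() {
    if command -v ss >/dev/null 2>&1; then
        ! ss -ltn 2>/dev/null | grep -q ':80[[:space:]]'
    elif command -v netstat >/dev/null 2>&1; then
        ! netstat -ltn 2>/dev/null | grep -q ':80[[:space:]]'
    else
        return 0   # cannot tell; assume free and let certbot report any bind error
    fi
}

# Renew whatever is due. --deploy-hook runs only when a certificate was actually
# replaced, so the mail daemons pick up the new key/cert without pointless reloads.
renew_mail_certs() {
    port80_free || { echo "port 80 is in use; standalone renewal would fail" >&2; return 2; }
    "$CERTBOT" renew --quiet \
        --deploy-hook 'service postfix reload && service dovecot reload'
}

# Root crontab line: twice a day, deliberately off the hour, as the answer above suggests.
# Assumes this script is installed as /usr/local/sbin/renew-mail-certs.sh.
cron_entry() {
    printf '%s\n' '17 3,15 * * * /usr/local/sbin/renew-mail-certs.sh run'
}

# Only act when invoked with "run" (as in the cron line); sourcing just defines functions.
if [ "${1-}" = "run" ]; then
    renew_mail_certs
fi
```

Install the cron line with `crontab -e` as root; `certbot renew --dry-run` (with the same hook) is the safe way to verify the wrapper before relying on it.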