How to create certificate only for email server, DNS hosted on Cloudflare


#1

Hi all, please point me to how to create an SSL certificate to use only on a mail server (no web server present).
The DNS is hosted on Cloudflare; the Certbot DNS request returned with the “shielded” IP address, not with the real one.
Please help with your advice.

My operating system is (include version): Debian 8 x64

My web server is (include version): NO WEB SERVER

My hosting provider, if applicable, is: VPS

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO PANEL

Thank you.


#2

The easiest way currently is probably to use one of the alternate clients. The Bash and Go clients support obtaining a certificate via Cloudflare DNS. I don’t think the scripting module for certbot is 100% there yet.

The DNS request shouldn’t need the IP address if you are using the DNS challenge, so I would need more information on your domain name, and the exact command you ran, to debug that.


#3

If you’re running a publicly accessible mail server, Cloudflare can’t be proxying it. They don’t support proxying mail. It has to be a gray cloud hostname.

In that case, you can also use certbot in standalone mode with (its default) TLS-SNI validation. Though there’s nothing wrong with using another client with DNS validation.
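A quick way to confirm the gray-cloud point before choosing standalone validation: if the mail hostname's A records fall inside Cloudflare's published edge ranges, the name is being proxied and neither SMTP nor an inbound HTTP/TLS challenge will reach the origin. This is an added example, not code from the thread; the IPv4 range list is reproduced from memory of https://www.cloudflare.com/ips-v4 and should be refreshed from that URL before use, and the DNS answers in `SAMPLE_DNS` are constructed so the script runs offline.

```python
"""
Added example (not from the thread): classify a hostname as Cloudflare-proxied
("orange cloud") or pointing straight at the origin ("gray cloud") from its
A records. Only IPv4 is covered; Cloudflare also publishes IPv6 ranges.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Cloudflare edge ranges as remembered from https://www.cloudflare.com/ips-v4.
# Assumption to verify: the list changes occasionally, so fetch the current one.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed DNS answers for the offline demo (not real lookups).
SAMPLE_DNS: Dict[str, List[str]] = {
    "mail.example.com": ["203.0.113.25"],                 # gray cloud: origin IP
    "www.example.com": ["104.16.1.1", "104.16.2.1"],      # orange cloud: edge IPs
    "smtp.example.com": ["104.16.3.3", "203.0.113.25"],   # inconsistent records
}


def is_cloudflare_edge(ip: str) -> bool:
    """True when the address belongs to one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def classify(addresses: Iterable[str]) -> str:
    """'proxied' if every A record is a Cloudflare edge address, 'direct' if
    none is, 'mixed' if both kinds appear, 'unresolved' for no records."""
    addrs = list(addresses)
    if not addrs:
        return "unresolved"
    edge = [is_cloudflare_edge(a) for a in addrs]
    if all(edge):
        return "proxied"
    if not any(edge):
        return "direct"
    return "mixed"


def resolve_live(hostname: str) -> List[str]:
    """Real resolver for interactive use; not exercised by the offline demo."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def mail_host_ready(hostname: str,
                    resolver: Callable[[str], Optional[List[str]]] = SAMPLE_DNS.get) -> bool:
    """A mail server (and a standalone ACME listener on it) is only reachable
    when the name resolves directly to the origin, so require 'direct'."""
    return classify(resolver(hostname) or []) == "direct"


if __name__ == "__main__":
    for host in SAMPLE_DNS:
        print(f"{host:20} {classify(SAMPLE_DNS[host]):10} ready={mail_host_ready(host)}")
```

For a real check, pass `resolver=resolve_live`. A 'proxied' or 'mixed' result matches what the original poster saw (a Cloudflare address instead of the real one): the record has to be switched to gray cloud in the Cloudflare dashboard before standalone validation or mail delivery can work.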


#4

acme.sh supports automatic Cloudflare API integration.

see here:


#5

As do all the other Bash and Go clients, which is why I referenced them all :wink:


#6

“As do all the other Bash and Go clients”, are you sure? Anyway, I don’t care.

I’m not familiar with other clients, but I know acme.sh well.

It’s the easiest way in my mind to help the user to issue certs.

I just want to give the real practicable way to save the user’s time, instead of a useless note such as “other alternate clients”.

Everybody’s time is precious.

I think the most important thing is to solve the user’s problem and save their time, rather than which client, bla, bla, bla…

It’s your freedom to reference anything in your reply, so is mine.

I have never blamed anybody for referencing or not referencing anything in their replies. I hope you haven’t either.

Thanks.


#7

Yes, I’m sure.

I’d respond to all your other points, but no point in starting a flame war :slight_smile:


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.