How to create a certificate on a host where there is no web server

Hi,

Now, I’m trying to create a certificate on my mail server. I have already gotten certificates on my web server, but I want to have this on the mail server as well. I mean, I want to enable SSL connections for the postfix mail server. However, I have gotten the following error when I executed a command like ./certbot-auto certonly --standalone -d mail.corp-associe.com -m admin@corp-associe.com --agree-tos. *There are 2 servers like this.

  1. Web server -> Apache is running, certbot-auto has been installed and there are certificate files.
  2. Mail server -> No web server is running, but certbot-auto has been installed. A new certificate is going to be installed, but I have gotten an error.

The error messages are as follows.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.corp-associe.com
Waiting for verification…
Challenge failed for domain mail.corp-associe.com
http-01 challenge for mail.corp-associe.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:


My domain is: corp-associe.com

Well, do I need to run a web server like Apache on this host also? I just want to get a commercial certificate.

The version of my client is certbot 0.32.0.

Regards,

Hi @bravo

There is a running webserver with a good HTTP status 404 ( https://check-your-website.server-daten.de/?q=mail.corp-associe.com ):

Domainname | IP | Http-Status | redirect | Sec. | G
http://mail.corp-associe.com/ | 203.141.138.215 | 301 | https://mail.corp-associe.com/ | 0.547 | A
https://mail.corp-associe.com/ | 203.141.138.215 | 200 | | 8.017 | N
  Certificate error: RemoteCertificateNameMismatch
http://mail.corp-associe.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 203.141.138.215 | 301 | https://mail.corp-associe.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.560 | A
  Visible Content: Moved Permanently The document has moved here.
https://mail.corp-associe.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | | 404 | | 7.376 | N
  Not Found
  Certificate error: RemoteCertificateNameMismatch

So try to find the DocumentRoot / webroot of that vHost and use that:

certbot certonly -a webroot -w yourDocumentRoot -d mail.corp-associe.com

You have a redirect http -> https, your https works. The certificate is wrong, but Letsencrypt ignores this error.
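Before pointing the webroot authenticator at a directory, it is worth confirming that the directory is really what the vHost serves for mail.corp-associe.com, because a wrong DocumentRoot gives exactly the 404 seen in the check above. The script below is an added example, not part of this thread or of certbot: it stages a probe file at the path certbot would use for the http-01 response (`<webroot>/.well-known/acme-challenge/<token>`), prints the URL the validation server would fetch, and optionally fetches it with curl. The WEBROOT and HOST variables, the probe token and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or certbot): verify that a candidate
# webroot is the directory the vHost actually serves, before running
#   certbot certonly -a webroot -w <webroot> -d <host>
# Certbot writes its http-01 response to <webroot>/.well-known/acme-challenge/<token>,
# so a file we place there must be reachable at http://<host>/.well-known/acme-challenge/<token>.

# stage_probe WEBROOT TOKEN -> writes the probe file and prints its path
stage_probe() {
    webroot="$1"
    token="$2"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf 'webroot-probe %s\n' "$token" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"          # must be readable by the webserver user
    printf '%s\n' "$dir/$token"
}

# probe_url HOST TOKEN -> the URL the validation server would request
probe_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# check_probe URL TOKEN -> 0 if the body served at URL matches the staged file.
# -L follows the http -> https redirect seen in the thread (Let's Encrypt follows
# redirects too); -k tolerates the name-mismatched certificate currently on https,
# since only the served body matters for this check.
check_probe() {
    url="$1"; token="$2"
    command -v curl >/dev/null 2>&1 || { echo "curl not installed" >&2; return 2; }
    body=$(curl -fsSLk --max-time 10 "$url") || return 1
    [ "$body" = "webroot-probe $token" ]
}

# cleanup_probe WEBROOT TOKEN -> removes the probe file again
cleanup_probe() {
    rm -f "$1/.well-known/acme-challenge/$2"
}

# Stand-alone usage (assumed values):
#   WEBROOT=/var/www/html HOST=mail.corp-associe.com sh probe-webroot.sh
if [ -n "${WEBROOT:-}" ] && [ -n "${HOST:-}" ]; then
    token="probe-$$"
    stage_probe "$WEBROOT" "$token" >/dev/null || exit 1
    if check_probe "$(probe_url "$HOST" "$token")" "$token"; then
        echo "OK: $WEBROOT is served at http://$HOST/ ; use -w $WEBROOT with certbot"
    else
        echo "FAIL: $WEBROOT is not what http://$HOST/ serves; try another DocumentRoot" >&2
    fi
    cleanup_probe "$WEBROOT" "$token"
fi
```

If the probe fails for every candidate directory, the vHost that answers for mail.corp-associe.com is a different one than assumed; the Apache configuration (`DocumentRoot` of the matching `ServerName`/`ServerAlias`) is the place to look rather than guessing further paths.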

You don’t need two separate certificates just because they are two different services; you can make and use one certificate valid for both www.corp-associe.com and mail.corp-associe.com.

But in any case: yes, you need a webserver listening on mail.corp-associe.com, but it seems you already have one (the two names seem to resolve to the same IP, so it’s likely the same server). Alternatively you’ll have to use one of the other challenges, but as it looks like you have a webserver running at mail.corp-associe.com, configuring that seems like the easiest solution.

Hi grove,
Thank you for your reply. You mean I should take the following steps?

  1. Since there are certificates on the web server (web1.corp-associe.com), I can use the .pem files for the mail server (mail.corp-associe.com). In this case, just copy them from the web server to the mail server.

Is this correct? Or I would appreciate it if you let me know how to do it (the procedure).

Regards,

You have to create a new certificate with the correct domain name. Later, you can use the idea of @grove to create one certificate with both domain names.

But now there is no certificate with mail. in it, so you need a new certificate.

No, the certificate you have for the web server is only valid for www.corp-associe.com; you can’t use that on a mail server addressed as mail.corp-associe.com. I suppose you could change DNS for the domain to say that mail is handled by www.corp-associe.com and then make sure it still ends up with the same software; then I guess it would work with the certificate you already have. But it’s likely easier (and more standard) to make a new certificate that includes both names.

As an example you can look at the certificate I have on my main domain 3001.dk, that has six names on it (and I’ve considered adding another one when I have to renew it soon), one of which is the name (teresa.3001.dk) that DNS says handles mail for the domain.

Hi grove and JuergenAuer,

Thank you so much for your quick response. So it would be better to change the DNS record, right? Do you have any clues how to change the records? I have added the mail server and web server IN A records separately.

Thank you!
Regards,

No, it would not be better to change DNS. It would be better to configure your webserver/certbot to get a certificate for the name the mailserver currently has.

No, you don't need to change your DNS record.

Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout
mail.corp-associe.com | A | 203.141.138.215 | yes | 2 | 0
mail.corp-associe.com | AAAA | | yes | |
corp-associe.com | A | | yes | 2 | 0
corp-associe.com | AAAA | | yes | |
www.corp-associe.com | A | 203.141.138.215 | yes | 2 | 0
www.corp-associe.com | AAAA | | yes | |

Your www and your mail have the same IP address. So you can use the running webserver to create a certificate with mail ... or (a step later) one certificate with both domain names (www + mail).

Standalone creates its own webserver, so this is an interruption of your running webserver. You can use the webserver directly.

Hi both,

Oh, I see. So I will need to create a certificate for the mail server on my web server.
Is the command the same as the one I used, like certbot-auto certonly --standalone -d mail.corp-associe.com -m admin@corp-associe.com --agree-tos -n ?
After this, I need to copy the certificate files from the web server to the mail server, correct?
This is because I need to indicate the directory of the certificate in the postfix configuration files.

Regards,

As written: standalone stops your running webserver. And your first post says that this command didn't work. So switch to --webroot as the authenticator.

Hello,

I executed the command and now I can see the directory for mail.corp-associe.com. The .pem files exist. I think it should be OK now… So the next step will be to copy all files to the mail server, right? In this case, I will need to copy the files whenever I renew the certificates.

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/mail.corp-associe.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/mail.corp-associe.com/privkey.pem
    Your cert will expire on 2019-06-07. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    “certbot-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Regards,


Happy to read that you have created a new certificate :wink:

Yep, you have to do that.

But you can create a deploy-hook script that is executed after a new certificate is created.

Check

https://certbot.eff.org/docs/using.html
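As an illustration of the deploy-hook idea above, here is an added example script (not from this thread, not certbot's own code, and not the poster's setup) that does the copy automatically after each renewal. Certbot runs a `--deploy-hook` only when a certificate was actually issued or renewed, and sets `RENEWED_LINEAGE` to the live directory (here /etc/letsencrypt/live/mail.corp-associe.com) and `RENEWED_DOMAINS` to the names on the certificate; those two variables are real certbot behaviour. The mail host name, the target directory `/etc/postfix/tls`, the use of root over SSH and the `postfix reload` step are assumptions for the example and would be adapted to the real hosts.

```shell
#!/bin/sh
# Added example, not from the thread or certbot's docs: a --deploy-hook that
# publishes a renewed certificate to the mail host, so no manual copy is needed
# after every renewal. Certbot provides RENEWED_LINEAGE (live dir, e.g.
# /etc/letsencrypt/live/mail.corp-associe.com) and RENEWED_DOMAINS (space-separated
# names) to the hook. MAIL_HOST, MAIL_CERT_DIR and WANTED_NAME below are assumptions.

MAIL_HOST="${MAIL_HOST:-mail.corp-associe.com}"
MAIL_CERT_DIR="${MAIL_CERT_DIR:-/etc/postfix/tls}"   # smtpd_tls_cert_file / smtpd_tls_key_file point here
WANTED_NAME="${WANTED_NAME:-mail.corp-associe.com}"

# lineage_has_domain "DOMAINS" NAME -> 0 if NAME is one of the renewed names,
# so the hook ignores renewals of unrelated certificates on the same host.
lineage_has_domain() {
    for d in $1; do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# export_certs LINEAGE_DIR DEST_DIR -> copies the two files postfix needs.
# -L dereferences the live/ symlinks so the current archive/ content is copied
# (the poster copied fullchain1.pem/privkey1.pem by hand; this follows the link
# instead, so the newest version is always taken). The key stays root-only.
export_certs() {
    lineage="$1"; dest="$2"
    [ -f "$lineage/fullchain.pem" ] || { echo "no fullchain.pem in $lineage" >&2; return 1; }
    [ -f "$lineage/privkey.pem" ]   || { echo "no privkey.pem in $lineage" >&2; return 1; }
    mkdir -p "$dest" || return 1
    cp -L "$lineage/fullchain.pem" "$dest/fullchain.pem" || return 1
    cp -L "$lineage/privkey.pem"   "$dest/privkey.pem"   || return 1
    chmod 644 "$dest/fullchain.pem"
    chmod 600 "$dest/privkey.pem"
}

# push_to_mail_host DEST_DIR HOST -> copies the exported files over SSH and
# reloads postfix there. Assumes key-based SSH as root to the mail host.
push_to_mail_host() {
    dest="$1"; host="$2"
    scp -q "$dest/fullchain.pem" "$dest/privkey.pem" "root@$host:$MAIL_CERT_DIR/" || return 1
    ssh "root@$host" "chmod 600 $MAIL_CERT_DIR/privkey.pem && postfix reload"
}

# Hook entry point: only acts when certbot provides RENEWED_LINEAGE.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if lineage_has_domain "${RENEWED_DOMAINS:-}" "$WANTED_NAME"; then
        staging=$(mktemp -d) || exit 1
        export_certs "$RENEWED_LINEAGE" "$staging" || exit 1
        push_to_mail_host "$staging" "$MAIL_HOST" || exit 1
        rm -rf "$staging"
        echo "deployed $RENEWED_LINEAGE to $MAIL_HOST"
    fi
fi
```

The script is used either as `certbot-auto renew --deploy-hook /path/to/deploy-mail-cert.sh` or by placing it, executable, in /etc/letsencrypt/renewal-hooks/deploy/. If the mail server is the same machine as the web server, `push_to_mail_host` can be dropped and `export_certs` pointed straight at the postfix directory, followed by a local `postfix reload`.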

Hello,
Thank you so much for your support. I have set up postfix with SSL, but I still get a warning message like “internet security warning” every time I start Outlook. I installed the certificate once, but I still get this pop-up window. I can confirm that the certificate is provided by letsencrypt. I have copied fullchain1.pem and privkey1.pem from the “archive” directory.

Regards,
