Now, I’m trying to create a certificate on my mail server. I have already got certificates on my web server, but I want to have this on the mail server as well. I mean, I want to enable SSL connections for the postfix mail server. However, I got the following error when I executed the command ./certbot-auto certonly --standalone -d mail.corp-associe.com -m admin@corp-associe.com --agree-tos. *There are 2 servers like this.
Web server -> Apache server is running, certbot-auto has been installed and there are certificate files.
Mail server -> No web server is running, but certbot-auto has been installed. A new certificate is to be installed, but I got an error.
The error messages are as follows.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.corp-associe.com
Waiting for verification…
Challenge failed for domain mail.corp-associe.com
http-01 challenge for mail.corp-associe.com
Cleaning up challenges
Some challenges have failed.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
You don’t need two separate certificates just because it’s two different services; you can make and use one certificate valid for both www.corp-associe.com and mail.corp-associe.com.
But in any case: yes, you need a webserver listening on mail.corp-associe.com, but it seems you already have one (the two names seem to resolve to the same IP, so it’s likely to be the same server). Alternatively you’ll have to use one of the other challenges, but as it looks like you have a webserver running at mail.corp-associe.com, configuring that seems like the easiest solution.
Hi, grove,
Thank you for your reply. You mean, I should take the following steps?
Since there are certificates on the web server (web1.corp-associe.com), I can use the .pem files for the mail server (mail.corp-associe.com). In this case, just copy them from the web server to the mail server.
Is this correct? Or I would appreciate it if you let me know how to do it (the procedure).
You have to create a new certificate with the correct domain name. Later, you can use the idea of @grove to create one certificate with both domain names.
But now there is no certificate with mail. - so you need a new certificate.
No, the certificate you have for the web server is only valid for www.corp-associe.com; you can’t use that on a mail server addressed as mail.corp-associe.com. I suppose you could change DNS for the domain to say that mail is handled by www.corp-associe.com and then make sure it still ends up with the same software, then I guess it would work with the certificate you already have. But it’s likely easier (and more standard) to make a new certificate that includes both names.
As an example you can look at the certificate I have on my main domain 3001.dk, that has six names on it (and I’ve considered adding another one when I have to renew it soon), one of which is the name (teresa.3001.dk) that DNS says handles mail for the domain.
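The name check grove describes above (a certificate is only valid for the names listed on it) is what a TLS client runs against the certificate's Subject Alternative Names. The shell script below is an added example, not code from the thread or from certbot: it implements that hostname-to-SAN matching rule and applies it to two constructed SAN lists, one standing in for the web certificate (www only) and one for a combined certificate (www + mail). The SAN lists are constructed for illustration; the comments note how to read the real list from a certificate with openssl.

```shell
#!/bin/sh
# Added example (not from the thread): the hostname-matching rule a TLS client
# applies to a certificate's Subject Alternative Names (RFC 6125 style).
# The SAN lists below are constructed for illustration; in practice read them
# from a real certificate with:
#   openssl x509 -in /etc/letsencrypt/live/<name>/fullchain.pem -noout -ext subjectAltName

# san_covers_host HOST "SAN1 SAN2 ..."  -> returns 0 if some SAN matches HOST, 1 otherwise
san_covers_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for san in $2; do
        san=$(printf '%s' "$san" | tr 'A-Z' 'a-z')
        # Exact, case-insensitive match of the whole name.
        if [ "$san" = "$host" ]; then
            return 0
        fi
        # A wildcard is only honoured as the entire leftmost label (*.corp-associe.com)
        # and matches exactly one label: mail.corp-associe.com, not a.b.corp-associe.com.
        case "$san" in
            '*.'*)
                suffix=${san#\*.}
                hostfirst=${host%%.*}
                hostrest=${host#*.}
                if [ "$hostrest" = "$suffix" ] && [ -n "$hostfirst" ] && [ "$hostfirst" != "$host" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# report HOST "SANS": human-readable verdict for one name against one certificate
report() {
    if san_covers_host "$1" "$2"; then
        echo "$1: covered by [$2]"
    else
        echo "$1: NOT covered by [$2] (a client would show a name-mismatch warning)"
    fi
}

# Constructed SAN lists: the existing web certificate, and one issued for both names.
WEB_CERT_SANS="www.corp-associe.com"
BOTH_CERT_SANS="www.corp-associe.com mail.corp-associe.com"

report mail.corp-associe.com "$WEB_CERT_SANS"
report mail.corp-associe.com "$BOTH_CERT_SANS"
report www.corp-associe.com "$BOTH_CERT_SANS"
```

The first report shows why the web server's certificate cannot be reused on a host reached as mail.corp-associe.com, and the second why one certificate carrying both names works for both services. The same check applies to whatever name a mail client is configured to connect to: that name, not the machine's other names, has to be on the certificate.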
Thank you so much for your quick response. So it would be better to change the DNS record, right? Do you have any clues how to change the records? I have added the mail server and web server IN A records separately.
No, it would not be better to change DNS. It would be better to configure your webserver/certbot to get a certificate for the name the mailserver currently has.
Your www and your mail have the same ip address. So you can use the running webserver to create a certificate with mail ... or (step later) one certificate with both domain names (www + mail).
Standalone creates its own webserver, so this is an interruption of your running webserver. You can use the webserver directly.
Oh I see. So I will need to create the certificate for the mail server on my web server.
The command is the same as I did, like certbot-auto certonly --standalone -d mail.corp-associe.com -m admin@corp-associe.com --agree-tos -n ?
After this, I need to copy the certificate files from the web server to the mail server, correct?
This is because I need to indicate the certificate directory in the postfix configuration files.
I executed the command and now I can see the directory of mail.corp-associe.com. The .pem files exist. I think it should be OK now… So the next step will be to copy all files to the mail server, right? In this case, I will need to copy the files whenever I renew the certificates.
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.corp-associe.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.corp-associe.com/privkey.pem
Your cert will expire on 2019-06-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew all of your certificates, run
“certbot-auto renew”
If you like Certbot, please consider supporting our work by:
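For the copy-on-every-renewal question above, here is an added example of a certbot deploy hook; it is not code from the thread or from certbot. It copies the live fullchain.pem and privkey.pem to a directory that Postfix on the mail server reads, sets restrictive permissions, and reloads Postfix. Certbot runs scripts placed in /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal with RENEWED_LINEAGE set to the live/<name> directory; the destination directory /etc/postfix/tls, the MAIL_HOST variable for a remote copy over ssh and the hook file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): a deploy hook that copies
# a renewed certificate to the mail server and reloads Postfix.
# Install as /etc/letsencrypt/renewal-hooks/deploy/postfix-copy.sh (mode 0755), or
# pass it with --deploy-hook. Certbot runs it after each successful renewal with
# RENEWED_LINEAGE set to /etc/letsencrypt/live/<name>.

# Assumed destination on the mail server; override with the environment.
MAIL_CERT_DIR="${MAIL_CERT_DIR:-/etc/postfix/tls}"
# Assumed: set to user@mail.corp-associe.com for a remote copy over ssh/scp with
# key authentication; leave empty when Postfix runs on this machine.
MAIL_HOST="${MAIL_HOST:-}"

# copy_lineage SRC_LINEAGE DEST_DIR -> copies SRC_LINEAGE/fullchain.pem and privkey.pem
# into DEST_DIR. The live/ entries are symlinks to the newest archive/fullchainN.pem and
# privkeyN.pem, so copying from live/ (following the links) avoids tracking the version
# number by hand. Returns 1 if the source files are missing or a copy fails.
copy_lineage() {
    src=$1
    dest=$2
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 1
    if [ -n "$MAIL_HOST" ]; then
        # Remote mail server: create the directory, copy, fix permissions, reload.
        ssh "$MAIL_HOST" "mkdir -p '$dest' && chmod 0750 '$dest'" || return 1
        scp -p "$src/fullchain.pem" "$src/privkey.pem" "$MAIL_HOST:$dest/" || return 1
        ssh "$MAIL_HOST" "chmod 0644 '$dest/fullchain.pem' && chmod 0600 '$dest/privkey.pem' && postfix reload" \
            || echo "warning: remote permission fix or postfix reload failed" >&2
    else
        mkdir -p "$dest" && chmod 0750 "$dest" || return 1
        # -L follows the live/ symlinks so real files, not dangling links, land in DEST_DIR.
        cp -L "$src/fullchain.pem" "$dest/fullchain.pem" || return 1
        cp -L "$src/privkey.pem" "$dest/privkey.pem" || return 1
        chmod 0644 "$dest/fullchain.pem" && chmod 0600 "$dest/privkey.pem" || return 1
        # Reload Postfix so it picks up the new files; skip where Postfix is not installed.
        if command -v postfix >/dev/null 2>&1; then
            postfix reload || echo "warning: postfix reload failed" >&2
        fi
    fi
    return 0
}

# Only act when certbot invoked us as a deploy hook (RENEWED_LINEAGE is then set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_lineage "$RENEWED_LINEAGE" "$MAIL_CERT_DIR"
fi
```

On the mail server, Postfix's main.cf then points smtpd_tls_cert_file and smtpd_tls_key_file at the copied fullchain.pem and privkey.pem, and the reload at the end of the hook makes the renewed certificate active without a restart. If the certificate is issued on the web server with both names (-d www.corp-associe.com -d mail.corp-associe.com), the same hook serves both hosts.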
Hello,
Thank you so much for your support. I have set up postfix with SSL, but I still get a warning message like “internet security warning” every time I start Outlook. I installed the certificate once, but I still get this pop-up window. I can confirm that the certificate is provided by letsencrypt. I have copied fullchain1.pem and privkey1.pem from the “archive” directory.