How to get a certificate for mail server

I am running a mail server on the Windows platform. I rent a VPS from GoDaddy. There is no web server on this server. Currently, I install the signed cert manually. I want to get a cert from Let's Encrypt, but it fails.

What I have tried:

  1. I installed certbot.
  2. ran certbot certonly
  3. answered all the questions, but it failed

Email domains: mail.ccpl.cloud, umx.ccpl.cloud

Thanks in advance for your help.


Welcome to the community @ccpoon
I moved your topic to the Help group to get better visibility.

I see you got a cert about an hour ago. See here

I don't see that you need any help getting certs. Can you explain more about your question? Also, had you posted in the Help topic you would have been asked the questions below.

==========================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version):


Dear Sir,

I can get a cert successfully in my web server. The domain is ccpl.cloud.

But I fail to get a cert for my mail server. The mail domain is mail.ccpl.cloud or umx.ccpl.cloud.

Best Regards.


Can you show the answers you gave? Because you can get certs for those mail domains the same way. That is, with a webserver that replies on port 80 (http) for that name. Even if you set up a "fake" webserver just for those names.

If you don't have or want a webserver for your mail domains, you can maybe use certbot standalone or even DNS challenge.

When you said "I answered all the questions, but fail" I don't know what you tried.

Without more info it is difficult to help.


Which IP are you running certbot from?

Name:    mail.ccpl.cloud
Address: 148.72.209.87

Name:    umx.ccpl.cloud
Address: 148.72.209.126

Dear Sir,

Here was the case:

C:\Certbot>certbot certonly
Saving debug log to C:\Certbot\log\letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): umx.ccpl.cloud
Requesting a certificate for umx.ccpl.cloud
Input the webroot for umx.ccpl.cloud: (Enter 'c' to cancel): c:\certbot

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: umx.ccpl.cloud
Type: unauthorized
Detail: 148.72.209.126: Invalid response from http://umx.ccpl.cloud/.well-known/acme-challenge/nm4_5adYACAlbQ0c9jM46wzbrMM_NMbefphzlsd4Tbc: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

C:\Certbot>

And attached please find the log file.

Best Regards.

(Attachment letsencrypt.log is missing)

Option 2, the "webroot" expects a webserver, but you mentioned you're not running a webserver on that host. Setting the webroot to a fairly random directory won't help.

You probably want to choose option 1, the "standalone" plugin. This plugin will spin up a temporary webserver on port 80 to handle the challenge.

That said, why is there an Apache listening on that host when you said there isn't a webserver running? I'm puzzled now...

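One way to test the webroot before re-running certbot, as an added example (not certbot's own code and not from this thread): it writes a probe file exactly where certbot's webroot plugin would write its challenge token, fetches it over plain HTTP from the domain the way the CA does, and reports the status. The domain and webroot are assumed command-line arguments, and fake_server is a constructed stand-in for a correctly configured web server so the check can also be exercised offline.

```python
"""Pre-flight check for certbot's webroot (HTTP-01) authenticator: write a probe
file where certbot would write its token, fetch it over HTTP as the CA does."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"

def place_probe(webroot):
    """Create <webroot>/.well-known/acme-challenge/<token>; return (token, path)."""
    probe_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(probe_dir, exist_ok=True)
    token = secrets.token_urlsafe(32)
    path = os.path.join(probe_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    return token, path

def http_fetch(url, timeout=10):
    """Plain-HTTP GET, following redirects as the CA does; returns (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 404/403/... still carry a status code
        return err.code, ""

def check_webroot(domain, webroot, fetch=http_fetch):
    """Return (ok, status, url); ok means HTTP 200 whose body is our token."""
    token, path = place_probe(webroot)
    url = f"http://{domain}/{CHALLENGE_PATH}/{token}"
    try:
        status, body = fetch(url)
    finally:
        os.remove(path)  # leave nothing behind in the webroot
    return status == 200 and body.strip() == token, status, url

def fake_server(docroot):
    """Constructed stand-in for a web server whose DocumentRoot is docroot (offline use)."""
    def fetch(url):
        full = os.path.join(docroot, *url.split("/", 3)[3].split("/"))
        if not os.path.isfile(full):
            return 404, ""
        with open(full, encoding="ascii") as fh:
            return 200, fh.read()
    return fetch

if __name__ == "__main__":  # usage: python <this file> mail.example.test C:\path\to\htdocs
    import sys
    print(check_webroot(sys.argv[1], sys.argv[2]))
```

A result of (False, 404, ...) reproduces the "Invalid response ... 404" the CA reported, which means the directory given as the webroot is not the one the web server serves for that name.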
curl -Ii 148.72.209.126
HTTP/1.1 302 Found
Date: Sat, 10 Sep 2022 00:27:13 GMT
Server: Apache/2.4.37 (Win32) OpenSSL/1.1.1a PHP/7.3.0
X-Powered-By: PHP/7.3.0
Location: http://148.72.209.126/madmin/
Content-Type: text/html; charset=UTF-8
C:\Certbot>certbot certonly

So, that's:

  • Windows
  • certbot
  • Apache

[not for the faint of heart]


I have tried both of them.

And the log file I sent was from :

148.72.209.126

I have Apache running on the mail server to support the webmail client.

I also tried option 1, but it failed too.

I cannot send the log file to you as an attachment. Your mail server has rejected it.

You can't use option #1 [Spin up a temporary webserver (standalone)], if you already have Apache listening on port 80.
[but we are not yet sure if that is the case]


Dear Sir,

I can get the cert for the domain umx.ccpl.cloud, but for mail.ccpl.cloud it is not yet successful.

I have Apache up serving multiple web sites. One of them is serving the mail client, and its DNS domain is mail.ccpl.cloud.

I placed the log file below.

2022-09-11 23:49:48,245:DEBUG:certbot._internal.main:certbot version: 1.24.0
2022-09-11 23:49:48,245:DEBUG:certbot._internal.main:Location of certbot entry point: C:\Program Files (x86)\Certbot\bin\certbot.exe
2022-09-11 23:49:48,245:DEBUG:certbot._internal.main:Arguments: ['-v', '--preconfigured-renewal']
2022-09-11 23:49:48,246:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-09-11 23:49:48,395:DEBUG:certbot._internal.log:Root logging level set at 20
2022-09-11 23:49:48,411:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2022-09-11 23:49:48,411:DEBUG:certbot._internal.plugins.selection:Multiple candidate plugins: * standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x04906D00>
Prep: True

* webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x04906B50>
Prep: True
2022-09-11 23:49:52,144:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x04906B50> and installer None
2022-09-11 23:49:52,146:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2022-09-11 23:49:52,198:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/727146547', new_authzr_uri=None, terms_of_service=None), de311eae5c8a61eab2efa350f5a2d8cf, Meta(creation_dt=datetime.datetime(2022, 9, 11, 15, 43, 26, tzinfo=), creation_host='mail.ccpl.cloud', register_to_eff='ccpoon@ccpl.cloud'))>
2022-09-11 23:49:52,232:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-09-11 23:49:52,232:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-09-11 23:49:53,079:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 672
2022-09-11 23:49:53,081:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Sep 2022 15:49:52 GMT
Content-Type: application/json
Content-Length: 672
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"S_12r9-0Xr4": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017-w-v1.3-notice.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2022-09-11 23:49:53,082:DEBUG:certbot.display.ops:No installer, picking names manually
2022-09-11 23:49:59,597:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for mail.ccpl.cloud
2022-09-11 23:49:59,824:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): C:\Certbot\keys\0002_key-certbot.pem
2022-09-11 23:49:59,840:DEBUG:certbot.crypto_util:Creating CSR: C:\Certbot\csr\0002_csr-certbot.pem
2022-09-11 23:49:59,842:DEBUG:acme.client:Requesting fresh nonce
2022-09-11 23:49:59,843:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2022-09-11 23:50:00,124:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-09-11 23:50:00,125:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Sep 2022 15:50:00 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0102Djk-R2l6JMap--lYwIiniM0xrXC5-20w2gBDOITr5Cc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

Best Regards,
cc

We are not making any progress...
