Letsencrypt certificate for mail server


#1

How can i create Letsencrypt certificate for smtp/imap mail server?
when i tried the below command, faced error

[root@server1 letsencrypt]# certbot certonly -d mail.server.co.uk |
Saving debug log to /var/log/letsencrypt/letsencrypt.log |
|
How would you like to authenticate with the ACME CA? |

                                                                                • |
                                                                                  1: Apache Web Server plugin - Beta (apache) |
                                                                                  2: Spin up a temporary webserver (standalone) |
                                                                                  3: Place files in webroot directory (webroot) |
                                                                                • |
                                                                                  Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 2 |
                                                                                  Plugins selected: Authenticator standalone, Installer None |
                                                                                  Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org |
                                                                                  Obtaining a new certificate |
                                                                                  Performing the following challenges: |
                                                                                  http-01 challenge for mail.ibiidi.co.uk |
                                                                                  Cleaning up challenges |
                                                                                  Problem binding to port 80: Could not bind to IPv4 or IPv6. |

Letsencrypt certificate for mail server
#2

Hi,

Can you please provide more information & remove the duplicated topic?

The problem binding mostly because you have an already running web server… (You could use 1 to avoid the binding issue since the site is already deployed on apache…)

Thank you


#3

@stevenzhu
i have tried to use option 1 but faced error, the domain that i have tried to issue certificate is stmp domain.
[root@server1 letsencrypt]# certbot certonly -d mail.smtp.co.uk
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator apache, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.smtp.co.uk
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80


#4

Is there an Apache virtual host for that hostname?

Can you add one? It doesn’t have to do much of anything – it can return an error or redirect – but it would help Certbot.

Edit: Is there any port 80 virtual host? If not, perhaps add a basic default one?


#5

@mnordhoff
Is there an Apache virtual host for that hostname?

No, it’s SMTP server

Can you add one? It doesn’t have to do much of anything – it can return an error or redirect – but it would help Certbot.
I have already a lot of vhosts that listen on 80 port but this may be i use complied apache …!
[root@server1 letsencrypt]# netstat -tunlp | grep 80
tcp6 0 0 :::80 :::* LISTEN 1443/httpd

[root@server1 letsencrypt]# certbot certonly  -d mail.smtp.co.uk
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.smtp.co.uk
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
[root@server1 letsencrypt]#

Also i tried to use any webroot and issued command but face the below error

[root@server1 letsencrypt]# certbot certonly --webroot -w /usr/local/apache/htdocs/webinterfacedir/ -d mail.smtp.co.uk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.smtp.co.uk
Using the webroot path /usr/local/apache/htdocs/webinterfacedirl for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mail.ibiidi.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.ibiidi.co.uk/.well-known/acme-challenge/LeWpfk2jQtf5v9NK8zU6jpyra6RgccpuCsHr0XoHDwM: "

404 Not Found

Not Found

<p"

IMPORTANT NOTES:


#6

I know this is kind of confusing, but the --apache option does two different things, one of which is very helpful to you and one of which is very unhelpful to you.

The first thing we call -a apache (the “authenticator”) which uses your webserver to obtain the certificate. This does not require an existing HTTP virtualhost with the associated servername (it just requires a working Apache configuration and for the DNS name to be pointed at this server).

The second thing we call -i apache (the “installer”) which tries to reconfigure your webserver to install the certificate. This does require an existing HTTP virtualhost with the associated servername, which will be used as the basis for the new HTTPS virtualhost.

It seems from the output that the -a apache step worked (as expected) but the -i apache step failed (also as expected).

You would probably have better luck with

certbot certonly -a apache -d mail.smtp.co.uk

which would perform the working part and not perform the failing part. :slight_smile:


#7

@schoen,
Actually i have tried the mentioned command but still facing error although Apache running on 80

 [root@server1 letsencrypt]# certbot certonly -a apache -d mail.smtp.co.uk
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator apache, Installer None
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for mail.smtp.co.uk
    Cleaning up challenges
    Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
    [root@server1 letsencrypt]# netstat -tunlp | grep 80
    tcp6       0      0 :::80                   :::*                    LISTEN      1443/httpd

Actually, i have issued the certificate for webmail interface by the below command, can i use the certificate of webmail interface in SMTP configurations?

certbot certonly -a webroot -w /usr/local/apache/htdocs/roundcubemail/ -d webmail.smtp.co.uk


#8

This might mean that you have an unusual Apache configuration in terms of where the files are located on your system, or somehow not having any virtual hosts at all (although I think the first possibility is more likely than the second).

Yes, you’ll probably need to configure the SMTP server yourself to refer to the certificate files at their paths in /etc/letsencrypt/live. But the same certificate can certainly be used for both.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.