How can I create a Let's Encrypt certificate for an SMTP/IMAP mail server?
When I tried the command below, I got an error:
[root@server1 letsencrypt]# certbot certonly -d mail.server.co.uk
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.ibiidi.co.uk
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
Can you please provide more information & remove the duplicated topic?
The binding problem is most likely because you already have a running web server... (You could use option 1 to avoid the binding issue, since the site is already deployed on Apache.)
@stevenzhu
I have tried to use option 1 but faced an error; the domain for which I tried to issue a certificate is an SMTP domain.
[root@server1 letsencrypt]# certbot certonly -d mail.smtp.co.uk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.smtp.co.uk
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80
@mnordhoff Is there an Apache virtual host for that hostname?
No, it's an SMTP server.
Can you add one? It doesn't have to do much of anything (it can return an error or redirect), but it would help Certbot.
I already have a lot of vhosts that listen on port 80, but this may be because I use a compiled Apache..!
[root@server1 letsencrypt]# netstat -tunlp | grep 80
tcp6 0 0 :::80 :::* LISTEN 1443/httpd
[root@server1 letsencrypt]# certbot certonly -d mail.smtp.co.uk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.smtp.co.uk
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
[root@server1 letsencrypt]#
Also, I tried to use a webroot and issued the command, but got the error below:
[root@server1 letsencrypt]# certbot certonly --webroot -w /usr/local/apache/htdocs/webinterfacedir/ -d mail.smtp.co.uk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.smtp.co.uk
Using the webroot path /usr/local/apache/htdocs/webinterfacedirl for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mail.ibiidi.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.ibiidi.co.uk/.well-known/acme-challenge/LeWpfk2jQtf5v9NK8zU6jpyra6RgccpuCsHr0XoHDwM: "
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
[root@server1 letsencrypt]#
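The "Invalid response from http://.../.well-known/acme-challenge/..." failure above means the CA fetched the token over plain HTTP on port 80 and got something other than the file certbot wrote into the -w directory, usually because the Apache vhost that answers for that hostname serves a different DocumentRoot. The following script is an added example, not from this thread, that reproduces the CA's fetch locally so the mismatch is found before certbot is re-run; the hostname, webroot and token names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): write a probe file where certbot would
# place its http-01 token, then fetch it the way the CA does (plain HTTP on
# port 80, by hostname). If the fetch returns a 404 or an HTML page, the vhost
# for that name does not serve the directory passed to -w.
# Constructed values: ACME_PROBE_HOST and ACME_PROBE_WEBROOT are placeholders.

# Write a probe token under the webroot; prints the token name on success.
write_probe() {
    webroot=$1
    token=${2:-probe-token}
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf 'ok %s\n' "$token" > "$dir/$token" || return 1
    printf '%s\n' "$token"
}

# Check the probe on disk (catches a wrong -w path or a permissions problem).
disk_probe_ok() {
    webroot=$1; token=$2
    [ "$(cat "$webroot/.well-known/acme-challenge/$token" 2>/dev/null)" = "ok $token" ]
}

# Fetch the probe over HTTP by hostname, following redirects as the CA does,
# and compare the body with the file on disk.
http_probe_ok() {
    host=$1; webroot=$2; token=$3
    body=$(curl -fsSL --max-time 10 "http://$host/.well-known/acme-challenge/$token") || return 1
    [ "$body" = "$(cat "$webroot/.well-known/acme-challenge/$token")" ]
}

# Remove the probe so nothing is left behind in the challenge directory.
remove_probe() {
    rm -f "$1/.well-known/acme-challenge/$2"
}

# Runs only when both placeholders are supplied, e.g.
#   ACME_PROBE_HOST=mail.example.invalid ACME_PROBE_WEBROOT=/path/to/webroot sh probe.sh
if [ -n "${ACME_PROBE_HOST:-}" ] && [ -n "${ACME_PROBE_WEBROOT:-}" ]; then
    t=$(write_probe "$ACME_PROBE_WEBROOT") || exit 1
    disk_probe_ok "$ACME_PROBE_WEBROOT" "$t" && echo "on disk: ok" || echo "on disk: MISSING"
    http_probe_ok "$ACME_PROBE_HOST" "$ACME_PROBE_WEBROOT" "$t" && echo "over http: ok" || echo "over http: FAILED"
    remove_probe "$ACME_PROBE_WEBROOT" "$t"
fi
```

If "on disk: ok" but "over http: FAILED", fix the vhost (or point -w at the DocumentRoot that vhost really uses) rather than retrying certbot.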
I know this is kind of confusing, but the --apache option does two different things, one of which is very helpful to you and one of which is very unhelpful to you.
The first thing, which we call -a apache (the "authenticator"), uses your web server to obtain the certificate. This does not require an existing HTTP virtual host with the associated server name (it just requires a working Apache configuration and for the DNS name to be pointed at this server).
The second thing, which we call -i apache (the "installer"), tries to reconfigure your web server to install the certificate. This does require an existing HTTP virtual host with the associated server name, which will be used as the basis for the new HTTPS virtual host.
It seems from the output that the -a apache step worked (as expected) but the -i apache step failed (also as expected).
You would probably have better luck with
certbot certonly -a apache -d mail.smtp.co.uk
which would perform the working part and not perform the failing part.
@schoen,
Actually, I have tried the mentioned command but am still facing the error, although Apache is running on port 80:
[root@server1 letsencrypt]# certbot certonly -a apache -d mail.smtp.co.uk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.smtp.co.uk
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
[root@server1 letsencrypt]# netstat -tunlp | grep 80
tcp6 0 0 :::80 :::* LISTEN 1443/httpd
Actually, I have issued the certificate for the webmail interface with the command below. Can I use the webmail interface's certificate in the SMTP configuration?
certbot certonly -a webroot -w /usr/local/apache/htdocs/roundcubemail/ -d webmail.smtp.co.uk
This might mean that you have an unusual Apache configuration in terms of where the files are located on your system, or somehow not having any virtual hosts at all (although I think the first possibility is more likely than the second).
Yes, you'll probably need to configure the SMTP server yourself to refer to the certificate files at their paths in /etc/letsencrypt/live. But the same certificate can certainly be used for both.
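As an added example (not from this thread or from certbot itself), the deploy hook below points Postfix and Dovecot at the files under /etc/letsencrypt/live and reloads both daemons after every renewal, so they never keep serving an expired copy. It also checks that the renewed certificate actually lists the name mail clients connect to, because clients verify that name against the certificate's SAN list; a certificate issued only for webmail.smtp.co.uk will not satisfy a client connecting to mail.smtp.co.uk. The MAIL_HOST value, the Dovecot conf.d drop-in path and the postfix/doveadm commands are assumptions based on distribution defaults.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot deploy hook for a mail server.
# certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after
# a successful renewal and exports RENEWED_LINEAGE (the live/<name> directory)
# and RENEWED_DOMAINS (space-separated names on the certificate).
# Assumed values: MAIL_HOST is the name clients connect to; conf paths and
# reload commands are distribution defaults and may differ on a custom build.
MAIL_HOST=${MAIL_HOST:-mail.smtp.co.uk}

# Returns 0 when the renewed certificate lists the name mail clients verify.
covers_host() {
    domains=$1; host=$2
    for d in $domains; do
        [ "$d" = "$host" ] && return 0
    done
    return 1
}

# Postfix settings for a lineage: one key=value per line, ready for postconf -e.
postfix_settings() {
    printf 'smtpd_tls_cert_file=%s/fullchain.pem\n' "$1"
    printf 'smtpd_tls_key_file=%s/privkey.pem\n' "$1"
}

# Dovecot settings for a lineage; the leading '<' tells Dovecot to read the file.
dovecot_settings() {
    printf 'ssl = required\n'
    printf 'ssl_cert = <%s/fullchain.pem\n' "$1"
    printf 'ssl_key = <%s/privkey.pem\n' "$1"
}

# Apply and reload only when certbot invoked us for a lineage covering MAIL_HOST.
if [ -n "${RENEWED_LINEAGE:-}" ] && covers_host "${RENEWED_DOMAINS:-}" "$MAIL_HOST"; then
    postfix_settings "$RENEWED_LINEAGE" | while IFS= read -r kv; do postconf -e "$kv"; done
    dovecot_settings "$RENEWED_LINEAGE" > /etc/dovecot/conf.d/99-letsencrypt.conf
    postfix reload && doveadm reload
fi
```

Both daemons read the private key as root at startup, so the default permissions on /etc/letsencrypt/live and /etc/letsencrypt/archive do not need to be loosened.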