Mail.example.org on different servers


#1

Hi,

I started to use Let's Encrypt and it is great. But I have one problem that I don't know how to handle.

I have a mailserver mail1 and a webserver web1 and both use mail.example.org with a certificate. Mailserver handles encrypted mailing (smtp, imap, pop) and webserver handles encrypted webmail (https).

The A record for mail.example.org points to the mail server, but ports 80 and 443 are translated to the webserver address at the firewall router. So I can create a certificate for mail.example.org at the webserver but not at the mailserver.
The cert creation will start on mail1, but the letsencrypt check on port 443 will always point to the webserver.

There are a lot of certificates, so I won't handle them by hand four or five times a year. I can imagine two solutions, but I'm not inspired by either of them. I don't see a possibility for central renewal of certificates at the version-control and packaging server. So I will have to create cron jobs on each server for renewal of the domains on this server. Then I could
a) collect all certificates on all servers from the version-control and packaging server, build a package with the certs and distribute them to the servers
b) create an NFS share and mount it as /etc/letsencrypt on each server
Both possibilities require that the services like postfix, apache and dovecot are restarted after deploying a new certificate.
Possibility (b) has the disadvantage that I cannot use letsencrypt-auto in auto mode for all domains, but only for the domains that are on the server. Perhaps I should only mount /etc/letsencrypt/live.

Does anybody have a different and better approach? Or what would you suggest?

Regards
Martin


#2

Hi Martin,

I use a simple bash script ( https://github.com/srvrco/getssl ) that should do the bulk of what you require. You could run it either on the version-control / packaging server or remotely from a different server.

You can either use the DNS challenge (if you can remotely add an entry into your DNS via an API somehow) to fulfil the challenge, or you can get the script to upload the challenge token to your webserver (or wherever you redirect /.well-known/acme-challenge requests to). It can then automatically upload (and test) the certs to the relevant servers (assuming you have SSH access with keys).

As a note, you can usually do a reload - you don’t need to do a restart, so there is zero downtime.

The script auto-renews certificates, only informing you if there was an error during renewal (for example if the certificates don't match, because the reload hasn't been effective).
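As an added example (not code from getssl or from either post), here is a check for that last point: after the renewed certificate has been pushed to web1 and mail1 and the services reloaded, confirm that every TLS endpoint for mail.example.org actually presents the new certificate. The hostnames, ports and the sample PEM are assumptions.

```python
import hashlib, imaplib, smtplib, socket, ssl

# Constructed stand-in for /etc/letsencrypt/live/mail.example.org/cert.pem:
# base64 text, not a real certificate (pem_fingerprint only hashes bytes).
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQtc2FtcGxlLWJvZHk=\n"
              "-----END CERTIFICATE-----\n")

# TLS endpoints for mail.example.org (hosts assumed); 'smtp'/'imap' = STARTTLS.
ENDPOINTS = [("web1.example.org", 443, "tls"),    # webmail (https)
             ("mail1.example.org", 993, "tls"),   # imaps
             ("mail1.example.org", 587, "smtp"),  # submission
             ("mail1.example.org", 143, "imap")]  # imap

def pem_fingerprint(pem_text):
    """SHA-256 hex fingerprint of the leaf certificate in a PEM string."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()

def served_fingerprint(host, port, proto, sni="mail.example.org"):
    """Fingerprint of the leaf cert a live service presents. Verification is
    off on purpose: we want the served cert even if it is stale or expired."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    if proto == "tls":
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True)
    elif proto == "smtp":
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            der = smtp.sock.getpeercert(binary_form=True)
    elif proto == "imap":
        imap = imaplib.IMAP4(host, port, timeout=10)
        imap.starttls(ssl_context=ctx)
        der = imap.sock.getpeercert(binary_form=True)
        imap.logout()
    else:
        raise ValueError("unknown proto: " + proto)
    return hashlib.sha256(der).hexdigest()

def verify_deployment(expected_pem, endpoints=ENDPOINTS):
    """Map (host, port) -> True if that service serves the expected cert;
    connection or handshake failures count as False instead of raising."""
    want = pem_fingerprint(expected_pem)
    status = {}
    for host, port, proto in endpoints:
        try:
            status[(host, port)] = served_fingerprint(host, port, proto) == want
        except (OSError, smtplib.SMTPException, imaplib.IMAP4.error):
            status[(host, port)] = False
    return status
```

Run it from the cron job right after the reload step, passing the contents of the freshly issued cert.pem; any False entry means that server is still serving the old certificate.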