I started to use Let's Encrypt and it is great. But I have one problem that I don't know how to handle.
I have a mail server mail1 and a web server web1, and both use mail.example.org with a certificate. The mail server handles encrypted mail (SMTP, IMAP, POP) and the web server handles encrypted webmail (HTTPS).
The A record for mail.example.org points to the mail server, but ports 80 and 443 are translated to the web server's address at the firewall router. So I can create a certificate for mail.example.org on the web server but not on the mail server.
The cert creation will start on mail1, but the letsencrypt check on port 443 will always point to the web server.
There are a lot of certificates, so I won't handle them by hand four or five times a year. I can imagine two solutions, but I am not inspired by either of them. I don't see a possibility for central renewal of certificates on the version control and packaging server. So I will have to create cron jobs on each server for renewal of the domains on that server. Then I could
a) collect all certificates from all servers onto the version control and packaging server, build a package with the certs, and distribute it to the servers
b) create an NFS share and mount it as /etc/letsencrypt on each server
Both possibilities require that services like Postfix, Apache and Dovecot are restarted after deploying a new certificate.
Possibility (b) has the disadvantage that I cannot use letsencrypt-auto in auto mode for all domains, but only for the domains that are on the server. Perhaps I should only mount /etc/letsencrypt/live.
Does anybody have a different and better approach? Or what would you suggest?
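To illustrate the "deploy, then restart the services" step that both of the options above need, here is an added example (not part of the question, and not anything the poster described running) of a certbot --deploy-hook that copies a freshly renewed certificate into a distribution directory and reloads the consuming services only when the key or chain actually changed. It assumes certbot on web1 obtains the mail.example.org certificate, that /srv/certs/mail.example.org is a directory synced or shared with mail1, and that `ssh mail1 'systemctl reload postfix dovecot'` is the reload command there; those paths, the hostname and the reload command are placeholders of mine, and certbot's RENEWED_LINEAGE variable is the one real interface used.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot --deploy-hook that
# pushes a renewed certificate into a distribution directory and reloads the
# consuming services only when the key or chain actually changed.
#
# Assumptions (mine, not the poster's): certbot on web1 obtains the
# mail.example.org certificate; DEST_DIR is a directory that is synced or
# shared with mail1; RELOAD_CMD reloads Postfix and Dovecot there. The
# hostname mail1, the path /srv/certs and the ssh reload command are
# placeholders.
set -eu

# install_if_changed SRC DST MODE
# Copies SRC to DST with permission MODE unless DST already has identical
# content. Writes via a temporary file and rename so a reader never sees a
# half-written key. Prints "changed" or "unchanged".
install_if_changed() {
    src="$1"; dst="$2"; mode="$3"
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        echo unchanged
        return 0
    fi
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp"
    chmod "$mode" "$tmp"
    mv "$tmp" "$dst"
    echo changed
}

# deploy_cert LIVE_DIR DEST_DIR RELOAD_CMD
# LIVE_DIR is certbot's lineage directory, e.g. /etc/letsencrypt/live/mail.example.org.
# The chain is public (0644); the private key must stay owner-only (0600).
# RELOAD_CMD runs only if at least one file changed, so a run that finds
# nothing new (a cron that calls the hook for every lineage, for instance)
# never bounces the mail services needlessly. Prints "reloaded" or "nothing-to-do".
deploy_cert() {
    live="$1"; dest="$2"; reload="$3"
    mkdir -p "$dest"
    changed=0
    for pair in "fullchain.pem:0644" "privkey.pem:0600"; do
        name="${pair%%:*}"; mode="${pair##*:}"
        r=$(install_if_changed "$live/$name" "$dest/$name" "$mode")
        if [ "$r" = changed ]; then
            changed=1
        fi
    done
    if [ "$changed" -eq 1 ]; then
        sh -c "$reload"
        echo reloaded
    else
        echo nothing-to-do
    fi
}

# When certbot runs this as --deploy-hook it exports RENEWED_LINEAGE (the
# live directory of the lineage that was just renewed). Outside certbot the
# variable is unset and nothing below runs, so the functions can be sourced.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" /srv/certs/mail.example.org \
        "ssh mail1 'systemctl reload postfix dovecot'"
fi
```

The two points worth copying into whatever distribution mechanism is chosen are the change detection (so the mail services are only reloaded when a renewal actually happened, not every time the cron fires) and the explicit 0600 on privkey.pem, which matters the moment the key leaves the certbot host for a package or a shared mount.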