Mail Server SSL On Another Machine?

I want to set up a new mail server on another machine, not the one where the sites are hosted, but I can't figure out how to get the certificates on it. Do I have to constantly copy them from the machine which is the web server? I don't think this is secure, because the letsencrypt folder is on the web server machine and owned by root, so maybe what I have to do is constantly archive this folder, send it to the other machine, extract it like every day or so, so it always has the latest keys, etc. Is there any way to issue certificates on the mail server only for the mail subdomain?

Constantly? No. Only when the certs are renewed which is typically every 60 days.

Probably. But if the existing webserver cert is good, I don't see why you would bother rather than just copying the needed files.

You'd have to provide more info for us to be more specific if copying the files is not workable, such as more answers from the questionnaire you were shown.

==============================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


It is workable, but not secure, IMHO. So I just chown the letsencrypt folder to some user, who can copy the data to the other machine with rsync on a regular basis? Another user already has access to the web server to back up some stuff, but does not have root access, so!? What is most secure to do here?

I mean regularly, because what if the certs renew on the original server and the mail server did not copy the renewed ones, yet. Mail fails? Can't have that.

My domain is: too many

I ran this command: sudo certbot certonly --standalone -d mail.domain.tld -i null

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mail.domain.tld

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: mail.domain.tld
Type: connection
Detail: XXX.XXX.XXX.XXX: Fetching http://mail.domain.tld/.well-known/acme-challenge/hK6TyYzirIFpk-fWANGlo0-VRRid_4IkvFZDjMt3hcM: Connection refused

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.23.2, but on another machine

The operating system my web server runs on is (include version): Ubuntu Linux 20.04.5

My hosting provider, if applicable, is: no hosting provider, collocated servers

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, just terminals

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.2

Deciding what is secure enough is for you to sort out. You have the best knowledge of your own system and users.

Certs are typically renewed every 60 days and have a life of 90 days. So, you have 30 days to copy a renewed cert to your mail server before it expires.

Debugging standalone is difficult without knowing the real domain name. Someone else may want to help, but it's too time-consuming for me today. You could add --debug-challenges -v to your certbot command to test the connection from the public internet. Something is blocking the HTTP request.


Would just copy certs to the other machine, where I will set up the mail server then, and that would be it. On the systems on both machines root is disabled and there is one separate admin user, who can sudo. No other users have sudo privileges, so I guess it will be fine if I just chown the letsencrypt folder on the source machine, so the target machine could regularly rsync.
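The copy-on-renewal approach discussed in this thread, as an added example (not a script from the original thread or from Certbot): a `--deploy-hook` that certbot runs only after a successful renewal, so nothing has to rsync "constantly". It dereferences the `live/` symlinks before copying (they point into `archive/` and would dangle on the other machine) and pushes only the mail lineage. The account `mailsync@mail.domain.tld`, the target directory `/etc/ssl/mail` and the service reload are assumptions to adapt.

```shell
#!/bin/sh
# Certbot deploy hook (assumed install path: /usr/local/bin/deploy-mail-cert.sh).
# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mail.domain.tld)
# only when a renewal succeeded, so this copies once per renewal, not daily.
set -eu

MAIL_CERT_NAME="${MAIL_CERT_NAME:-mail.domain.tld}"  # lineage name to ship (assumed)
MAIL_HOST="${MAIL_HOST:-mailsync@mail.domain.tld}"   # dedicated unprivileged sync account (assumed)
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/mail}"            # where postfix/dovecot read the files (assumed)

# Only the mail certificate is wanted on the mail server; ignore website lineages.
is_mail_lineage() {
    case "$1" in
        */"$MAIL_CERT_NAME") return 0 ;;
        *) return 1 ;;
    esac
}

# Copy fullchain/privkey with symlinks resolved (cp -L) and tight permissions.
stage_lineage() {
    lineage="$1"; stage="$2"
    mkdir -p "$stage"
    cp -L "$lineage/fullchain.pem" "$stage/fullchain.pem"
    cp -L "$lineage/privkey.pem" "$stage/privkey.pem"
    chmod 0644 "$stage/fullchain.pem"
    chmod 0600 "$stage/privkey.pem"
}

main() {
    lineage="$RENEWED_LINEAGE"
    is_mail_lineage "$lineage" || exit 0
    stage=$(mktemp -d)
    trap 'rm -rf "$stage"' EXIT
    stage_lineage "$lineage" "$stage"
    # Push as the unprivileged sync account; a sudoers entry on the mail server
    # is assumed to allow only the reload command.
    rsync -az "$stage/" "$MAIL_HOST:$REMOTE_DIR/"
    ssh "$MAIL_HOST" 'sudo systemctl reload postfix dovecot'
}

# Run only when invoked by certbot (RENEWED_LINEAGE is set), not when sourced.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Register it once with `certbot renew --deploy-hook /usr/local/bin/deploy-mail-cert.sh`, or put the path under `renew_hook` in the lineage's renewal config.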

On which server?


No. And the mail server only needs the certificate for the MX name. You can have two certificates. One for the websites, one for the mail services.

The certificate for example.com,www.example.com on the webserver.

And another for mail.example.com on the mail server.

Each certificate with its own certbot instance, completely independent of each other.


Does your firewall allow connections to that IP on port 80?


So let's figure out how to issue it. I have to set up a web server on the mail server machine in order to get a certificate for the mail subdomains!? What if I do not set up certbot on the mail server machine and just copy them from the web server machine? No good?

Of course, it allows.

The --standalone plugin takes care of a temporary webserver.


And port is 80? Weird. It is open. I will try again later.

Yes.

You can use the --debug-challenges and -v options for Certbot to pause Certbot when the internal webserver is running. It'll also show you the URL where the challenge should be available.

