Mailserver behind firewall

Hello

On my client's site I have replaced the border router (Mikrotik) with a Sophos XG firewall and made the necessary changes to the client's cPanel. I have added an additional A record, so now I have two A records for the same IP address:

  1. museo.muzejvojvodine.org.rs
  2. xg.muzejvojvodine.org.rs

This was done because the mailserver (Postfix) had the same hostname as the A record. The new firewall is used for mail protection (among other things) and acts as a mailserver itself (built in); after checking mail it forwards it to the existing Postfix. So now mails are accepted by xg.muzejvojvodine.org.rs, checked and forwarded to museo.muzejvojvodine.org.rs.
On the firewall I have opened port 80 temporarily and pointed it to Postfix, so now I can access the Postfix server's nginx on port 80 from outside.
Now that the existing mail certificate has expired I was trying to renew the cert, but when I execute the command:
certbot renew
I get the error message:

Waiting for verification...
Cleaning up challenges
Attempting to renew cert (museo.muzejvojvodine.org.rs) from /etc/letsencrypt/renewal/museo.muzejvojvodine.org.rs.conf produced an unexpected error: Failed authorization procedure. museo.muzejvojvodine.org.rs (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://museo.muzejvojvodine.org.rs/.well-known/acme-challenge/FApiEpcqWTKFOxcZI25ycIubp0vGUGEJUJXilppkHCs [94.247.203.234]: "\n\n503 Service Unavailable... Service". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/museo.muzejvojvodine.org.rs/fullchain.pem (failure)

IMPORTANT NOTES:

What am I doing wrong?
Thanks in advance

Hi @marxer, welcome to the LE community forum :slight_smile:

It is difficult to say.
You've made many changes recently, so it might be somewhere in there.

From a troubleshooting perspective...
You say:

But the error message shows:

and my own tests fail to connect on port 80:

curl -Iki museo.muzejvojvodine.org.rs
curl: (56) Recv failure: Connection reset by peer

So I would start there.
Because you will need a functional HTTP webserver before you can secure it (via HTTP authentication).

Note that certbot can temporarily set up a built-in webserver just for this purpose. So strictly there isn't a reason to require a webserver such as Apache or nginx.

Agreed, certbot could satisfy part of that functionality.
Having port 80 accessible is another part - that is completely out of certbot control.
The "functional HTTP webserver" is mentioned that way so as to include all the necessary parts.
[but I have been accused of using too few words - and also for having used too many words]


OK, first of all, sorry Rudy ... I had blocked port 80 at the end of the day ... it's open now

Additional info: it is an ISPConfig installation with nginx as the web server. This server has been running for more than a year and everything was OK until the firewall implementation. So I guess the server site configuration should be OK. What went wrong is still to be found :slight_smile:


Ok, now I see Apache answering on port 80.

Please use the staging environment while testing, with:
--dry-run

[once all the tests are passed, then switch to the production environment]

There is good reason why you should not start anything on a Friday. :slight_smile:
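For the troubleshooting step above (check what actually answers on port 80 before running certbot, then use --dry-run), here is a pre-flight script as an added example; it is not from the thread or from certbot. It drops a throwaway token in the local webroot, fetches it over plain HTTP by the public hostname the way the ACME validator does, and maps the answer (a 503 from an edge device, an unexpected Server banner such as Apache when nginx owns the webroot, a 404) onto the likely misconfiguration. The hostname, webroot path and expected Server banner in the usage line are assumptions.

```python
import http.client
import os
import secrets

CHALLENGE_DIR = ".well-known/acme-challenge"


def probe(host: str, token: str, timeout: float = 5.0):
    """GET the challenge URL on port 80; return (status, Server header, body)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return resp.status, resp.getheader("Server") or "", body
    finally:
        conn.close()


def diagnose(status: int, server: str, body: str, token: str, expected_server: str) -> str:
    """Map what port 80 returned onto the likely misconfiguration."""
    if status == 503:
        # The error in this thread: an edge device answered, not the webroot.
        return "503 from the edge device: port 80 is not reaching the web server"
    if expected_server and expected_server.lower() not in server.lower():
        # e.g. Apache answering when nginx hosts the webroot: wrong forward target.
        return f"wrong backend answered ('{server}'): check the port-80 forward rule"
    if status == 200 and body.strip() == token:
        return "ok"
    if status == 404:
        return "web server reached but token not served: check the webroot path"
    return f"unexpected response: HTTP {status}"


def preflight(host: str, webroot: str, expected_server: str) -> str:
    """Place a random token, probe it as the outside world sees it, clean up."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(token)
    try:
        return diagnose(*probe(host, token), token, expected_server)
    except OSError as exc:  # connection reset, timeout, DNS failure
        return f"cannot connect on port 80: {exc}"
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Assumed values: replace with your hostname, webroot and web server banner.
    print(preflight("mail.example.invalid", "/var/www/html", "nginx"))
```

Run it from the server that holds the webroot; only when it prints "ok" is a `certbot renew --dry-run` worth attempting.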

Rudy, it was strange when I read that you can see Apache instead of nginx on port 80! I have double-checked the forward rule and found that I had selected the wrong destination :frowning:
Well, when I fixed the forward rule the certbot renew command ended successfully, and after I restarted the web and mail services everything was just fine.

So, once again, it was a human error. Thanks Rudy for the valuable info that pointed me in the right direction
