Mailserver Cert | 1IP | Natting | 443 used


#1

Hi.
I have the following scenario:
There is one IP where several servers are running services which are reached via natting. I have 1 webserver which needs to have all traffic to ports 80 and 443 forwarded. Also I have one mail server. The mail server needs a cert. Also it needs to be configured for automatic renewal. Since port 443 is used by another forwarding rule, I cannot see how I could use this port again. The only solution as far as I can see is to know the IP range of Letsencrypt and use it to only forward these packages to the mail server. Is there any known IP range which won't change? Or is it possible to use another port or does anybody see a better solution for this?

Thank you for your help,
Steffi


#2

Hi @steffi

Is it possible that you run certbot, so certbot can create a directory in the DocumentRoot of this webserver?

If yes, don’t forward the traffic of /.well-known/acme-challenge, instead let this webserver answer.

Then you have to create a script so the certificate is copied to the mailserver.

Does this webserver have its own certificate?


#3

Hi Jürgen.
Thanks for your help.
I have full control of the web server, yes. The mail server will need its own cert for a specific CN.
I got your suggestion but this will give me an additional dependency in my setup which I would like to avoid if possible (web server is needed in order to have mail server configured correctly).


#4

Firstly:
All new certs must be authenticated via HTTP (or DNS, or TLS-ALPN)
And very soon, all renewals will also be done in the same way.
[TLS-SNI is no longer supported for new certs and ending for renewals soon]

That said, there are some choices on how you can handle those HTTP auth requests.
They mainly revolve around how much access the two (or more) systems have to each other.
If they can copy files from one another, then you can do as @JuergenAuer suggests:
Use an ACME client on the server that terminates the port 80 and port 443.

If “copying” files is NOT an option (or by your own choice), then you can proxy the http connections directly to the other server(s) and let them handle their own certs with their own ACME clients.
[assuming you can use the “main” web server as a reverse proxy - most new web servers can do this]


#5

Got you, reverse proxying…
The standalone variant seems to bring its own webserver for the renewal process. Is this the acme client you meant and what you would recommend?

If not, would you mind letting me know which acme client especially you are referring to?

Thanks for your help.


#6

The ACME client should work on the system you have.
[primarily it should fit the O/S - like certbot won’t run on Windows]

So…

  1. What is the O/S of the main web server?
  2. What is the web server software and version?
  3. What is the O/S of the mail server?

#7

It’s all about Linux :D)
Web server is Apache, version should be 2.4.29.

But wait…
I need certs for the web server also. So I guess reverse proxying is not a way to go since both boxes will need the above mentioned directory…

Am I right?


#8

If you understand SNI, then you can see how it can serve many sites (including itself).
So, yes, it is possible.
Each “site” has its own configuration.
Those that are external to that system can be proxied.
Those that are internal can be served locally.

'NIX ON!


#9

Got you.
So reverse proxying with standalone version of certbot on mail server is the solution?


#10

Not standalone.
The email server must use:
--webroot -w /the/doc/root/path
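Putting #4, #8 and #10 together as an Apache 2.4 configuration for the main web server (an added example, not posted by anyone in this thread; the host names, the internal mail-server address 10.0.0.20 and the paths are assumed):

```apache
# Added example, not from the thread. Assumptions: the main web server hosts
# www.example.com itself, the mail server is reachable internally at 10.0.0.20
# on port 80, and mod_proxy + mod_proxy_http are enabled (a2enmod proxy proxy_http).
# HTTP-01 validation arrives on port 80, so port 443 is never involved.

# Site served locally: its ACME challenges are answered from its own DocumentRoot
# (certbot --webroot -w /var/www/html -d www.example.com writes the tokens there).
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
    <Directory /var/www/html/.well-known/acme-challenge>
        Require all granted
    </Directory>
</VirtualHost>

# Name-based vhost for the mail server's hostname: only the ACME challenge path
# is proxied, everything else is denied so the web server does not become a
# general-purpose proxy into the internal network.
<VirtualHost *:80>
    ServerName mail.example.com
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        "/.well-known/acme-challenge/" "http://10.0.0.20/.well-known/acme-challenge/"
    ProxyPassReverse "/.well-known/acme-challenge/" "http://10.0.0.20/.well-known/acme-challenge/"
    <Location "/">
        Require all denied
    </Location>
    # The more specific Location comes last so its Require replaces the deny above.
    <Location "/.well-known/acme-challenge/">
        Require all granted
    </Location>
</VirtualHost>
```

On the mail server, a web server listening on the internal address serves the assumed directory /var/www/acme, and certbot is run there with `--webroot -w /var/www/acme -d mail.example.com`; renewals then work without any file copying between the two boxes.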


#11

You are the man, rg305.
Will remember your nick. You’ll get extra treatment in the forums I am at :D)

Thanks so much. Have a good time.
Cheers
Steffi


#12

Cheers!
Feel free to ask me questions directly if you get stuck…