Mailserver certificates: general concepts


#1

I’ve got a LE-issued certificate on a webserver and I mostly understand the procedure for creating and renewing a certificate on a host where a webserver is running all the time. But I’m not sure how to manage a cert for a dedicated mail server, one that didn’t necessarily have a webserver.

As I understand it, the web-based challenge assumes that the CA will contact the hostname specified in the certificate request. This seems to indicate that a webserver must be running on the host that needs the cert, at least temporarily. For renewals, I’m not sure if the challenge is issued again. Can you guys confirm or refute these specific assumptions and maybe point to some guidance on how one would manage the certificates on a mail server?

Thanks,

Chuck


#2

Hi @cmusser, the challenge typically does need to be issued again for a renewal, so if you’re using a web-based verification method, you do need to arrange for a web server to be able to answer for that name at the time of renewal.

For mail servers in particular, there is a separate kind of DNS record used to decide where to route e-mail deliveries – the MX record. So although this isn’t relevant to everyone’s situation, it could be possible to have a different A record pointing to a web server that’s used for CA verification purposes (because your MX and A records do not have to point to the same place, and the former is used for mail delivery and the latter for domain verification).

Probably a more convenient option for mail servers generally would be DNS-based verification where you put challenge strings into DNS records (and don’t necessarily have to run any Let’s Encrypt-related software on the server that will ultimately use the certificate). In this case you should ideally have access to an automated way to make changes to your DNS zone.


#3

OK, thanks for clarifying about requests and renewal.

The hamfisted way is to fire up a webserver whenever renewal happens. Not pretty, but might get me up and running.

Configuring an A record different than the MX might actually be workable, but I guess it would be best to either do it temporarily or have another A record provisioned for the mailserver’s address so that “normal” DNS resolution would lead to the actual mailserver (for stuff like SSH).

The DNS-based challenge seems elegant, because it gets cert management off the mail machine, but it relies on the client being able to interact with the DNS provider. I’m pretty sure that the ACME client I’m using only handles the HTTP type of challenge.

Good food for thought. Thanks!

Chuck


#4

With DNS you gain the power of delegation and aliases. You could set up a permanent CNAME for the challenge record to a different machine that you could update in real time more easily.
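The DNS-based verification from #2 and the CNAME delegation from #4, modelled as an added example (not code from this thread or from any ACME client): a constructed in-memory zone where `_acme-challenge.mail.example.com` is a permanent CNAME to a name on an easily updated host, the DNS-01 TXT value is computed as RFC 8555 specifies, and the CA's lookup follows the CNAME before comparing. Hostnames, the IP address, the token and the thumbprint are all constructed placeholders.

```python
import base64
import hashlib


def make_zone():
    # Constructed records, not a real zone. MX delivers mail to mail.example.com;
    # the challenge name for that host is a permanent CNAME to a name on a
    # machine (dns-updater.example.net) whose DNS can be changed in real time.
    return {
        "example.com.": [("MX", "10 mail.example.com.")],
        "mail.example.com.": [("A", "192.0.2.25")],
        "_acme-challenge.mail.example.com.": [("CNAME", "_acme-challenge.dns-updater.example.net.")],
        "_acme-challenge.dns-updater.example.net.": [("TXT", "stale-value")],
    }


def key_authorization_digest(token, jwk_thumbprint):
    # DNS-01 TXT value (RFC 8555 section 8.4): base64url(SHA-256(token "." thumbprint))
    # with the base64 padding removed.
    raw = hashlib.sha256(f"{token}.{jwk_thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def resolve_txt(zone, name, max_hops=8):
    # Follow CNAMEs the way the CA's resolver does; return (final name, TXT values).
    for _ in range(max_hops):
        records = zone.get(name, [])
        cnames = [v for t, v in records if t == "CNAME"]
        if not cnames:
            return name, [v for t, v in records if t == "TXT"]
        name = cnames[0]
    raise RuntimeError(f"CNAME chain too long starting at {name}")


def publish_challenge(zone, hostname, token, jwk_thumbprint):
    # The ACME client writes the TXT at the delegated target, not in the mail host's zone.
    target, _ = resolve_txt(zone, f"_acme-challenge.{hostname}.")
    zone[target] = [("TXT", key_authorization_digest(token, jwk_thumbprint))]
    return target


def ca_validates(zone, hostname, token, jwk_thumbprint):
    # The CA's check: some TXT at _acme-challenge.<hostname> (after CNAMEs) equals the digest.
    _, txts = resolve_txt(zone, f"_acme-challenge.{hostname}.")
    return key_authorization_digest(token, jwk_thumbprint) in txts


def run_demo(token="constructed-token", thumbprint="constructed-thumbprint"):
    zone = make_zone()
    before = ca_validates(zone, "mail.example.com", token, thumbprint)
    target = publish_challenge(zone, "mail.example.com", token, thumbprint)
    after = ca_validates(zone, "mail.example.com", token, thumbprint)
    return {"before": before, "target": target, "after": after,
            "mail_host_records": zone["_acme-challenge.mail.example.com."]}
```

Because only the delegated target ever changes, the mail server's own zone needs no automation and no Let's Encrypt software has to run on the mail host itself.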

