Newbie macOS + Server & DNS challenge & multiple domains


#1

I’m a newbie planning to use letsencrypt for my macOS based services. Currently I’m using my own CA and distribute its root to the systems that need it. But I need a wider coverage.

I’ve been looking at letsencrypt and my main problem is that I want to have this fully automated, so I can set up a cron job. Covering the main web site will be easy enough, I suspect, but currently I’m using a wildcard certificate to cover all services. I have no problem using specific certificates for all services that I use, as long as I can rely on autorenewal and the service doesn’t get interrupted.

My first question is: if I use a DNS challenge, does that mean that on each renewal, the challenge in the _acme-challenge TXT record will have to change? If so, I cannot automate that, as my DNS is hosted externally (split DNS, actually).

My second question is: if I do not use wildcards and I try to get a certificate for (say) www.rna.nl and mail.rna.nl (for postfix) is it enough to have control over the webroot of www.rna.nl or does mail.rna.nl have to have a web server that listens on port 443 as well?


#2

Hi @gctwnl

Yes, the value will change. New order -> new challenge -> new challenge token -> new key authorization -> new SHA256 of the key authorization -> stored as value. But if your provider doesn’t support a DNS API, you can create a CNAME to another DNS service with API support.

You must show that you control every domain name. So if you use http-01 validation, you need a webserver under mail.rna.nl. But this isn’t really a problem.

Use the existing webserver, add a new A-record mail.rna.nl -> same ip, add a redirect mail.rna.nl -> www.rna.nl, then you can use the existing webserver.
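
The derivation in the reply above, as an added worked example (not code from the thread, from Let’s Encrypt or from any ACME client): it builds the dns-01 TXT value from the challenge token and the account key exactly as RFC 8555 and RFC 7638 specify, shows the http-01 counterpart, and models the CNAME delegation trick with a constructed zone. The account key coordinates, the tokens, and the delegation target `rna-nl.acme-dns.example` are placeholders; only `rna.nl` comes from the thread.

```python
"""dns-01 / http-01 challenge material as an ACME client computes it,
plus the CNAME-delegated lookup a CA performs. Added example; the JWK
coordinates, tokens and the acme-dns.example zone are constructed."""
import base64
import hashlib
import json
from typing import Dict, List, Tuple, Union


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account key: SHA-256 over the required
    public members only, serialised with sorted keys and no whitespace.
    Optional members such as "kid" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the accepting account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> Tuple[str, str]:
    """http-01 (RFC 8555 section 8.3): the CA fetches this path on port 80
    of every name in the order and expects the key authorization as body."""
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))


def dns01_record_name(identifier: str) -> str:
    return f"_acme-challenge.{identifier}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """dns-01 (RFC 8555 section 8.4): base64url(SHA-256(key authorization)).
    The token is fresh per challenge, so the TXT value changes every order."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


Record = Dict[str, Union[str, List[str]]]  # {"CNAME": target} or {"TXT": [values]}


def lookup_txt(zone: Dict[str, Record], name: str, max_cnames: int = 8) -> List[str]:
    """TXT lookup that follows CNAMEs like a validating resolver; this is what
    lets _acme-challenge live at an API-capable provider while the main zone stays put."""
    for _ in range(max_cnames + 1):
        rr = zone.get(name)
        if rr is None:
            return []
        if "CNAME" in rr:
            name = str(rr["CNAME"])
            continue
        return list(rr.get("TXT", []))
    raise ValueError("CNAME chain too long")


def ca_validates_dns01(zone: Dict[str, Record], identifier: str,
                       token: str, account_jwk: dict) -> bool:
    """What the CA checks: the expected value must appear in the resolved TXT set."""
    return dns01_txt_value(token, account_jwk) in lookup_txt(zone, dns01_record_name(identifier))


# Constructed account key: placeholder coordinates, not a real P-256 point.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "placeholder-x-coordinate-not-a-real-key-000",
               "y": "placeholder-y-coordinate-not-a-real-key-000",
               "kid": "https://acme.example/acct/1"}  # ignored by the thumbprint

# Constructed tokens, standing in for two successive orders' challenges.
TOKEN_ORDER_1 = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
TOKEN_ORDER_2 = "ZLbU9KfSZyETdANgWU2e6DXbnxu3ooiJnQaCr9pDStc"


def build_delegated_zone(token: str) -> Dict[str, Record]:
    """Zone as the CA sees it: rna.nl's externally hosted DNS carries only a
    static CNAME; the API-capable provider (acme-dns.example, constructed)
    holds the TXT record that the renewal job rewrites each time."""
    return {
        "_acme-challenge.rna.nl": {"CNAME": "rna-nl.acme-dns.example"},
        "rna-nl.acme-dns.example": {"TXT": [dns01_txt_value(token, ACCOUNT_JWK)]},
    }


if __name__ == "__main__":
    for token in (TOKEN_ORDER_1, TOKEN_ORDER_2):
        print(dns01_record_name("rna.nl"), "TXT", dns01_txt_value(token, ACCOUNT_JWK))
    print("validates:", ca_validates_dns01(build_delegated_zone(TOKEN_ORDER_1),
                                           "rna.nl", TOKEN_ORDER_1, ACCOUNT_JWK))
```

The point for the original poster is the split between the two zones: the CNAME in the externally hosted zone is written once and never changes, while only the TXT record at the delegated provider is rewritten on each renewal, which is the part a cron job can drive through that provider's API.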


#3

Thank you. I can’t add another A record for mail.rna.nl that points to the same IP as www.rna.nl as both have separate IP addresses. But I can of course add a virtual host for mail.rna.nl with an empty web site and allow port 443 traffic to that.


#4

If your mail.rna.nl has another IP address and its own A-record, you must have a running webserver there.

Without an A-record pointing to an IP address, this website isn’t visible.


#5

Yes, I understand this. mail.rna.nl is currently only listening on mail ports in the outside world, www.rna.nl is listening on 80/443. To be able to create a letsencrypt cert for mail on mail.rna.nl I must make sure mail.rna.nl is running a web server which is exposed to the outside world. I’d rather not, as it is running a webmail environment which I do not want to expose to the outside world.