Obtain certificate for backup email server on third-level domain


#1

Hi friends,
more than a month ago I opened a thread, certificates-for-postfix-backup-server, where the question was how to get a certificate for a backup email server located on a different domain than the main server.

Now my situation is:

  1. On the primary email server there is Apache/Postfix with some domains and their certificates. The FQDN of this server is “server.sio4.org”.
  2. For the second server I’ve set the FQDN “server2.sio4.org” and added it to the DNS table as an “A” record with its IP, creating a third-level domain.
  3. I don’t know if I want to install Apache on the new server. Tell me if that is appropriate/suitable.

My question is:

Could I use the standalone plugin in this case too?

Many many thanks!

Davide
Italy


#2

If there’s no web listener on that server at all, you could use standalone.

There is also an authentication method using DNS records (that doesn’t require a web server) if you’re able to update your DNS records.


#3

Hi Shoen! I’ve read the Let’s Encrypt User Guide, but it is not so clear how to use the standalone plugin in this scenario.

Would it be fine like this?

certbot certonly --standalone --preferred-challenges tls-sni -d domainname.aab -d domainname.aac -d domainname.aaf

Where the domain certificates here are used only for the backup email server.

Could you give me more information about this method, please?

many thanks!


#4

Yes, that looks OK to me. This assumes that you can receive inbound connections from the Internet on port 443 and that nothing is currently using that port on the server.

We need to improve the documentation here, but for Certbot it’s currently handled by manual:

The bash clients (like acme.sh, getssl, and dehydrated) are famous for having more extensive and convenient support for DNS authentication, including, for example, support for a whole lot of DNS provider APIs in acme.sh.


#5

Ok, I’ve tried to run certbot with the standalone plugin for the first time, but some errors occurred:

I’ve tried to run:

certbot certonly --standalone --preferred-challenges tls-sni -d sio4.org -d mail.sio4.org -d smtp.sio4.org

and these are the errors:

Failed authorization procedure. mail.sio4.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 8ddd989f0a2d14e40c87c0312efba18f.5fd5d3275ae065de9b2732db9e1d6fb2.acme.invalid from 91.205.175.213:443. Received 2 certificate(s), first certificate had names “cosmogonia.org, hotelsangiorgioriccione.com, imap.cosmogonia.org, imap.pergraziaricevuta.it, mail.hotelsangiorgioriccione.com, mail.sio4.org, mail.veronalive.it, pergraziaricevuta.it, pop.cosmogonia.org, pop.pergraziaricevuta.it, pop.sio4.org, server.sio4.org, sio4.org, smtp.cosmogonia.org, smtp.hotelsangiorgioriccione.com, smtp.pergraziaricevuta.it, smtp.sio4.org, smtp.veronalive.it, veronalive.it, vini-bulgarini.com, www.cosmogonia.org, www.hotelsangiorgioriccione.com, www.pergraziaricevuta.it, www.sio4.org, www.veronalive.it, www.vini-bulgarini.com”, sio4.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b09b1ab24b82f67c82494f4a25a547d3.6af64a1293a503a5cd84fe0951e5790c.acme.invalid from 91.205.175.213:443. Received 2 certificate(s), first certificate had names “cosmogonia.org, hotelsangiorgioriccione.com, imap.cosmogonia.org, imap.pergraziaricevuta.it, mail.hotelsangiorgioriccione.com, mail.sio4.org, mail.veronalive.it, pergraziaricevuta.it, pop.cosmogonia.org, pop.pergraziaricevuta.it, pop.sio4.org, server.sio4.org, sio4.org, smtp.cosmogonia.org, smtp.hotelsangiorgioriccione.com, smtp.pergraziaricevuta.it, smtp.sio4.org, smtp.veronalive.it, veronalive.it, vini-bulgarini.com, www.cosmogonia.org, www.hotelsangiorgioriccione.com, www.pergraziaricevuta.it, www.sio4.org, www.veronalive.it, www.vini-bulgarini.com”, smtp.sio4.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. 
Requested cc02f834808f13dddc9d9fa916a5bb74.ad9f5f0654f52e2617c7be2410618374.acme.invalid from 91.205.175.213:443. Received 2 certificate(s), first certificate had names “cosmogonia.org, hotelsangiorgioriccione.com, imap.cosmogonia.org, imap.pergraziaricevuta.it, mail.hotelsangiorgioriccione.com, mail.sio4.org, mail.veronalive.it, pergraziaricevuta.it, pop.cosmogonia.org, pop.pergraziaricevuta.it, pop.sio4.org, server.sio4.org, sio4.org, smtp.cosmogonia.org, smtp.hotelsangiorgioriccione.com, smtp.pergraziaricevuta.it, smtp.sio4.org, smtp.veronalive.it, veronalive.it, vini-bulgarini.com, www.cosmogonia.org, www.hotelsangiorgioriccione.com, www.pergraziaricevuta.it, www.sio4.org, www.veronalive.it, www.vini-bulgarini.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: mail.sio4.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
8ddd989f0a2d14e40c87c0312efba18f.5fd5d3275ae065de9b2732db9e1d6fb2.acme.invalid
from 91.205.175.213:443. Received 2 certificate(s), first
certificate had names “cosmogonia.org, hotelsangiorgioriccione.com,
imap.cosmogonia.org, imap.pergraziaricevuta.it,
mail.hotelsangiorgioriccione.com, mail.sio4.org,
mail.veronalive.it, pergraziaricevuta.it, pop.cosmogonia.org,
pop.pergraziaricevuta.it, pop.sio4.org, server.sio4.org, sio4.org,
smtp.cosmogonia.org, smtp.hotelsangiorgioriccione.com,
smtp.pergraziaricevuta.it, smtp.sio4.org, smtp.veronalive.it,
veronalive.it, vini-bulgarini.com, www.cosmogonia.org,
www.hotelsangiorgioriccione.com, www.pergraziaricevuta.it,
www.sio4.org, www.veronalive.it, www.vini-bulgarini.com

Domain: sio4.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
b09b1ab24b82f67c82494f4a25a547d3.6af64a1293a503a5cd84fe0951e5790c.acme.invalid
from 91.205.175.213:443. Received 2 certificate(s), first
certificate had names “cosmogonia.org, hotelsangiorgioriccione.com,
imap.cosmogonia.org, imap.pergraziaricevuta.it,
mail.hotelsangiorgioriccione.com, mail.sio4.org,
mail.veronalive.it, pergraziaricevuta.it, pop.cosmogonia.org,
pop.pergraziaricevuta.it, pop.sio4.org, server.sio4.org, sio4.org,
smtp.cosmogonia.org, smtp.hotelsangiorgioriccione.com,
smtp.pergraziaricevuta.it, smtp.sio4.org, smtp.veronalive.it,
veronalive.it, vini-bulgarini.com, www.cosmogonia.org,
www.hotelsangiorgioriccione.com, www.pergraziaricevuta.it,
www.sio4.org, www.veronalive.it, www.vini-bulgarini.com

Domain: smtp.sio4.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
cc02f834808f13dddc9d9fa916a5bb74.ad9f5f0654f52e2617c7be2410618374.acme.invalid
from 91.205.175.213:443. Received 2 certificate(s), first
certificate had names “cosmogonia.org, hotelsangiorgioriccione.com,
imap.cosmogonia.org, imap.pergraziaricevuta.it,
mail.hotelsangiorgioriccione.com, mail.sio4.org,
mail.veronalive.it, pergraziaricevuta.it, pop.cosmogonia.org,
pop.pergraziaricevuta.it, pop.sio4.org, server.sio4.org, sio4.org,
smtp.cosmogonia.org, smtp.hotelsangiorgioriccione.com,
smtp.pergraziaricevuta.it, smtp.sio4.org, smtp.veronalive.it,
veronalive.it, vini-bulgarini.com, www.cosmogonia.org,
www.hotelsangiorgioriccione.com, www.pergraziaricevuta.it,
www.sio4.org, www.veronalive.it, www.vini-bulgarini.com

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

It’s not clear to me why; could you clarify where I’m wrong?

many thanks


#6

This shows that there is an existing HTTPS server running on mail.sio4.org. Above, you said you thought there wasn’t?

Indeed, the link https://mail.sio4.org/ works in a browser, which definitely shouldn’t be the case if there is no HTTPS server running there…


#7

On server.sio4.org there is a web and mail server.
On server2.sio4.org there isn’t a web server.

server.sio4.org is the first email server.
server2.sio4.org will become the new backup server.

I have to check why https://mail.sio4.org is reachable via the web, maybe it’s not really what I would… :-/

thanks


#8

There are some things I don’t understand.
On the principal server (server.sio4.org) I make use of a single global certificate that includes the web addresses and even the email service addresses. On the new email backup server (server2.sio4.org), can the standalone plugin tap into these?

And how should the DNS records possibly be modified?

many thanks


#9

You cannot use --apache or --standalone methods on a server that the domain name(s) you’re requesting a certificate for are not currently pointed at. If you’re running Certbot on the backup server but server.sio4.org doesn’t point to the backup server, Certbot won’t be able to use these methods to obtain a certificate for that name.

The main options would be to obtain the certificate on the main server, or use the DNS validation method (which doesn’t require a direct server connection).
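The failure in post #5 and the rule stated here in post #9 can both be checked mechanically before running certbot again. The following is an added example, not code from this thread or from Certbot itself: it parses the IMPORTANT NOTES block certbot printed to find out which host actually answered the validation connection and whether the certificate it got back was certbot's own challenge certificate, and it runs a DNS-versus-local-IP preflight for the names you intend to request with --standalone. The sample notes are an abbreviated constructed copy of post #5's output; the zone mapping and the backup server's address 203.0.113.2 are assumptions.

```python
# Added example (not from the thread, not Certbot's code): checks for the
# tls-sni-01 failure in post #5 and the "name must point at this host" rule
# from post #9.
import re

# Constructed sample: an abbreviated copy of the certbot output in post #5.
SAMPLE_NOTES = """\
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mail.sio4.org
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   8ddd989f0a2d14e40c87c0312efba18f.5fd5d3275ae065de9b2732db9e1d6fb2.acme.invalid
   from 91.205.175.213:443. Received 2 certificate(s), first
   certificate had names "mail.sio4.org, server.sio4.org, sio4.org,
   smtp.sio4.org, www.sio4.org"

   Domain: smtp.sio4.org
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   cc02f834808f13dddc9d9fa916a5bb74.ad9f5f0654f52e2617c7be2410618374.acme.invalid
   from 91.205.175.213:443. Received 2 certificate(s), first
   certificate had names "mail.sio4.org, server.sio4.org, sio4.org,
   smtp.sio4.org, www.sio4.org"
"""

# Constructed zone: 91.205.175.213 is the main server's address from the log;
# 203.0.113.2 is an ASSUMED address for the backup server server2.sio4.org.
SAMPLE_ZONE = {
    "sio4.org": {"91.205.175.213"},
    "mail.sio4.org": {"91.205.175.213"},
    "smtp.sio4.org": {"91.205.175.213"},
    "server.sio4.org": {"91.205.175.213"},
    "server2.sio4.org": {"203.0.113.2"},
}

BLOCK_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*Type:\s*(?P<type>\S+)\s*Detail:\s*"
    r"(?P<detail>.*?)(?=\n\s*Domain:|\Z)",
    re.S,
)
REQUESTED_RE = re.compile(r"Requested\s+(?P<sni>\S+\.acme\.invalid)")
FROM_RE = re.compile(r"from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
NAMES_RE = re.compile(r'had names\s+["“](?P<names>.*?)["”]', re.S)


def parse_certbot_failure(text):
    """One record per failed domain in certbot's IMPORTANT NOTES block."""
    records = []
    for m in BLOCK_RE.finditer(text):
        detail = m.group("detail")
        sni = REQUESTED_RE.search(detail)
        peer = FROM_RE.search(detail)
        names = NAMES_RE.search(detail)
        received = []
        if names:
            flat = names.group("names").replace("\n", " ")
            received = [n.strip() for n in flat.split(",") if n.strip()]
        requested = sni.group("sni") if sni else None
        records.append({
            "domain": m.group("domain"),
            "type": m.group("type"),
            "validation_ip": peer.group("ip") if peer else None,
            "validation_port": int(peer.group("port")) if peer else None,
            "requested_sni": requested,
            "received_names": received,
            # certbot's own challenge certificate carries the *.acme.invalid
            # name; if it is missing, some other TLS server answered port 443.
            "foreign_tls_server": requested is not None and requested not in received,
        })
    return records


def standalone_preflight(requested_names, a_records, local_ips):
    """Names --standalone cannot validate on this host: no A record, or
    A records that include none of this host's public IPs."""
    local = set(local_ips)
    problems = {}
    for name in requested_names:
        targets = set(a_records.get(name, ()))
        if not targets:
            problems[name] = "no A record"
        elif not targets & local:
            problems[name] = "resolves to " + ", ".join(sorted(targets)) + ", not this host"
    return problems


def diagnose(notes_text, local_ips):
    """Map each failed domain to a one-line explanation of the failure."""
    local = set(local_ips)
    out = {}
    for rec in parse_certbot_failure(notes_text):
        if rec["validation_ip"] and rec["validation_ip"] not in local:
            out[rec["domain"]] = ("validator connected to %s, not this host: fix DNS "
                                  "or run certbot where the name points" % rec["validation_ip"])
        elif rec["foreign_tls_server"]:
            out[rec["domain"]] = ("another TLS server answered port %d here: stop it "
                                  "during validation or use webroot/dns-01" % rec["validation_port"])
        else:
            out[rec["domain"]] = rec["type"] + ": see detail"
    return out


if __name__ == "__main__":
    for domain, why in diagnose(SAMPLE_NOTES, {"203.0.113.2"}).items():
        print(domain, "->", why)
    print(standalone_preflight(["sio4.org", "mail.sio4.org", "server2.sio4.org"],
                               SAMPLE_ZONE, {"203.0.113.2"}))
```

Run from the backup server with its own public IPs in local_ips: the preflight reports sio4.org and mail.sio4.org as resolving to the main server, which is exactly why the validator reached 91.205.175.213 and got the main server's Apache certificate instead of certbot's challenge certificate. The same parser, run with the main server's IP as local, flags the other failure mode from post #6: an HTTPS listener already occupying port 443 where --standalone expects to bind.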


#10

I’ve looked into the DNS validation method (dns-01 challenge validation), but there are too many issues, mainly related to the automation process.

I’ve seen this post and I think this could be the best way. Of course, it is also necessary to install a web server on the backup server, but it is not so bad if it overcomes all the renewal issues.

Could you confirm this approach?

from @danday74:

location ~ /.well-known/acme-challenge/ {
    proxy_pass http://ctrl.mydomain.com:80;
}

Using nginx I added this location to ALL server blocks.

You then run Let’s Encrypt on the machine ctrl.mydomain.com (this machine typically is the controller machine, and is not serving web stuff; its pure purpose from a web POV is to handle incoming cert requests. If you don’t know what a controller machine is then read up on Ansible).

To make it work I had to use the webroot plugin for Let’s Encrypt. I could not get standalone mode to work.

My A records look like …

www01.mydomain.com points to 1.2.3.4
www02.mydomain.com points to 2.3.4.5
ctrl.mydomain.com points to 3.4.5.6
mydomain.com points to 1.2.3.4 and 2.3.4.5 (multiple A records)
www.mydomain.com is an alias (CNAME) for mydomain.com

NGINX runs on www01 and www02 on port 80 to load balance requests (e.g. www01 load balances between www01 and www02; www02 ALSO load balances between www01 and www02).

The above Let’s Encrypt location block is added to NGINX running on both www01 and www02 for all NGINX server blocks.

Now run Let’s Encrypt in webroot mode (you will need to stand up a web server on your controller machine) and request a single certificate for www01.mydomain.com www02.mydomain.com mydomain.com www.mydomain.com

When you run this command on your controller machine (ctrl.mydomain.com) it will fire off a request to each of the 4 domains in turn. Every single request will be proxied back to ctrl.mydomain.com via NGINX.

bosh!

2 tips

1 - To use webroot mode you will need to have a basic web server running on ctrl.domain.com which can serve content from a specified directory.

2 - Do not use standalone mode; I could not get it to work.

3 - This solution sits very nicely if you are using Ansible, since the certs will live on the controller machine and can be copied across to all slave machines with a single command.

many thanks!


#11

This should work fine. Other people achieved a similar result in what I think is an even simpler way by sending 301 redirects to the control machine, because the validator is willing to follow redirects.


#12

I use standalone on my mail server, my mail server does have apache running for Postfix Admin to run but all I do is simply run my cron as follows.

sudo ./certbot-auto renew --pre-hook "service apache2 stop" --post-hook "service apache2 restart"

The conf files for my mail server certificate are already set to use standalone as the authenticator.

And then I trigger a second shell script to restart all mail services:

#!/bin/bash
# Restart every mail-related service so it picks up the renewed certificate.
sudo service postfix restart
sudo service spamassassin restart
sudo service clamav-daemon restart
sudo service amavis restart
sudo service dovecot restart
exit 0
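A variant of the restart script above, as an added example that is not the poster's code: a certbot deploy hook that restarts the mail services only when the certificate file actually changed, so a renewal run that renewed nothing (or a manually repeated run) does not bounce Postfix and Dovecot. It relies on certbot exporting RENEWED_LINEAGE (the live directory of the certificate that was just renewed) to --deploy-hook scripts; the state-file path /var/lib/mail-deploy-hook.state and the service order are assumptions, and demo() works on a constructed lineage directory so it runs offline.

```python
# Added example (not from the thread): a certbot --deploy-hook in the spirit
# of post #12's restart script, guarded by a certificate fingerprint so
# services are restarted only when the certificate really changed.
import hashlib
import os
import subprocess
import tempfile

# Services from post #12's script; the order here is an assumption.
MAIL_SERVICES = ["postfix", "dovecot", "amavis", "spamassassin", "clamav-daemon"]


def cert_fingerprint(path):
    """SHA-256 of the PEM file; any re-issued certificate changes it."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def cert_changed(cert_path, state_path):
    """Compare against the fingerprint recorded on the previous run and
    record the new one when it differs."""
    current = cert_fingerprint(cert_path)
    previous = None
    if os.path.exists(state_path):
        with open(state_path) as f:
            previous = f.read().strip()
    if current == previous:
        return False
    with open(state_path, "w") as f:
        f.write(current + "\n")
    return True


def restart_commands(services):
    """The 'service X restart' invocations from post #12, as argv lists."""
    return [["service", name, "restart"] for name in services]


def run_hook(lineage_dir, state_path, services=MAIL_SERVICES, dry_run=False):
    """Restart the listed services if <lineage>/fullchain.pem changed.
    Returns the commands that were (or, with dry_run, would be) run."""
    cert = os.path.join(lineage_dir, "fullchain.pem")
    if not cert_changed(cert, state_path):
        return []
    cmds = restart_commands(services)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


def demo():
    """Offline walk-through on a constructed lineage directory: the first run
    restarts, an unchanged certificate is a no-op, a re-issued one restarts."""
    root = tempfile.mkdtemp()
    lineage = os.path.join(root, "live", "server2.sio4.org")
    os.makedirs(lineage)
    state = os.path.join(root, "deploy-hook.state")
    cert = os.path.join(lineage, "fullchain.pem")
    with open(cert, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nconstructed-cert-A\n")
    first = run_hook(lineage, state, dry_run=True)
    second = run_hook(lineage, state, dry_run=True)
    with open(cert, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nconstructed-cert-B\n")
    third = run_hook(lineage, state, dry_run=True)
    return first, second, third


if __name__ == "__main__":
    lineage = os.environ.get("RENEWED_LINEAGE")
    if lineage:
        # Real invocation: certbot renew --deploy-hook /path/to/this-script.py
        # (state path below is an assumed location, adjust to taste).
        run_hook(lineage, "/var/lib/mail-deploy-hook.state")
    else:
        print(demo())
```

Hook it in with `certbot renew --deploy-hook /path/to/this-script.py` alongside the --pre-hook/--post-hook pair above: certbot runs a deploy hook once per certificate that was actually renewed, and the fingerprint check additionally makes the script safe to call from a plain cron job or by hand.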

#13

Hi friends,
still about obtaining certificates for the backup email server,
I would appreciate, if possible, some more clarification about this procedure.

My doubts are:
Is it possible to use the main server as the “control machine”?
And should I add this code to every site/domain config?

NGINX:

location ~ /.well-known/acme-challenge/ {
    proxy_pass http://ctrl.mydomain.com:80;
}

APACHE:

ProxyPass "/.well-known/acme-challenge/" "http://letsencrypt.example.org:8081"

many many thanks!

Davide


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.