Renew from a different host using HTTP?

I have a mail server running on host A; this used to also host a webmail service, and everything worked fine - it renewed as it should.

Nine months ago I had to split these services, so mail (SMTP, IMAP) is still on host A but the web service was moved to host B. The firewall routes the traffic accordingly, as these hosts share the same FQDN externally... and there is the problem: when the mail host (A) runs certbot renew it always fails, because it tells Let's Encrypt to look at mail.domain.net, which is technically correct but factually a different host (B).

Is there any way to get certbot to ask for verification at another host name? I.e. ask it to look for the authentication file at a.domain.net instead of b.domain.net (i.e. webmail)?

I know the simple solution is to either have different names (i.e. mail vs. webmail) or use a wildcard thing through DNS - the former is not preferred, while the latter is not an option for "auto renewal" since our DNS host has no API or other way to do that...

If this were done manually once every other year I could live with it, but Let's Encrypt needs this every 3 months and it's becoming a hassle to work around...

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

In the configuration for mail.domain.net, you can forward the requests for /.well-known/acme-challenge/ back to host A.

5 Likes
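One way to implement that forwarding on host B with nginx, as an added example that is not from the thread: only the challenge path is proxied to host A, everything else stays on B. The internal address 10.0.0.10 for host A is a placeholder assumption.

```nginx
# Host B (webmail): serves the site itself, but hands ACME http-01
# challenges for mail.domain.net to host A, where certbot answers them.
# Added example, not from the thread; 10.0.0.10 is a placeholder for
# host A's internal address.
server {
    listen 80;
    server_name mail.domain.net;

    # Prefix match with ^~ so no regex location can steal this path.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://10.0.0.10;       # host A (placeholder address)
        proxy_set_header Host $host;       # keep mail.domain.net so certbot's
                                           # webroot/standalone responder matches
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # Everything else behaves as before: send to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Host A then only needs something listening on port 80 for the challenge (certbot's standalone plugin or a webroot); the firewall no longer has to tell the two kinds of traffic apart.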

Ooh, that's a nice workaround :slight_smile: I was so focused on solving it with certbot that my mind didn't go elsewhere... thanks!

3 Likes

Glad we could help! :slightly_smiling_face:

2 Likes

You'd require a mechanism to securely transfer the private key and certificate to the other server (the one not running certbot) on every renewal, though. See the information about --deploy-hook on the certbot documentation page to run such a deployment script after renewal.

Also, your mail server with certbot can use the standalone plugin if you don't want to install a whole Apache or nginx web server just for the http-01 challenge.

3 Likes

Wound up splitting the requests in the firewall (looking for the ACME token) and running a deploy script copying it over to the other server using scp and RSA keys... the web server just has a simple daily script looking for a new cert and then reloads...

Once I stopped looking at ONE app (certbot) to do everything it kinda worked out :smiley:

(As a bonus I now have a setup for copying files via script which I'll need later, and I know more about the firewall software as well.)

2 Likes