I am quite new in terms of Let’sEncrypt. Please excuse if my question might sound kind of wooden…
I am using a mail server at some provider which has mail.provider.tld as domain name (both: a- and mx-record).
Now I want to beautify the thing a bit with the goal to have mail.mysite.tld point to their web and mail services. In order to have LetsEncrypt I guess I need to run a redirecting proxy service and have Certbot renew towards that one.
Or could I have DNS point to the provider’s IP address and have Certbot renew without running an own redirecting service, as well? I know, I needed to have my provider’s machines respond to requests on mail.mysite.tld … but this should not be an issue.
I am just kind of confused if it might be possible to avoid running something else than Certbot myself.
Do you mean you wish to proxy the GUI service? Or also proxy the MX? (e.g. create a CNAME from mail.mysite.tld to mail.provider.tld and only use that to let clients login? Or you also want to use that to receive emails, like set the MX to mail.mysite.tld ?)
This is technically possible, but you'll need to contact the provider first since they might not (or refuse) to let you do that.
That's technically possible (again, technically). You could use a service like Cloudflare, given your provider allows such proxy. (But that have no relation to Let's Encrypt and will not use certbot in any way)
The more I think about it: I guess it’s impossible without using self-hosted reverse proxy services.
I needed to hand out every changed SSL certificate to the mail provider to have hin implement it. Every renewal made by Certbot would lead to having the provider get the files from me.
Or ist there a way having -let’s say- at least one-year-certs with Let’sEncrypt? I guess not. :-/