Standalone cert for Postfix on CentOS 6

I wish to get a certificate to use with Postfix running on CentOS 6. The server does NOT have any kind of web server installed. I do have a web server, but it is running on a different computer.

My domain is: mail.campercaver.net

I ran this command:
certbot-auto --agree-tos -m bgee@campercaver.net --standalone certonly -d mail.campercaver.net

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.campercaver.net
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mail.campercaver.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.campercaver.net/.well-known/acme-challenge/tMubc-SciPLqQlDgv5-I3vzhohMHWVQRhh4AoHYwmGw: "

404 Not Found

Not Found

<p"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.campercaver.net
    Type: unauthorized
    Detail: Invalid response from
    http://mail.campercaver.net/.well-known/acme-challenge/tMubc-SciPLqQlDgv5-I3vzhohMHWVQRhh4AoHYwmGw:
    "

    404 Not Found

    Not Found

    <p"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version): None. Not applicable, this is for Postfix

The operating system my web server runs on is (include version):
CentOS 6.9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Both campercaver.net and mail.campercaver.net appear to point to the same Apache web server. Regardless of whether the mail server is on that server or not, you’ll need to issue the certificate from where Apache runs.

certbot certonly -a apache -d mail.campercaver.net

You’ll need to configure Postfix separately to use the certificate that you’ll get as a result. If you want, you can write a script that copies the certificate and restarts Postfix, and invoke it with Certbot by adding to the above:

--deploy-hook /path/to/postfix-deploy.sh

For what it’s worth, I believe Postfix support in Certbot is forthcoming. It has been merged but not yet released, as far as I know.
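As an added illustration of the deploy-hook idea above (example code written for this answer, not Certbot's own script and not something the thread posted): Certbot runs a `--deploy-hook` after every successful issuance or renewal and exports `RENEWED_LINEAGE`, the `/etc/letsencrypt/live/<name>` directory of the certificate that was just renewed. The hook below copies `fullchain.pem` and `privkey.pem` from that directory into a Postfix-owned directory (the destination `/etc/postfix/ssl` is an assumption; pick whatever `smtpd_tls_cert_file`/`smtpd_tls_key_file` point at in `main.cf`), tightens permissions, refuses to touch anything if either file is missing, and only then reloads Postfix.

```shell
#!/bin/sh
# Hypothetical Certbot deploy hook for Postfix (added example; not Certbot's
# or the thread's code). Certbot exports RENEWED_LINEAGE when it runs a
# --deploy-hook, so the top-level block at the bottom only fires under Certbot.
set -eu

# Copy fullchain.pem and privkey.pem from a lineage directory into Postfix's
# certificate directory. Fails before writing anything if either file is
# missing, so a broken renewal never leaves Postfix with half a key pair.
deploy_postfix_cert() {
    lineage="$1"   # e.g. /etc/letsencrypt/live/mail.example.org
    dest="$2"      # e.g. /etc/postfix/ssl (assumed destination)

    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done

    mkdir -p "$dest"
    chmod 700 "$dest"
    # Write to a temp file and rename so Postfix never reads a partial key.
    # cp follows the symlinks in live/, so real file contents are copied.
    for f in fullchain.pem privkey.pem; do
        cp "$lineage/$f" "$dest/$f.tmp"
        chmod 600 "$dest/$f.tmp"
        mv "$dest/$f.tmp" "$dest/$f"
    done
    return 0
}

# Reload Postfix if it is installed; "postfix reload" re-reads main.cf and
# the certificate files without dropping established sessions.
reload_postfix() {
    if command -v postfix >/dev/null 2>&1; then
        postfix reload
    fi
}

# Entry point when invoked by Certbot (RENEWED_LINEAGE is set only then).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_postfix_cert "$RENEWED_LINEAGE" /etc/postfix/ssl
    reload_postfix
fi
```

Postfix still has to be told where the files are: `smtpd_tls_cert_file`, `smtpd_tls_key_file` and `smtpd_tls_security_level = may` in `main.cf`. The hook runs as root under Certbot, which is why the copied key is chmod 600 rather than left readable in `/etc/letsencrypt/live`.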

Hi az -

Yep, it makes sense that both servers point to the same address. They live behind a NAT box, so the public address must be the same. I use port redirection on the router to send ports 80/443 one way and port 25 the other.

I already have a Let’s Encrypt certificate on the web server (which runs CentOS 7). Can I use that same cert on the email server? I suspect not since the public hostnames are not the same.

On CentOS 6 there is no package for certbot. I downloaded certbot-auto instead. Will the postfix support be included in certbot-auto?

Thanks - Bill Gee

You can if you obtain a single certificate covering both names, which may be possible.

Yes, but it's not recommended to use it yet; instead, most users should currently manually configure Postfix to point at the certificate after issuance.

It's not impossible to work that out. You could configure the web server to reverse proxy requests for http://mail.campercaver.net/.well-known/acme-challenge/ to the mail server. (Which would work when Certbot's standalone server is running, and fail with a gateway error the other 99% of the time.)

But when your HTTP-01 configuration is getting that complicated, usually it's a good time to switch to DNS-01. But that requires setup, and support from your DNS provider and ACME client.
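The reverse-proxy arrangement described in this reply, as an added example (not the thread's or Apache's own code): on the machine where Apache runs, a vhost for the mail hostname forwards only `/.well-known/acme-challenge/` to the LAN address of the mail server, where `certbot-auto --standalone` listens on port 80 during issuance. The backend address `192.0.2.25`, the hostname `mail.example.org` and the output path under `conf.d` are constructed placeholders; the directives themselves are standard `mod_proxy`/`mod_proxy_http` ones.

```shell
#!/bin/sh
# Added example: render and install an Apache vhost fragment that proxies
# only the ACME HTTP-01 challenge path to the mail server's LAN address.
set -eu

# Print the vhost fragment. $1 = public hostname, $2 = backend address as
# Apache reaches it on the LAN (constructed example: 192.0.2.25).
acme_proxy_vhost() {
    name="$1"
    backend="$2"
    cat <<EOF
# Requires mod_proxy and mod_proxy_http. Only the challenge path is forwarded;
# every other URL under this name is still served by Apache itself.
<VirtualHost *:80>
    ServerName $name
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass "/.well-known/acme-challenge/" "http://$backend/.well-known/acme-challenge/"
    ProxyPassReverse "/.well-known/acme-challenge/" "http://$backend/.well-known/acme-challenge/"
</VirtualHost>
EOF
}

# Write the fragment to $3 (e.g. /etc/httpd/conf.d/acme-mail.conf, assumed)
# and syntax-check the Apache configuration before anyone reloads it.
install_acme_proxy() {
    acme_proxy_vhost "$1" "$2" > "$3"
    apachectl configtest
}

# Fetch the challenge path via the public name and print the HTTP status.
# With the proxy in place and the standalone server NOT running, Apache
# answers 502/503 (the gateway error the reply mentions); without the proxy
# you get Apache's own 404 page instead. Any unknown token is 404 while
# certbot --standalone is up, which is the moment the real validation happens.
probe_challenge_path() {
    curl -s -o /dev/null -w '%{http_code}' \
        "http://$1/.well-known/acme-challenge/probe-token"
}
```

A quick end-to-end check before running `certbot-auto` on the mail host: start any throwaway HTTP server on its port 80 serving a file under `.well-known/acme-challenge/`, then fetch that file through the public hostname from outside the NAT. If that round trip works, the standalone authenticator will too; if the router is still sending port 80 for the mail name to Apache without the proxy fragment, the probe returns Apache's 404 exactly as in the original error.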

Thanks for your replies. I think I will just be patient for a while, until the Postfix module for certbot is fully ready. My Postfix server is running fine as it is even without TLS enabled. It otherwise sounds very complicated.

Bill Gee

The Certbot Postfix plugin is only an installer - it doesn’t solve the validation dilemma in your scenario :frowning: . You will need to solve the problem of HTTP-01 or DNS-01 validation either way.

The standalone + reverse proxy setup is not that complicated, we can help you achieve it if you’re willing to try.
