My domain is: corp.networkingtechnology.org
I have a Rocky Linux 8.6 server with two forums.
I installed Certificates for my domain, and both Forums without any problems as well as for the server rocky-86.corp...
Now, I've installed a new server called pegasus.corp....
It is to be a stand-alone mail server.
I'm following the well documented article in linuxbabe.com
I installed Postfix and now I'm trying to install Dovecot, but I need to install a Certificate.
I installed apache and setup the firewall as I did with the other server, but now I'm stuck.
Should I install a certificate for the server name pegasus.corp... or what? The question is, not only what, but how?
I've trolled through every article I can find, but so far NOTHING works.
Can someone PLEASE tell me how to get a Certificate? I guess I have to set up something in /etc/httpd/conf.d and possibly something in /var/www/html? I'm utterly lost.
I changed the name of the server to hermes.
Here's my last attempt
Created a file /etc/httpd/conf.d/hermes,corp.networkingtechnology.org.conf
I don't see them open. Looks like a firewall blocking (filtering) ports.
Report for hermes.corp.networkingtechnology.org (79.132.230.61)
rDNS record for 79.132.230.61: 79.132.230.61.static.edpnet.net
PORT STATE SERVICE
80/tcp filtered http
443/tcp filtered https
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
So it may have been the DNS (not waiting long enough, but it's now over 48 hours), but the ports are there and open.
The server that works has a different IP than the one with the blocked ports. Do you have some NAT forwarding or other gear that would block access to the new server?
Yes, as I said in my first post, I have a Linux server with two forums. Both Forums and the server itself have valid LetsEncrypt Certificates.
I set up this new server to use solely as a mail server. I lease a /29 subnet: .57 is the gateway, .58 is not in use, .59 is my old GW7 mail server, .60 is my Linux server with the 2 x Forums and finally .61 is the new server. .62 is not in use either.
[root@Hermes ~]# apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
VirtualHost configuration:
*:80 hermes.corp.networkingtechnology.org (/etc/httpd/conf.d/hermes.networkingtechnology.org.conf:1)
*:443 Hermes.corp.networkingtechnology.org (/etc/httpd/conf.d/ssl.conf:40)
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
The 404 failure is from HTTPS.
That means that HTTP was heard and redirected to HTTPS.
It would seem simplest to accept the ACME challenge requests in HTTP.
Requests to hermes.corp.networkingtechnology.org are not reaching the Apache server that you show. Your port 80 VirtualHost is very simple and should return a file or return an http 404 Not Found. Those are the only two things it can do. But, requests to that domain instead get redirected to https.
You should test accessing this server from outside your local network. Use a cell phone with wifi turned off if you must. Maybe place a test file like "test.html" in the /var/www/html DocumentRoot folder and try getting that file.
Example curl using HTTP from my test server. Note the 301 redirect. Also, the Server header says AlmaLinux but your first post said Rocky. Does that help identify what went wrong?
Hmm, I had an Alma Linux server on the same datastore. I supposed I had deleted it from disk, but it hadn't been deleted. Maybe a bug in ESX.
I deleted the server hermes and cleaned up the datastore. I'm going to reinstall and start from scratch before I put anything else on the damn thing.
Give me an hour and I'll get back.
I'm doing a clean install (after cleaning the datastore) of Alma 8.6 (Rocky support is better, but it does a few quirky things that I don't like).
It's a server with GUI and Basic Apache server. I brought down the other Alma Server with the Forums; it's OFF, so that won't be interfering.
I can't believe that LetsEncrypt is written so that only ONE server can get SSL Certificates. There are businesses with hundreds of servers.
Something strange is going on. Let's see what happens when the install is finished. I used the same name and the same IP address, so I don't need to wait for DNS propagation.
I don't know what you mean by that. Can you explain more? LE only cares that you control the domain you request a cert for. The main challenge methods are HTTP and DNS. You are using HTTP.
Anyway, have you restarted the server? Because I can't reach it and both port 80 and 443 are blocked (filtered).
rDNS record for 79.132.230.61: 79.132.230.61.static.edpnet.net
PORT STATE SERVICE
25/tcp open smtp
80/tcp filtered http
443/tcp filtered https
No, I first need to update, then BACK IT UP before I go further.
Shall I bring the other Alma server back up or leave it off?
IMO - It could only be the other server that was causing the problem, but just MAYBE, I screwed something up because of the datastore.
One other possibility. The hostname of the other server was Alma-86. This one (according to the installation blurb for Postfix I'm following) has the hostname hermes.corp.networkingtechnology.org.
Do you think THIS could be the problem?
How you manage your system is up to you. When you use the HTTP challenge to request a cert the Let's Encrypt server makes an HTTP request to that domain name (so, to port 80). That server must respond with the token created / configured by your ACME client (certbot in this case). You can redirect the HTTP request elsewhere but that's the original request.
If you control the DNS you could also consider a DNS challenge.
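The HTTP challenge flow described in the reply above, as an added example that is not part of this thread and not certbot's or Let's Encrypt's own code: a local model of what the CA's validator does. It computes the key authorization the client must serve (token plus the RFC 7638 thumbprint of the account key), serves it from a throwaway web root on 127.0.0.1, and then fetches it over plain HTTP the way the CA would, classifying the result as unreachable (the "filtered" ports in the scans above), a 404 (the wrong web root or VirtualHost answering), a mismatched body, or valid. The token, the RSA JWK values and the loopback server are all constructed for the example; nothing here contacts a real CA.

```python
"""Local model of an ACME HTTP-01 validation, as the CA would perform it.

Constructed example: the token, the account key (a JWK with made-up RSA
'n' and 'e' values) and the loopback server are all fabricated for
illustration; nothing here talks to Let's Encrypt.
"""
import base64
import hashlib
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout (RFC 8555 section 6)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The body the ACME client must serve for the token (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal web root: answers only for paths the client has registered."""
    served = {}  # path -> body, filled in before validation is attempted

    def do_GET(self):
        body = self.served.get(self.path)
        if body is None:
            self.send_error(404)  # models a VirtualHost that does not serve the token
            return
        payload = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


def validate(base_url: str, token: str, jwk: dict, timeout: float = 3.0) -> str:
    """Do what the CA does: GET the token over HTTP and compare the body.

    urllib follows redirects by default, which mirrors the CA's behaviour;
    a redirect to HTTPS only fails if the HTTPS side then answers wrongly.
    Returns a short diagnosis instead of raising so the failure mode is visible.
    """
    expected = key_authorization(token, jwk)
    try:
        with urllib.request.urlopen(base_url + CHALLENGE_PREFIX + token, timeout=timeout) as resp:
            body = resp.read().decode("ascii", errors="replace").strip()
    except urllib.error.HTTPError as e:
        return f"http-error:{e.code}"  # e.g. 404: token not served at that path
    except (urllib.error.URLError, OSError):
        return "unreachable"  # firewall, NAT or DNS: the CA never got an answer
    return "valid" if body == expected else "mismatch"


def run_demo() -> dict:
    """Start a throwaway server on 127.0.0.1 and exercise each outcome."""
    jwk = {"kty": "RSA", "n": b64url(b"\x01" * 256), "e": "AQAB"}  # constructed, not a real key
    token = "constructed-token-0123456789"
    srv = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{port}"
    results = {}
    try:
        results["not_served"] = validate(base, token, jwk)  # nothing at the path yet
        ChallengeHandler.served[CHALLENGE_PREFIX + token] = "wrong-body"
        results["wrong_body"] = validate(base, token, jwk)
        ChallengeHandler.served[CHALLENGE_PREFIX + token] = key_authorization(token, jwk)
        results["correct"] = validate(base, token, jwk)
    finally:
        srv.shutdown()
        srv.server_close()
    # with the listener gone the port is closed, which models the "filtered" scan result
    results["closed_port"] = validate(base, token, jwk, timeout=1.0)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The same `validate()` function, pointed at `http://hermes.corp.networkingtechnology.org` from a host outside the /29 after placing a known file under `/.well-known/acme-challenge/` in the DocumentRoot, gives the external check the thread asks for: "unreachable" means the request never arrived (firewall or upstream filtering), "http-error:404" means a server answered but the wrong web root or VirtualHost handled it.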