Trouble generating a cert for server's FQDN

I am following this tutorial to generate a certificate for SMTP encryption for Postfix, which is set up as a send-only SMTP service.

In Step 5 of the tutorial, when I run the following command:

certbot certonly --standalone --rsa-key-size 4096 --agree-tos --preferred-challenges http -d lin03.ts-adyar.org

I get the following response:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for lin03.ts-adyar.org


Could not bind TCP port 80 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again.


(R)etry/(C)ancel:
Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

root@lin03:~#

I am aware the error message is because Apache is running on port 80 and one of my options is to stop it temporarily and get this certificate issued. But the automatic cert renewal will fail unless I remember to log in before the cert renewal is due and repeat this manual process again.

The other option is to generate the cert manually using the DNS challenge, but that cert also will not renew automatically (I read about providing some authentication hook script, which is beyond me).

There's a third option, which is to generate an Apache config file for lin03.ts-adyar.org and then use apache as the plugin for authentication for generating the cert. However, I don't want to add unnecessary config files on the server.

Is there any other way to generate this certificate and have it renew automatically? The hostname (FQDN) in this instance, lin03.ts-adyar.org, has both IPv4 and IPv6 DNS records configured.

Thanks in advance.

1 Like

What kind of Apache config file are you talking about?

When using the --apache plug-in it will create the challenge response for you. Is there a different config you describe?

Because something like this should work. The certonly means the --apache plug-in will only make temp changes to your Apache config.

certbot certonly --apache --rsa-key-size 4096 -d lin03.ts-adyar.org

Instead of --apache you could also use --webroot with -w

3 Likes

Why would a send only SMTP service require a certificate?

4 Likes

Thanks, that worked!

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/lin03.ts-adyar.org.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for lin03.ts-adyar.org

Successfully received certificate.

I think I used the --standalone or http flags the previous time I tried with the apache plugin and got an error. And then thought I had to have an Apache config file for lin03.ts-adyar.org and enable it with a2ensite to get LetsEncrypt to work. A lot of muddled thinking on this one, obviously.

Appreciate the assistance.

2 Likes
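The renewal config certbot referenced above (/etc/letsencrypt/renewal/lin03.ts-adyar.org.conf) records which authenticator was used for the last issuance, and `certbot renew` reuses it. If that file still says `authenticator = standalone`, the cron/systemd renewal will hit the same "Could not bind TCP port 80" failure while Apache is running. The script below is an added example, not code from the thread or from certbot: it parses a renewal config and reports whether renewal will need port 80. The config it reads is a constructed sample in certbot's real renewal-file layout; the account hash is a placeholder.

```shell
#!/bin/sh
# Added example: check which authenticator a certbot renewal config will use,
# so a renewal does not silently fall back to the standalone plugin (port 80).

# Constructed sample renewal config in certbot's format. Paths match the
# hostname from the thread; the account value is a made-up placeholder.
SAMPLE_CONF='# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/lin03.ts-adyar.org
cert = /etc/letsencrypt/live/lin03.ts-adyar.org/cert.pem
privkey = /etc/letsencrypt/live/lin03.ts-adyar.org/privkey.pem
chain = /etc/letsencrypt/live/lin03.ts-adyar.org/chain.pem
fullchain = /etc/letsencrypt/live/lin03.ts-adyar.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = apache
server = https://acme-v02.api.letsencrypt.org/directory
rsa_key_size = 4096
'

# renewal_authenticator FILE -> prints the authenticator set in [renewalparams]
renewal_authenticator() {
    # Only consult the [renewalparams] section; trim whitespace around '='.
    awk -F'=' '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && $1 ~ /^[ \t]*authenticator[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }' "$1"
}

# needs_port_80 FILE -> exit 0 when renewal would bind port 80 itself
needs_port_80() {
    [ "$(renewal_authenticator "$1")" = "standalone" ]
}

# check_renewal_conf FILE -> human-readable verdict; non-zero if renewal is at risk
check_renewal_conf() {
    auth=$(renewal_authenticator "$1")
    case "$auth" in
        "")
            echo "$1: no authenticator found in [renewalparams]"
            return 2 ;;
        standalone)
            echo "$1: authenticator=standalone; renewal will fail while Apache holds port 80"
            return 1 ;;
        *)
            echo "$1: authenticator=$auth; renewal does not need port 80"
            return 0 ;;
    esac
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$tmp"
check_renewal_conf "$tmp"
rm -f "$tmp"
```

On a real host you would point `check_renewal_conf` at the files under /etc/letsencrypt/renewal/ instead of the sample. One further caveat for the Postfix use case: a successful renewal writes new files under /etc/letsencrypt/live/, but Postfix keeps serving the old certificate until it is reloaded, so the renewal should also carry a `--deploy-hook` that reloads Postfix (or the equivalent script in /etc/letsencrypt/renewal-hooks/deploy/).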

Well, yes, you need a working HTTP site to use the --apache plug-in, but you already had one, as shown below. Glad you got it working.

curl -I http://lin03.ts-adyar.org

HTTP/1.1 200 OK
Server: Apache
Content-Length: 10701
Content-Type: text/html
5 Likes

Why would a send only SMTP service require a certificate?

Good question. You made me think. 🙂

I came across this interesting article that suggests combining it with DNSSEC to achieve the best results:
