Using Let's Encrypt for eMail Managed Service Provider using cPanel

Please fill out the fields below so we can help you better.

My domain is: svmentp.com

I ran this command:

It produced this output: The Let’s Encrypt HTTP challenge failed: acme error ‘urn:acme:error:unauthorized’: Invalid response from http://svmentp.com/.well-known/acme-challenge/CXAcqjk78RLnUc6Yn4JksDx3EH14dY193Hh58q1Xtfw: " <meta name=“view”

My web server is (include version): Apache/2.4.25 (cPanel) OpenSSL/1.0.1e-fips

The operating system my web server runs on is (include version): CentOS 7.3

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I am trying to install a Let's Encrypt certificate for this domain. This domain is with me only for email hosting, and its website is hosted somewhere else.
Can this work? Or do I need to add my email server's NS records at this domain's registrar?

Thanks
Rohan

Hi Rohan,

So are you running the mail server at 142.4.215.180, but someone else is running the web server at 208.91.199.77?

Do you have the ability to control the DNS for this domain name, ideally via an API?

Hi Schoen,
You are absolutely correct; this is precisely what I am trying to achieve, and there are several other domains on which I am planning to implement this same concept.
I have access to its domain control panel. I tried adding a name server for my mail server, but what happens is that the website goes down and starts pointing to the mail server instead.

So, there are three methods that Let’s Encrypt uses to let you prove your control over a domain name in order to get a certificate for it. Two of them require making a connection to your server, which is not helpful when your server is run by someone else. The third requires posting custom TXT records in your DNS zone (not changing the existing records, but adding new additional ones). Can you do this? It would be easiest if you could do it via an API or script rather than manually, because this would then leave open the possibility that the certificate can be renewed automatically in the future.

Do you know by any chance of a common API accepted by all hosting providers? Because I may not have access to every domain that is hosted on this email server.

Hi @rohanb105

ACME is a spec which defines 3 challenge types as above. There is no differentiation between service providers and other parties.

If you do not have access to a domain on your server, then you should not be able to obtain a certificate for it (as you don't own the domain).

Note: you can prove ownership of a subdomain (e.g. mail.tld) by using the TLS-SNI or the HTTP-01 challenge

Andrei

The acme.sh client currently has the broadest range of support for DNS provider APIs. The supported ones are listed at

Recently Certbot has also added some of this support, but not quite as much as acme.sh has.

As @ahaw021 mentions, you do have to prove control over the domain name in order to get a certificate. While being the mail server (indicated by MX record) for a domain is an important relationship with that domain, it’s not one that Let’s Encrypt accepts by itself as enough to issue a certificate for the domain. Other certificate authorities might have a different practice because they do e-mail based validation, which Let’s Encrypt never does. For Let’s Encrypt certificates, the only available ways to prove your control are to receive inbound connections on port 80 or 443 (of the machine that the A record for the domain points to, which is also then the web server for that domain), or to make changes to the DNS zone. If you can’t do these things, Let’s Encrypt will not accept that you’ve proven that you’re entitled to a certificate for a particular domain name—even if you do run the mail server for it.

There is a particular thing that people running the mail server could do (involving setting up a web redirect for a particular URL) to explicitly delegate the power to obtain certificates for their domains to you, from Let’s Encrypt’s point of view. So this is an additional option if you have the ability to coordinate with them this way; they wouldn’t have to make your machine the web server or give you the ability to edit the DNS zone, if they’re willing to forward some particular Let’s Encrypt-related URLs from their server to yours via web redirects.

1 Like
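The HTTP-01 and DNS-01 challenges schoen describes above (and in the earlier reply about adding TXT records) both come down to publishing a value derived from the ACME account key at a place only the domain holder controls. The script below is an added example, not code from this thread or from any ACME client mentioned in it. It computes the key authorization and JWK thumbprint as RFC 8555 and RFC 7638 define them, derives the HTTP-01 response body and the DNS-01 TXT value from them, and checks a fetched body the way the CA does. The account key, the host list and the helper names (`check_http01_response`, `dns01_txt_value`) are constructed for the example; the token is the one from the error message in the original question.

```python
"""Derive ACME HTTP-01 / DNS-01 challenge values and check a fetched response.

Added example, not part of the original thread or of any ACME client.
Key authorization and thumbprint follow RFC 8555 §8.1 and RFC 7638.
"""
import base64
import hashlib
import json
from typing import Tuple

# Token taken from the error message in the original question.
TOKEN = "CXAcqjk78RLnUc6Yn4JksDx3EH14dY193Hh58q1Xtfw"

# Constructed account key (NOT a real key): the thumbprint only needs
# the public members "e", "kty" and "n" of an RSA JWK.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-example-modulus-not-a-real-key"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members,
    sorted lexicographically with no whitespace."""
    if jwk["kty"] == "RSA":
        members = {"e": jwk["e"], "kty": "RSA", "n": jwk["n"]}
    elif jwk["kty"] == "EC":
        members = {"crv": jwk["crv"], "kty": "EC", "x": jwk["x"], "y": jwk["y"]}
    else:
        raise ValueError("unsupported key type: %s" % jwk["kty"])
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01 body: token || '.' || thumbprint (RFC 8555 §8.1)."""
    return "%s.%s" % (token, jwk_thumbprint(jwk))


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record value for _acme-challenge.<domain>: base64url(SHA-256(key authorization))."""
    ka = key_authorization(token, jwk)
    return b64url(hashlib.sha256(ka.encode("ascii")).digest())


def check_http01_response(body: bytes, expected: str) -> Tuple[bool, str]:
    """Mimic the CA's validation of GET /.well-known/acme-challenge/<token>.
    The body must be exactly the key authorization (trailing whitespace tolerated)."""
    text = body.decode("utf-8", errors="replace").rstrip()
    if text == expected:
        return True, "key authorization matches"
    if text.lstrip().startswith("<"):
        # This is the failure mode in the original question: the host that the
        # A record points at served its own HTML page, so it is not the host
        # that wrote the challenge file.
        return False, "got an HTML document instead of the key authorization"
    return False, "body does not match the expected key authorization"


if __name__ == "__main__":
    ka = key_authorization(TOKEN, ACCOUNT_JWK)
    print("HTTP-01 body to serve :", ka)
    print("DNS-01 TXT value      :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    # Constructed responses: the first is what the mail server would return,
    # the second mirrors the start of the body quoted in the original error.
    for body in (ka.encode() + b"\n", b' <meta name="viewport" content="width=device-width">'):
        print(check_http01_response(body, ka))
```

Running it shows why the cPanel attempt in the first post produced `urn:acme:error:unauthorized`: the CA followed the A record to the other provider's web server, which answered with its own page, so the key authorization was never seen. DNS-01 avoids that server entirely, which is why schoen asks whether the DNS zone can be edited; the TXT value printed above is the one that record would carry.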

Thanks guys. My only intention is to secure mail.domain.com, or just SMTP/POP/IMAP, for which I am planning to ask my users to add an A record for mail.domain.com and a TXT record for the mail server IP. Is this sufficient? Because I have no interest in the TLD; I just want every user to use mail.domain.com for his/her email client configuration, and in order to do that this subdomain should be secured.

If you use mail.domain.com for everything and you don’t need the certificate to cover domain.com, then getting an A record for mail.domain.com should be fine. Then you should be able to get the certificate for that domain by yourself without other coordination with the people running the domain.

What about SMTP/POP/IMAP? Will the A record cover this as well?

Do I also have to change from the ACME challenge to a different one? Because I tried just mail.tld and it fails with this error: ‘urn:acme:error:unauthorized’

The same certificate will work for all of these protocols, but the A record is only used by clients to decide where to connect for POP and IMAP. For SMTP, clients use the MX record to decide where to connect.

ACME is the protocol used to talk to the certificate authority. It defines three different challenges, HTTP-01, TLS-SNI-01, and DNS-01. Which challenge type were you using? Which command did you run?

I am doing everything from Let’s Encrypt cPanel UI. I am not aware which command goes in background.

Aha! Well, that makes sense. Unfortunately, I don’t use cPanel and don’t know how to help you with this.

If nobody else shows up on this forum who can help you further with this, you might want to try over on the cPanel forums:

cPanel is not an ideal tool for this job

In order to make the cPanel plugin work you need to make each mail record a domain record as well.

You are much better off using certbot (in my opinion) with the standalone server option.

Another thing to clarify from @schoen

MX record - clients should already be pointing these to your servers

A Records - an additional record so you can pass challenges on the customer behalf for the mail.tld domains.

Andrei

I have also updated the topic as there are a few other service providers using Let’s Encrypt on this forum who may be able to offer some assistance.

Andrei

But I thought that @rohanb105 was now trying to get the certificate only for the mail.domain.com subdomains, which presumably will already have an A record because that is necessary for the clients to connect to them.

Yes, I am only trying to get a certificate for mail.tld and SMTP/IMAP/POP. This is my only goal, which I want to achieve using cPanel.