Validating another IP address


#1

I run an SMTP server for which I would like to generate a certificate.
Problem: smtp.mydomain.com only answers on tcp 25 and tcp 587, and there is no way I’m going to open an HTTP server on that machine, even for a temporary domain validation.

Is there any way I could tell certbot to validate my smtp.mydomain.com FQDN on tcp 80 or tcp 443 on a different IP?

I thought it would be nice and elegant to use a DNS record that would look like:
_http._tcp.smtp.mydomain.com IN SRV 0 10 80 <another IP address>
… same for tcp 443.

Would this work? Is there another way?

I’m doing this because I’m already creating and renewing all my certificates for a bunch of domains (which are accessed through HTTP / HTTPS) on a centralized point, and I would like to do the same for non-HTTP(S) services.


#2

You could utilise the DNS-01 challenge (which doesn’t require ports 80/443), which requires a token being placed in your DNS records to validate control - if that would work for you?


#3

Well, as I have full control over my DNS zones, I think that would, yes!
As long as it can be fully automated, it’ll suit my needs, thanks!


#4

Yes, it can be fully automated (as long as there is an API, or other way you can automate the adding of a token to your DNS). It’s the route I use for a lot of my domains (and smtp, imap etc.)

Using certbot, there is some information - https://certbot.eff.org/docs/using.html#getting-certificates-and-choosing-plugins

I personally use one of the alternate clients, as they supported the dns-01 challenge before the official certbot did. I’m sure someone can give you more detail about using the dns-01 challenge with certbot though.


#5

That’s perfect! Found my way in with certbot in manual mode for now.
Will check when I need to renew my certificates.

