Want working certbot on virtual mailserver machine

I have a front-end Reverse-Proxy machine that has Apache installed and it has 3 back-end virtual machines. One virtual machine will be used for mail and the other two are two separate web servers. All machines are running Ubuntu. My goal is to keep the web and mail servers separate and be able to send mails from and to the back-end mail server from anywhere.

On the front-end machine I simply ran Certbot twice to generate a certificate for each web server without many problems. Now comes my problem, or what I fail to understand: I seem to be unable to do the same for the back-end mail server, because I will also need the certificate on the back-end mail server to be used by Postfix and Dovecot.

Could anyone please explain to me where I am going wrong or if there might be a better solution?

Hi @NorthernSun, and welcome to the LE community forum :slight_smile:

It seems like you are on the verge of asking for a custom engineered design tailored to suit your need.
Sure, it doesn't hurt to ask, but this is a forum that is not really intended for such.
That said, anyone here is free to give their advice on this topic.
And my free advice is: If you can, pay a qualified professional to do this work for your business.
[if you are NOT doing this for a business, then I apologize for making that assumption]


I'm not quite following your question: Why can't you use the same thing you're doing to distribute the certificate files to your two web servers in order to distribute certificate files to your mail server?


Likely because the "front-end Reverse-Proxy machine" doesn't proxy email ports.
So... the email server is trying to get its own cert and is failing to do so.

OR did I just get that from the topic title?

Seems like the "back-end" mail server has no "front-end".


Well, I thought that the post was saying that certbot was running on the front-end?

But regardless, yes people will need more details of the architecture and what's running where to be able to help. It's not even clear to me if the problem is with getting the certificate or with how to configure their mail server software to use it.


I think certbot is running in two places.

Agreed, too much is being left to the imagination.


I'm assuming the issue here is that your mailserver has a different hostname than your webservers, right?

Even though Postfix and Dovecot don't run on port 80, you can get a certificate for those services using the http-01 challenge. If you previously were able to get a certificate for your webservers on the front-end machine, you should also be able to do the same for your mailserver. You might however need to (temporarily) add a virtualhost for your mailserver's hostname on the front-end machine to validate the mailserver's hostname. And afterwards you'd need to transfer the certificate and private key securely to your mailserver to be used with Postfix and Dovecot. And all this preferably automated :wink:

Oh, I forgot: if your front-end server already is functioning as a reverse proxy, you could also reverse proxy every request for your mailserver's hostname on port 80 for the path /.well-known/acme-challenge/ (or just any path) to your mailserver and use the --standalone plugin. That way the certificate is directly on your mailserver and your mailserver doesn't need to run its own webserver: the standalone plugin will spin up a temporary Python-based listener on port 80 for just the challenge.
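As an added example (not code from the thread), this is what the two halves of that setup look like on Ubuntu with Apache: a port-80 vhost on the front-end proxy that forwards only the ACME challenge path to the mail VM, and the certbot invocation for the mail VM itself. The hostname, the mail VM's private address (10.0.0.3) and the site file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: on the front-end Apache proxy, add a
# port-80 vhost for the mail server's hostname that forwards only the ACME
# challenge path to the mail VM, where certbot --standalone answers it. The
# hostname and the mail VM's private address below are assumptions.
set -u

MAILHOST="${MAILHOST:-mail.mydomain.com}"   # hostname used in the thread
MAIL_VM_IP="${MAIL_VM_IP:-10.0.0.3}"        # assumed private IP of the mail VM
SITE="acme-${MAILHOST}"
SITE_FILE="/etc/apache2/sites-available/${SITE}.conf"

# A vhost with its own ServerName is essential: without one Apache answers for
# mail.mydomain.com with the first vhost it finds, which is why a client sees the
# wrong certificate. Only /.well-known/acme-challenge/ is proxied; every other
# path on port 80 for this name is denied.
render_acme_vhost() {
    host="$1"; backend="$2"
    cat <<EOF
<VirtualHost *:80>
    ServerName $host
    ProxyPreserveHost On
    ProxyPass        "/.well-known/acme-challenge/" "http://$backend/.well-known/acme-challenge/"
    ProxyPassReverse "/.well-known/acme-challenge/" "http://$backend/.well-known/acme-challenge/"
    <Location "/">
        Require all denied
    </Location>
    <Location "/.well-known/acme-challenge/">
        Require all granted
    </Location>
</VirtualHost>
EOF
}

# Write, enable and syntax-check the vhost on the proxy (run as root).
install_acme_vhost() {
    render_acme_vhost "$MAILHOST" "$MAIL_VM_IP" > "$SITE_FILE"
    a2enmod -q proxy proxy_http
    a2ensite -q "$SITE"
    apache2ctl configtest && systemctl reload apache2
}

# The command to run on the mail VM itself. --standalone binds port 80 only
# while the challenge is served, so the VM needs no web server; the deploy hook
# makes Postfix and Dovecot pick up every renewal.
certbot_command() {
    printf "certbot certonly --standalone -d %s --deploy-hook 'systemctl reload postfix dovecot'\n" "$MAILHOST"
}

case "${1:-}" in
    render)  render_acme_vhost "$MAILHOST" "$MAIL_VM_IP" ;;
    install) install_acme_vhost ;;
    certbot) certbot_command ;;
esac
```

Run `sh acme-proxy.sh install` on the proxy and then, on the mail VM, the command printed by `sh acme-proxy.sh certbot`. The vhost has to stay in place permanently, since `certbot renew` repeats the same challenge, and nothing else may be listening on port 80 of the mail VM while the standalone listener runs.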


Thanks for all the replies. I'm sorry I should have been more clear.

I have only 1 physical server machine and 1 public IP address available. Because in the future I might have to change to another server machine in case of a hardware failure, I wanted to put my web and mail servers on virtual machines. I could have made one big virtual machine with all the servers merged, but I like to keep them separate for security reasons. I have port forwarded ports 80 and 443 to the main machine which holds all 3 virtual machines. One of the web servers is mostly for private use and therefore it is not really necessary to mention too much about it here, I think. The second web server's hostname is mydomain.com, while the mail server has the hostname mail.mydomain.com. On the main machine that holds all the virtual machines I ran Certbot to create certificates for the two web servers. The main machine acts as a reverse proxy by forwarding incoming requests on ports 80 and 443 for mydomain.com to the web server. On the mail server I ran Certbot using the DNS challenge. I entered the received certificate in Postfix and Dovecot.

Now when I try to receive my mail by using a mail client such as Thunderbird it tells me that "The certificate belongs to a different site." When I view the certificate that Thunderbird is given, it displays the certificate of the private web server instead of mail.mydomain.com. I assume this is because Thunderbird is asking the main machine for the certificate for mail.mydomain.com but the main machine does not have it. In an attempt to fix this I tried setting up a virtual host on the main machine that redirects requests on ports 80 and 443 for mail.mydomain.com to the mail server, but without success.


We can give you options.

I would reverse proxy the webmail (i.e. the HTTP/S services of the mail server), but I would expose Postfix and Dovecot directly. This means that either:

  • you give postfix and dovecot a certificate from the main proxy, or
  • you use a different fqdn for postfix/dovecot and the webmail, for which you use a different acme client, or
  • you proxy imap and smtp as well (using haproxy or nginx -- I don't think apache can do that.)

If I obtain the certificate on the front-end machine and transfer the certificate and private key to the mail server manually, is there a recommended folder to place them in? Should it be simply also in /etc/letsencrypt/live/<domain_name>?

It should explicitly not be in there.

Just make sure the permissions are appropriate.


Well, you should be able to use the hook scripts in certbot to automatically copy them where they need go (using scp or whatever).

This is something that doesn't seem as standardized as I would expect. Some use something like /etc/certs I think; some keep it in /root or some other "user" directory for a system account; some just made their own directory somewhere out of the way. As long as the permissions are good (so that only the service that's supposed to be using it has access to the private key), it shouldn't really matter.


The tricky part with multiple machines is usually HTTP domain validation, and you may find that using DNS validation makes it easier to get a cert on any machine. You can also use this approach to use one machine to get all your certs and then distribute them to your other machines (sftp, etc.).

A certificate is just a file (or rather, a public certificate file and private key file) and it can be copied anywhere, the challenge then is configuring each service that needs to use that file (usually this is just copying the file to the right place then restarting the required service).
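The two replies above cover the mail-server side of this: keep the copied files out of /etc/letsencrypt, get the permissions right, and then point each service at them and restart it. As an added example (not code from the thread), the following script does exactly that on the mail VM for files dropped off by scp/sftp: it checks that the key actually matches the certificate, installs both under a dedicated directory with tight modes, and rewrites the Postfix and Dovecot settings. The staging directory, the install directory and the Dovecot drop-in name are assumptions; it assumes TLS is already enabled in Postfix (smtpd_tls_security_level) as in the original poster's setup.

```shell
#!/bin/sh
# Added example, not code from the thread: on the mail server, install a
# certificate and key that were issued elsewhere (e.g. by certbot on the
# front-end and copied over with scp) into a dedicated directory outside
# /etc/letsencrypt, verify they belong together, and point Postfix and Dovecot
# at them. The staging and install paths are assumptions.
set -u

STAGE="${STAGE:-/root/incoming}"      # assumed: where fullchain.pem + privkey.pem arrive
CERT_DIR="${CERT_DIR:-/etc/ssl/mail}" # assumed: install location for the mail daemons

# Refuse a key that does not match the certificate, e.g. after a renewal where
# only one of the two files was copied. Comparing the public keys works for RSA
# and ECDSA alike.
check_pair() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Copy into place with tight modes and replace the live files atomically. Postfix
# and Dovecot both open the key as root before dropping privileges, so root:root
# 0600 suffices; do not widen it for the postfix or dovecot users.
install_pair() {
    cert="$1"; key="$2"; dir="$3"
    mkdir -p "$dir" && chmod 0755 "$dir"
    rm -f "$dir/fullchain.pem.new" "$dir/privkey.pem.new"   # never reuse a stale mode
    ( umask 022; cp "$cert" "$dir/fullchain.pem.new" ) && chmod 0644 "$dir/fullchain.pem.new"
    ( umask 077; cp "$key"  "$dir/privkey.pem.new" )   && chmod 0600 "$dir/privkey.pem.new"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dir/fullchain.pem.new" "$dir/privkey.pem.new"
    fi
    mv -f "$dir/fullchain.pem.new" "$dir/fullchain.pem"
    mv -f "$dir/privkey.pem.new"   "$dir/privkey.pem"
}

# Dovecot drop-in: conf.d/*.conf is read in name order, so 99-* overrides the
# stock 10-ssl.conf. "required" refuses plaintext logins without TLS.
render_dovecot_conf() {
    printf 'ssl = required\nssl_cert = <%s/fullchain.pem\nssl_key = <%s/privkey.pem\n' "$1" "$1"
}

# Point both daemons at the new files, validate their configs, then reload.
configure_services() {
    dir="$1"
    postconf -e "smtpd_tls_cert_file=$dir/fullchain.pem" "smtpd_tls_key_file=$dir/privkey.pem"
    render_dovecot_conf "$dir" > /etc/dovecot/conf.d/99-mail-cert.conf
    postfix check && doveconf -n > /dev/null && systemctl reload postfix dovecot
}

main() {
    check_pair "$STAGE/fullchain.pem" "$STAGE/privkey.pem" \
        || { echo "certificate and key in $STAGE do not match" >&2; exit 1; }
    install_pair "$STAGE/fullchain.pem" "$STAGE/privkey.pem" "$CERT_DIR"
    configure_services "$CERT_DIR"
}

case "${1:-}" in
    install) main ;;
esac
```

Run it as root with `sh install-mail-cert.sh install` after each copy, or call it from the remote side of whatever transfers the files. Because the check_pair step runs before anything is touched, a half-copied renewal leaves the currently working certificate in place instead of taking the mail server down.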


The correct solution for your situation is to only obtain ONE certificate, and deploy it to all 3 servers. You should NOT be having multiple machines request the same certificate as the rate-limit for duplicate certificates is 5 per week, and a simple error on your part can easily make you unable to obtain a new certificate.

There are a lot of ways to implement this. I think some of the easiest options in your situation include:

obtaining the certificates for a cluster

  • use DNS-01 challenge with acme-dns, or
  • use HTTP-01 challenge by either:
    • run Certbot on the gateway node, or
    • proxy all traffic to /.well-known/acme-challenge to a specific node running Certbot, or
    • 301 redirect all traffic to /.well-known/acme-challenge to a subdomain that only runs on one node, which is running Certbot

deploying the certificates in a cluster

  • mount /etc/letsencrypt from the node running Certbot as a shared directory (nfs, etc) onto the other nodes, or
  • rsync /etc/letsencrypt from the node running Certbot onto the other nodes and restart services daily, or
  • use post-deploy hooks on the Certbot node to rsync and restart the other nodes
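The last option in that list, a deploy hook on the Certbot node, is the one that needs the least moving parts. As an added example (not code from the thread), here is such a hook. Certbot runs deploy hooks after every successful issuance with `RENEWED_LINEAGE` (the live/<name> directory) and `RENEWED_DOMAINS` set; the hook streams fullchain.pem and privkey.pem to each other node over SSH and reloads the services there. The node list, remote directories, service names and SSH key path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a certbot deploy hook for the one
# node that obtains the certificate. certbot runs the hook after every
# successful issuance with RENEWED_LINEAGE (the live/<name> directory) and
# RENEWED_DOMAINS set. It pushes fullchain.pem and privkey.pem to the other
# nodes over SSH and reloads the services there. The node list, install paths
# and key path are assumptions. Install it as
# /etc/letsencrypt/renewal-hooks/deploy/distribute.sh (mode 0755) or pass it
# with --deploy-hook.
set -u

# One node per line: host:remote_dir:services-to-reload (hypothetical values).
NODES="${NODES:-10.0.0.3:/etc/ssl/mail:postfix dovecot
10.0.0.4:/etc/ssl/web:apache2}"
SSH_KEY="${SSH_KEY:-/root/.ssh/cert_push}"   # dedicated key used only for this job

# certbot keeps four files in a lineage; refuse to push a partial set.
lineage_ok() {
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -r "$1/$f" ] || return 1
    done
}

# Stream both files through one SSH session. tar -h follows the live/ symlinks
# into archive/; umask 077 on the far side keeps the key private even in the
# instant before chmod runs.
push_node() {
    host="$1"; rdir="$2"; services="$3"; lineage="$4"
    tar -C "$lineage" -chf - fullchain.pem privkey.pem |
      ssh -i "$SSH_KEY" -o BatchMode=yes "root@$host" \
        "umask 077 && mkdir -p '$rdir' && tar -C '$rdir' -xf - \
         && chmod 0644 '$rdir/fullchain.pem' && chmod 0600 '$rdir/privkey.pem' \
         && systemctl reload $services"
}

# Push to every node; keep going after a failure but report it in the exit code
# so certbot logs the hook as failed.
distribute() {
    lineage="$1"; rc=0
    lineage_ok "$lineage" || { echo "incomplete lineage: $lineage" >&2; return 1; }
    while IFS=: read -r host rdir services; do
        [ -n "$host" ] || continue
        if push_node "$host" "$rdir" "$services" "$lineage"; then
            echo "pushed $(basename "$lineage") to $host"
        else
            echo "push to $host FAILED" >&2
            rc=1
        fi
    done <<EOF
$NODES
EOF
    return $rc
}

# certbot sets RENEWED_LINEAGE; when it is absent (run by hand) do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    distribute "$RENEWED_LINEAGE"
fi
```

To exercise it without waiting for a renewal, run `RENEWED_LINEAGE=/etc/letsencrypt/live/mail.mydomain.com sh distribute.sh` on the Certbot node. Give the push key no other purpose, and restrict it in each receiving node's authorized_keys with `from=` to the Certbot node's address, since whoever holds that key can write root-owned files on every node in the list.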
