On 22/04/22 11:57, Joseph Tam wrote:
> Keep in mind the subject name (CN or SAN AltNames) of your certificate
> must match your IMAP server name e.g. if your certificate is
> made for "www.mydomain.com", you'll have to configure your IMAP
> clients to also use "www.mydomain.com" as the IMAP server name.
>
> This typically means the web and IMAP server must reside on the
> same server, otherwise you'll have to use DNS challenge method
> to support multiple hostnames on the same certificate.

_A_ web server has to be there. It doesn't have to serve anything else useful. My mail server has a web server that only serves the LE challenge. Well, actually it's a proxy server that serves several other domains too, but there's nothing else served on that domain (at the moment).

Cheers,
Richard
Richard Hector wrote:
> otherwise you'll have to use DNS challenge method
> to support multiple hostnames on the same certificate.

Do you know how to implement this? The original certificates were issued for the domain sample.com. But can these certs be used for any.sample.com too?

Thanks
On 4/23/2022 6:45 PM, Richard Hector wrote:
> _A_ web server has to be there. It doesn't have to serve anything else
> useful. My mail server has a web server that only serves the LE
> challenge. Well, actually it's a proxy server that serves several
> other domains too, but there's nothing else served on that domain (at
> the moment).

I didn't want to mess with creating a web infrastructure for the usual web-based validation that is common with LE. Getting that working for my services would be very messy. So I use DNS validation with LetsEncrypt, and I have wildcards in my cert. You can see the cert at this location:

https://http3test.elyograg.org/

Reload the page to see if your browser can do http/3 -- the initial connection will usually be http/2.

Certbot has plugins for many common DNS providers that let it automatically add the validation records to your DNS. I use a DNS provider which is not covered by the official plugins, but I found a third party hook script on github, so I have built scripts that accomplish completely automated certificate renewals with DNS validation. I run the renew script with cron every other day, and have it waiting until 5 days before expiration before it actually does the renewal. So I get a new cert about every 85 days, and it even installs the cert and restarts services on everything that needs it.

Thanks,
Shawn
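Added example, not posted by anyone in this thread: the two questions above (does a cert for sample.com cover any.sample.com, and when should a cron-driven renew script actually renew) both come down to checks a mail admin can script. The Python below implements the hostname-matching rule that IMAP clients apply to the SAN list (a wildcard only as the whole leftmost label, matching exactly one label) and the "renew at 5 days before expiry" gate Shawn describes. The SAN list, notAfter value and service hostnames are constructed for illustration; the openssl commands in the comments are the standard way to obtain the real values, but the script itself does not shell out.

```python
"""Check which mail-service hostnames a certificate's SAN entries cover,
and whether the certificate is inside the renewal window.

Added example. SAMPLE_SAN / SAMPLE_NOT_AFTER / SERVICE_HOSTS below are
constructed values, not taken from any real certificate."""
from datetime import datetime, timedelta, timezone
import ssl

# Constructed sample of what
#   openssl x509 -noout -ext subjectAltName -enddate -in fullchain.pem
# would report for a wildcard certificate like the one described above.
SAMPLE_SAN = ["sample.com", "*.sample.com"]
SAMPLE_NOT_AFTER = "Jul 20 12:00:00 2022 GMT"   # openssl-style notAfter

# Hostnames the mail clients are configured with (constructed).
SERVICE_HOSTS = ["imap.sample.com", "smtp.sample.com", "sample.com",
                 "a.b.sample.com"]

RENEW_DAYS_BEFORE_EXPIRY = 5   # the threshold mentioned in the thread


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style DNS-ID match: case-insensitive, trailing dot
    ignored, '*' allowed only as the entire leftmost label and matching
    exactly one label. So '*.sample.com' covers 'imap.sample.com' but
    neither 'sample.com' nor 'a.b.sample.com'; a plain 'sample.com'
    entry covers only 'sample.com'."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels = p.split(".")
    h_labels = h.split(".")
    # Wildcard must be the whole first label, nothing like 'im*.sample.com',
    # and there must be at least two labels after it (no '*.com').
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_hosts(san_names, hostnames):
    """Map each service hostname to the SAN entry that covers it, or None."""
    return {host: next((s for s in san_names if san_matches(s, host)), None)
            for host in hostnames}


def days_until_expiry(not_after: str, now_iso: str) -> float:
    """Days between an ISO-8601 'now' (e.g. '2022-07-16T12:00:00+00:00')
    and an openssl-formatted notAfter string."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                    tz=timezone.utc)
    now = datetime.fromisoformat(now_iso)
    return (expiry - now) / timedelta(days=1)


def renewal_due(not_after: str, now_iso: str,
                threshold_days: int = RENEW_DAYS_BEFORE_EXPIRY) -> bool:
    """True once the cert is within threshold_days of expiry; a cron job
    run every other day can call this and skip the ACME request otherwise."""
    return days_until_expiry(not_after, now_iso) <= threshold_days


if __name__ == "__main__":
    for host, entry in covered_hosts(SAMPLE_SAN, SERVICE_HOSTS).items():
        print(f"{host:20s} -> {entry or 'NOT COVERED'}")
    now = datetime.now(timezone.utc).isoformat()
    print("days left:", round(days_until_expiry(SAMPLE_NOT_AFTER, now), 1),
          "renew now:", renewal_due(SAMPLE_NOT_AFTER, now))
```

With the constructed values, imap.sample.com and smtp.sample.com are covered by the wildcard entry, sample.com by the exact entry, and a.b.sample.com by nothing, which is the answer to the "any.sample.com" question: a cert issued only for sample.com does not cover subdomains, and a *.sample.com wildcard covers one label only.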
On 24.04.22 02:45, Richard Hector wrote:
> On 22/04/22 11:57, Joseph Tam wrote:
>> Keep in mind the subject name (CN or SAN AltNames) of your certificate
>> must match your IMAP server name e.g. if your certificate is
>> made for "www.mydomain.com", you'll have to configure your IMAP
>> clients to also use "www.mydomain.com" as the IMAP server name.
>>
>> This typically means the web and IMAP server must reside on the
>> same server, otherwise you'll have to use DNS challenge method
>> to support multiple hostnames on the same certificate.
>
> _A_ web server has to be there. It doesn't have to serve anything else
> useful. My mail server has a web server that only serves the LE challenge.
> Well, actually it's a proxy server that serves several other domains too,
> but there's nothing else served on that domain (at the moment).

If it wasn't already mentioned in this thread: acme.sh (https://github.com/acmesh-official/acme.sh) has a built-in standalone webserver which can be used in such cases, so there's no need for an additional web server. And Certbot has this functionality too.

acme.sh is a very simple and stable solution - it's just a shell script, no dependencies. I'm using it on a number of servers (together with Apache/Nginx or with the built-in standalone mode on mail gateways) without any problem.

Regards,
Markus