1

I have two (virtual) hosts running behind a firewall. One is a webserver, the other a mailserver. The appropriate ports of my single public IPv4 address are forwarded at the firewall to the hosts.

Now I want to automatically obtain letsencrypt certificates for both hosts (for the domains www.my.foo and mail.my.foo). The problem is, that the mailserver is not reachable via port 80 or 443 (since those are forwarded to the webserver) and I am not able to automatically update my DNS settings via some API.

Is there some trick in the ACME protocol to obtain a certificate on the mailserver without manual intervention?

mat
  • 548
  • 6
  • 20

1 Answers1

3

If the two servers are on the same LAN and sees each other, you could

  1. Install a web server on the mail server (or use certbot certonly --standalone.
  2. Configure a reverse proxy on the web server facing the Internet.

Using a separate virtual host for the reverse proxy might make it easier for you to use the /.well-known/acme-challenge/ namespace twice, if you don't mind that the mail server has different hostname.

If you want to use the same certificate for both purposes, you could simply rsync it between the servers e.g. with a cronjob.

Esa Jokinen
  • 46,944
  • 3
  • 83
  • 129