Using letsencrypt & certbot how do I add a mail server to an existing certificate?

Host: Digital Ocean

OS: CentOS

I have an existing SSL certificate that covers my domain.

$ certbot certificates produces this output.

Found the following certs:
   Certificate Name: example.com
     Domains: example.com www.example.com
     Expiry Date: 2020-04-12 21:20:31+00:00 (VALID: 86 days)
     Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
     Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

I installed postfix and I believe I need to add mail.example.com to my certificate.

I tried to add mail.example.com to my certificate using this command,

$ sudo certbot certonly --standalone -d mail.example.com

Unfortunately it threw this error,

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.example.com
Waiting for verification…
Challenge failed for domain mail.example.com
http-01 challenge for mail.example.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: mail.example.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for mail.example.com

It appears that certbot is trying to install mail.example.com using an A record. On Digital Ocean in my Domain Records section mail.example.com was created as an MX record, not an A record.


Solution 1:

You are right that for mail delivery you need an MX entry. BUT: mail.testsite.com is a fully qualified hostname, and you need to tell everybody who wants to deliver mail to you what the IP address of this hostname is. So you need an A record as well, pointing to the server where you want to receive the mail.

Create the A record, point it to your mail server and run certbot from that machine. Make sure that a webserver is responding on port 80 for mail.testsite.com for the verification to be successful. Then it will work.

Solution 2:

Do it like this:

$ sudo certbot -d mail.example.com --manual --preferred-challenges dns certonly

A DNS TXT record will be printed (just don't press Enter yet). Publish it to your DNS and wait until you're sure that the TXT record can be read from outside of your DNS, then press Enter and it will be verified.
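Both answers hinge on a check you should make before certbot talks to Let's Encrypt: Solution 1 needs an A record for the mail hostname to exist (the NXDOMAIN in the question is exactly the absence of one), and Solution 2 needs the _acme-challenge TXT record to be visible from outside your own DNS before you press Enter. The script below is an added example, not code from the question or either answer. It assumes `dig` is installed (package bind-utils on CentOS), that 1.1.1.1 is reachable as an external resolver, and that the hostname and token value you pass on the command line are the ones certbot printed; the domain and record values embedded in the parsing functions are only constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): verify, from an outside
# resolver, the DNS state that Solution 1 (A record) and Solution 2
# (_acme-challenge TXT record) require before continuing with certbot.
# Assumptions: dig is installed; RESOLVER is reachable; arguments are
# placeholders for the real hostname and the value certbot printed.

RESOLVER="${RESOLVER:-1.1.1.1}"

# Return 0 if the dig "+noall +answer" text in $1 contains a TXT record whose
# value is exactly $2. The answer text is passed as an argument rather than
# queried here so the parser can be exercised on captured output offline.
has_txt() {
    answer="$1"; expected="$2"
    # dig prints:  name  TTL  IN  TXT  "value"
    printf '%s\n' "$answer" \
        | grep -q "[[:space:]]TXT[[:space:]]*\"$expected\"[[:space:]]*\$"
}

# Return 0 if the dig answer text in $1 contains an A record (an IPv4 address).
has_a() {
    printf '%s\n' "$1" \
        | grep -q "[[:space:]]A[[:space:]][[:space:]]*[0-9][0-9.]*\$"
}

# Query the external resolver for one record type; prints answer lines only.
lookup() {  # $1 = name, $2 = record type
    dig @"$RESOLVER" +noall +answer "$1" "$2"
}

# Poll until the challenge TXT record is visible externally (up to 30 tries,
# 10 s apart). $1 = mail hostname, $2 = value certbot asked you to publish.
wait_for_txt() {
    name="_acme-challenge.$1"
    attempt=1
    while [ "$attempt" -le 30 ]; do
        if has_txt "$(lookup "$name" TXT)" "$2"; then
            echo "TXT for $name is visible at $RESOLVER; safe to press Enter in certbot"
            return 0
        fi
        echo "TXT for $name not visible yet (attempt $attempt); sleeping 10s"
        attempt=$((attempt + 1))
        sleep 10
    done
    echo "gave up waiting for $name to propagate" >&2
    return 1
}

# Usage (network checks run only when both arguments are given):
#   sh check-acme-dns.sh mail.example.com <value-certbot-printed>
if [ "$#" -eq 2 ]; then
    if has_a "$(lookup "$1" A)"; then
        echo "$1 has an A record (required for the http-01 path in Solution 1)"
    else
        echo "$1 has no A record: http-01 will fail with NXDOMAIN as in the question" >&2
    fi
    wait_for_txt "$1" "$2"
fi
```

Run it in a second terminal while certbot sits at its "press Enter" prompt; only once `wait_for_txt` reports the record visible is the validation likely to succeed, because Let's Encrypt resolves the name from its own vantage point, not from your provider's authoritative server.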