Host: Digital Ocean
OS: CentOS
I have an existing SSL certificate that covers my domain.
    $ certbot certificates

produces this output:

    Found the following certs:
      Certificate Name: example.com
        Domains: example.com www.example.com
        Expiry Date: 2020-04-12 21:20:31+00:00 (VALID: 86 days)
        Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
I installed postfix and I believe I need to add mail.example.com to my certificate.

I tried to add mail.example.com to my certificate using this command:

    $ sudo certbot certonly --standalone -d mail.example.com

Unfortunately it threw this error:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for mail.example.com
    Waiting for verification...
    Challenge failed for domain mail.example.com
    http-01 challenge for mail.example.com
    Cleaning up challenges
    Some challenges have failed.

    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: mail.example.com
       Type:   dns
       Detail: DNS problem: NXDOMAIN looking up A for mail.example.com
It appears that certbot is trying to install mail.example.com using an A record. On Digital Ocean in my Domain Records section mail.example.com was created as an MX record, not an A record.
Do it like this:

    $ sudo certbot -d mail.example.com --manual --preferred-challenges dns certonly

A DNS TXT record will be printed (just don't press Enter yet). Publish it to your DNS and wait until you're sure the TXT record can be read from outside your DNS, then press Enter and it will be verified.
You are right that for mail delivery you need an MX entry. BUT: mail.testsite.com is a fully qualified hostname, and you need to tell everybody who wants to deliver mail to you what the IP address of this hostname is. So you need an A record as well, pointing to the server where you want to receive the mail.

Create the A record, point it to your mail server, and run certbot from that machine. Make sure that a web server is responding on port 80 for mail.testsite.com for the verification to be successful. Then it will work.
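A pre-flight check for the http-01 route described in the answer above, as an added example that is not part of the original thread or of certbot itself. It assumes `dig` (package bind-utils on CentOS) and `ss` are installed, that the first argument is the hostname being validated and the second is the public IPv4 address of the machine certbot will run on; `1.1.1.1` is used as an arbitrary public resolver. The parsing functions take captured `dig +short` output as text, so the logic can be checked without network access; the NXDOMAIN case from the question shows up as empty output.

```shell
#!/bin/sh
# Added example: verify the preconditions for `certbot --standalone`
# (or --webroot) on mail.<domain> before running it.

# `dig +short A name` prints one line per answer; with NXDOMAIN it prints
# nothing. Return 0 only if at least one line is an IPv4 address.
a_record_present() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Return 0 if the captured answer ($1) contains exactly the address ($2)
# of this host. A CNAME chain also prints the target name; -x matches
# whole lines only, so a different address is not accepted.
a_record_points_here() {
  printf '%s\n' "$1" | grep -qxF "$2"
}

# Live check: $1 = hostname (e.g. mail.example.com), $2 = this server's
# public IPv4 address. Assumes dig can reach the resolver.
preflight_http01() {
  host=$1; myip=$2
  answer=$(dig +short A "$host" @1.1.1.1 2>/dev/null)
  if ! a_record_present "$answer"; then
    echo "FAIL: no A record for $host; certbot will report NXDOMAIN"
    return 1
  fi
  if ! a_record_points_here "$answer" "$myip"; then
    echo "FAIL: $host resolves to '$answer', not to this host ($myip)"
    return 1
  fi
  # http-01 needs port 80 on that address. --standalone binds it itself,
  # so a web server already listening means you should use --webroot
  # with that server instead of --standalone.
  if ss -ltn 2>/dev/null | grep -q ':80 '; then
    echo "NOTE: port 80 already has a listener; use --webroot, not --standalone"
  else
    echo "NOTE: port 80 is free; --standalone can bind it (firewall must allow 80/tcp)"
  fi
  echo "OK: $host -> $myip"
}

# Stand-alone usage: sh preflight.sh mail.example.com 203.0.113.10
if [ $# -eq 2 ]; then preflight_http01 "$1" "$2"; fi
```

The two `FAIL` branches correspond to the two DNS states the thread discusses: no A record at all (the questioner's MX-only setup) and an A record that points at some other machine, from which the validation request would never reach the certbot instance.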
If Ionos is your DNS provider and you follow the common convention of calling your mail server mail.example.com, it's not sufficient to create an A record "mail" and an MX record "mail". Your TXT record doesn't satisfy certbot.
You must create a subdomain called "mail" using the Ionos UI. Then you can navigate to that subdomain in the UI, create your TXT record and call it "_acme-challenge". That produces a working "_acme-challenge.mail.example.com" TXT record.
It looks to me as if the value in the challenge changes each time you run certbot. So you can leave the TXT record in place but you will have to edit it each time.
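A propagation check for the manual dns-01 route from the earlier answer and the Ionos note above, as an added example that is not part of the original thread or of certbot itself. It assumes `dig` is installed and that the two public resolvers `1.1.1.1` and `8.8.8.8` are reachable; the domain and the token are placeholders typed by the user, and the poll interval and attempt budget are arbitrary. Because the token changes on every run, the script takes it as an argument rather than storing it. The parser works on captured `dig +short TXT` output, which prints each record as a quoted string on its own line.

```shell
#!/bin/sh
# Added example: before pressing Enter in `certbot --manual
# --preferred-challenges dns`, confirm that public resolvers already
# return the TXT value certbot printed.

# The record name certbot validates for a given domain.
challenge_name() {
  printf '_acme-challenge.%s\n' "$1"
}

# $1 = captured `dig +short TXT` output, $2 = token certbot printed.
# Strip the surrounding quotes and require a whole-line match, so a stale
# record from the previous run (or a token that merely contains ours)
# does not count as success.
txt_has_token() {
  printf '%s\n' "$1" | sed 's/^"//; s/"$//' | grep -qxF "$2"
}

# Poll each resolver until it returns the token or the budget is spent.
# $1 = domain, $2 = token, $3 = attempts (default 20, 15 s apart).
wait_for_txt() {
  domain=$1; token=$2; tries=${3:-20}
  name=$(challenge_name "$domain")
  for resolver in 1.1.1.1 8.8.8.8; do
    n=0
    until txt_has_token "$(dig +short TXT "$name" @"$resolver" 2>/dev/null)" "$token"; do
      n=$((n + 1))
      if [ "$n" -ge "$tries" ]; then
        echo "FAIL: $resolver does not return '$token' for $name after $tries tries"
        return 1
      fi
      sleep 15
    done
    echo "OK: $resolver returns the expected TXT for $name"
  done
}

# Stand-alone usage: sh wait-txt.sh mail.example.com <token-from-certbot>
if [ $# -eq 2 ]; then wait_for_txt "$1" "$2"; fi
```

Run it in a second terminal while certbot is waiting; only when both resolvers report `OK` is it safe to press Enter. If the old value from a previous run is still the only one served, the whole-line comparison keeps the script waiting instead of letting certbot fail validation.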