Best practices is having a valid cert on the mail server(s), to only accept encrypted traffic (e.g. not listen on port 80) and to redirect non-encrypted port 80 traffic to SSL/TLS port 443.
However if you use LetsEncrypt, you need to pass the inbound LetsEncrypt request without a redirection. There are numerous ways to do this, but if you want to not have to create a custom firewall rule for LetsEncrypt traffic and not have to worry about non-standard TCP ports read on...
Steps for this:
1. Configure HaProxy to recognize and forward the ".well-known/acme-challenge/" and redirect other port 80 traffic to 443
#CaCert Test URI to see if its a letsencrypt request for certbot acl letsencrypt-acl path_beg -i /.well-known/acme-challenge/ # Redirect to 443 if client request is on port 80 acl host_MAILHOST hdr(host) -i MAILHOST_FQDN redirect scheme https code 301 if host_MAILHOST !letsencrypt-acl #Otherwise pass on the traffic to the mail server certbot request matching TCPPORT (80 below) use_backend MAILHOST_CERTBOT if letsencrypt-acl host_MAILHOST # Don't interfere with Certbot requests on this HaProxy server use_backend letsencrypt-backend if letsencrypt-acl !host_MAILHOST ... #Pass on CaCert test without check to see if server is alive. It usually isn't backend MAILHOST_CERTBOT server MAILHOST80 INTERNAL.ADDRESS:80
2. Renew but use port 80 for the inbound request (as root on the mail server). Note: you don't have to use port 80, but if not then you have to setup firewall, HaProxy, etc accordingly.
letsencrypt renew --standalone --agree-tos --email XXX@YYY --preferred-challenges=http --http-01-port=80
- Log in to post comments