Let's Encrypt on the host system instead of acme-container

hrewd

I am using Apache, Lets Encrypt and have a bunch of Virtualhosts on my Server. Now i want to configure https for the Mailcow Backend on “mail.mydomain.com”, which is already an A-Record in my DNS. I am somewhat confused, how things work together, especially with this acme-container.
According to https://docs.mailcow.email/de/post_installation/firststeps-ssl/#ein-eigenes-zertifikat-verwenden it ist possible to disable/stop the mailcow acme-container and use certbot/ Let’s Encrypt on my Linux Hostsystem?
Which client affects the value SKIP_LETS_ENCRYPT in mailcow.conf - the host-le or the container-le?

esackbauer

hrewd the host-le or the container-le?

A container config cannot set things on the host. So its of course container-le.

hrewd it ist possible to disable/stop the mailcow acme-container and use certbot/ Let’s Encrypt on my Linux Hostsystem?

Yes that is actually best practice in your setup.
But if you create renew LE certs you must copy the certificates from your Host-LE to mailcow
https://docs.mailcow.email/post_installation/firststeps-ssl/#how-to-use-your-own-certificate
Also remember to include all hostnames into the cert, just mail.mydomain.dom is not enough. You need to include autodiscover, autoconfig etc as SAN.

hrewd

esackbauer
“But if you create renew LE certs you must copy the certificates from your Host-LE to mailcow”

Ok, obviously there is still something i don’t understand. I wanted to have HTTPS-termination and validation for the Subdomain mail.mydomain.de to be fully on my host system. The LE-cert-path is defined in my Apache Vhost-File for the subdomain, where i also setup this reverse proxy. So why does mailcow still needs a copy?

esackbauer

hrewd So why does mailcow still needs a copy?

Because mailcow needs that certificate also for POP, IMAP and SMTP…
There are more communications channels than only https for a mailserver 😉

hrewd

Ok, i was’nt aware that LE-Certificates used for HTTPS can also be used for E-Mail-TLS. I already wondered, how Mailcow obtains certs for IMAP/TLS etc.

Also remember to include all hostnames into the cert, just mail.mydomain.dom is not enough. You need to include autodiscover, autoconfig etc as SAN.

This means, i also have to set up additional subdomains and related virtualhosts such as autodiscover.mydomain.de and autoconfig.mydomain.de and generate certificates for them as well? Actually i only need SOGO as HTTPS.

esackbauer

Yes, your LE cert should have the CN of mail.domain.com (the name mailcow uses as configured hostname) and as SAN additionally autoconfig.domain.com and autodiscover.domain.com and any other domains you want the UI to listen to.