Hello,
Is there a way to exclude a specific subdomain from the certificate request/generation?
I have multiple domains on my Mailcow server. For security reasons, I geoblocked HTTP and HTTPS access and allow only a few countries where my users and the Let’s Encrypt servers are. My problem arises because the mta-sts.domain.tld record points to the IP of my reverse proxy, which is not geoblocked and requests the certificate on its own. Mailcow sees that this domain has an AAAA record and tries to request a certificate for it, which does not work and therefore also blocks all other requests.
The idea, therefore, was to exclude this specific mta-sts.domain.tld for the ACME client. Is this somehow possible? How would you solve the problem?