Letsencrypt issue/renew using Cloudflare

Hi to all
I’ve just set up a fresh Ubuntu 18.04 LTS with MIAB, no issues so far, all went ok, but I wish to issue the Let’s Encrypt certs using the Cloudflare API, since this server is not and won’t be the web server for the domains on it.
This way I can issue/renew certs without redirecting the webroot.

Can it be done on MIAB, using the admin panel I mean?

I found this on G … https://mangolassi.it/topic/18355/setup-letsencrypt-certbot-with-cloudflare-dns-authentication-ubuntu

Thanks in advance.
JG

Why???

You do not have to do this whatsoever.

Once MiaB is set up you should NEVER have to do anything to obtain a certificate in the future. I am not certain why you would want to change this behaviour. Have you had an issue with the original certificate issuance? If not, then there is nothing to do.

If you are using one mail server for multiple domains, my recommendation is to have a domain dedicated to being used only for mail. Then, for your other domains, you just use the mail server domain in the MX record.

This way, example.com has MX record mail.example.net.

This is particularly useful for MiaB, because this project likes to be its own DNS server. If you use an external DNS server for the MiaB domain (mail.example.net), you are going to be working harder and posting here more often.


Hi, just provisioned the host mail cert… it’s using webroot …

From the log:
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Performing the following challenges: http-01 challenge for mx01.host.com Using the webroot path /home/user-data/ssl/lets_encrypt/webroot for all unmatched domains.

The question is MIAB creates entries for:
mx01.host.com
host.com
www.host.com

But I only want the mx01.host.com or *.host.com certs issued. For the mx01 it was easy using the GUI provisioning option; for the wildcard one, if I want it, it cannot, AFAIK.

If it’s not possible to be implemented using the CP GUI, no worries, since I have it working now under the CLI, the plugin for Cloudflare DNS I mean.
If there is some doc about doing this manually, please be so kind to share it, otherwise I’ll just keep looking around, since this is an NGINX implementation, hopefully not as closed as Zimbra is.

Regarding the use of the MIAB DNS server, well, I trust Cloudflare more nowadays than any other DNS system, and I have used/implemented a lot.
Simply, we have to transcribe the records that MIAB creates to the Cloudflare zones, and yes, it is sometimes exhaustive, but for me, well, let’s say DNS doesn’t change as much.

Thank you all for your kind replies.
JG

The MiaB DNS server can be used for only a domain that is serving mail, and since the server, itself, in most cases is the only server serving mail, it does not matter if the DNS server for the mail server goes away, because the mail server has also gone away.

Somehow, your response is communicating to me you aren’t understanding all of these things, particularly the benefit of having a domain exclusively for mail (assuming you can afford the additional $12/year expense).

First of all thank you.

Second, I do understand what you’re saying perfectly, but:

  • If the mail server goes away, I also lose the DNS, and all the records on it (unless using some other secondaries), if it’s parked on it. This has happened a lot to me in the past, though I don’t use service servers to host the DNS for the domains I manage.
    Hence, I do understand the idea behind MIAB, a simple integrated implementation for a mail server, but for some of us, few I guess, this is not enough. MIAB is a great mail server, and so far the smallest footprint implementation I have found for a system like this.

I like MIAB, I even have used it for my own email server in the past, not using it now because I’m testing other ones, and that integrated implementation worked perfectly, until I wanted a bit more.

But now I’ve been asked to provide a mail server for a startup company that has some other mail domains, and since I want an integrated email server, with EAS, I decided to go again to MIAB, as I said small footprint, low costs for the server on the hosting providers, as we don’t need too much to run it, unlike the others I’ve tested.

The problem with the Cloudflare integration is we cannot issue/renew the domain certs if the records are being ‘protected’ by the Cloudflare proxy. So using the API gets around this issue.

Thanks again for your replies.
JG

I mean to only use MiaB DNS server for only the domain that is only used for only being a mail server and is not used anywhere else for any other purpose on any server anywhere.

If the domain for the mail server is example.net, then that domain is only used for the mail server, and does not exist any other place.

If you are concerned about the vaporization of the server from all existence, then you are going to suffer this issue in regards to backup of mail on the server that most users use exclusively through IMAP, so if you have no backup plan for your mail server, and you are concerned about this, then, from that perspective, you are assured to lose everything, anyway, and users will likely be more angry at you for losing all of their mail than the DNS being unavailable for some short period.

As for domains that are served from a web server some place else, which also make use of some external DNS, such as Cloudflare, there is no reason to have the MiaB DNS server do anything, at all, with such domains, and, just the same, MiaB will not have anything to do with the TLS certificates for such a domain.

From my perspective, you have spent more time trying to hash out an unnecessarily complex configuration than just going to your favorite registrar, shelling out $12 for a domain, using the MiaB autoconfig, making some simple MX record changes on the other domains, then going on with your life.

@openletter you are correct!

Too much for too little … I’m now testing a simple config for all domains.
This is why we ask, thank you.

BTW, not used to doing things this way, but after 35 years in IT… I like to learn some new ideas, and not stick to the old ones.
Regards.
JG

Roughly 5% of human communication is the actual text. I have observed this to be true through 20+ years of online communications.
