> On Apr 6, 2025, at 11:14, John Levine via mailop <mailop@mailop.org> wrote:
>
> It appears that Hal Murray via mailop <halmurray+mai...@sonic.net> said:
>>
>> Lyle Giese said:
>>> Let's Encrypt requires (according to documentation I have seen) Port 80
>>> TCP be in use for verification. I have no other legit use for Port 80
>>> on this smart host and decided a long time ago, not to use Let's Encrypt
>>> for that reason.
>>
>> It's trying to verify that you control the systems that the DNS points to.
>
> As others have noted, you can put a validation record in your DNS, no port 80
> needed. That's what I do.
>
> It was a modest pain to set up but it works great. My mail server has 100 names
> and 100 certs (one for each domain it hosts) and the renewals all work
> automatically.
I'm going to note that for me, the game changer, rather than making all my zones dynamic, was adding a CNAME for the challenge to some other domain that was only used for challenges (and that only has one NS record, so there's no propagation delays). For example:

_acme-challenge.mailserver.company.com. IN CNAME mailserver.company.com.acme.company.com.

(These need not even be under the same root domain.) This way, you are only worried about updating acme.company.com, rather than hundreds of zones. (We made our nsupdate script throw wild errors if it discovered that CNAME not present.)

Even if you didn't want to play with DDNS, you can build a zone on the fly when issuing certs, and rndc reload it (since there's nothing else of consequence in acme.company.com but an NS and SOA record).

-Dan

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
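The CNAME delegation check and the on-the-fly challenge zone described in Dan's message, as an added example that is not code from the thread or from any ACME client; acme.company.com, ns1.company.com and the hostnames are assumed sample values, and the CNAME resolver is injected so the check runs offline:

```python
"""Verify _acme-challenge CNAME delegation and render a throwaway challenge zone.

ACME_ZONE is the dedicated, challenge-only zone (assumed value from the thread);
resolve_cname is injected so this runs without network access."""

ACME_ZONE = "acme.company.com."  # assumed: holds only SOA, NS and TXT records

def challenge_name(host: str) -> str:
    """Owner name the CA will query for the DNS-01 TXT record."""
    return f"_acme-challenge.{host.rstrip('.')}."

def delegation_target(host: str) -> str:
    """Where that name's CNAME must point: <host>.<challenge zone>."""
    return f"{host.rstrip('.')}.{ACME_ZONE}"

def check_delegation(host: str, resolve_cname) -> str:
    """Refuse to issue unless the CNAME exists and points into ACME_ZONE.

    resolve_cname(name) returns the CNAME target (str) or None when absent."""
    name, want = challenge_name(host), delegation_target(host)
    got = resolve_cname(name)
    if got is None:
        raise RuntimeError(f"{name} has no CNAME; refusing to issue")
    if got.rstrip(".").lower() != want.rstrip(".").lower():
        raise RuntimeError(f"{name} -> {got}, expected {want}")
    return want

def build_zone(tokens: dict, serial: int, ns: str = "ns1.company.com.") -> str:
    """Render a minimal zone file for ACME_ZONE, ready for `rndc reload`.

    tokens maps hostname -> challenge value. Owner names are relative to
    $ORIGIN, so "mailserver.company.com" becomes
    mailserver.company.com.acme.company.com., matching the CNAME target."""
    lines = [
        f"$ORIGIN {ACME_ZONE}",
        "$TTL 60",  # short TTL: the TXT values change on every issuance
        f"@ IN SOA {ns} hostmaster.company.com. {serial} 3600 600 86400 60",
        f"@ IN NS {ns}",
    ]
    for host, token in sorted(tokens.items()):
        lines.append(f'{host.rstrip(".")} IN TXT "{token}"')
    return "\n".join(lines) + "\n"
```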