# mail server + letsencrypt + jails



## s2r (Jan 13, 2020)

I'm using a VPS on Linode runing 12.1. In the server I've got postfix+dovecot for virtualsdomains and to serve one or many of those virtualdomains.
All http traffic is redirected to a jail just to act as a reverse proxy. from that jail depending on the destination domain the request is sent to the appropiate server (I'm using gunicorn for a small django app) I received a reminder from LetsEncrypt that my certificates will be expiring soon, I moved each domain from the main vps to jails in other to make it more secure however I didn't think on the process for renewing certificates.

If I run certbot form the main server (fbsd vps instance) I won't be receiving any incoming http connections since all the traffic is redirected to the reverse proxy jail. If I run certbot from the reverseproxy jail, how would I move/store the certificates main instance so the smtp+dovecot won't fail?

I could stop redirecting http traffic to the reverse proxy, then run certbot and then enabling the pf rule again....? What's the best way to enable/disable rdr rules in pf? Should I create a table and the insert/remove entries so I don't need to reload all rules?


----------



## usdmatt (Jan 13, 2020)

Is it possible to run certbot on the main server but give it the path to the webroot inside the jail? The file systems for the jails are basically just folders on the host right?

obviously you’d have to manually reload the web server to pick it up although it could easily be scripted


----------



## s2r (Jan 13, 2020)

I think you are right, but I've got gunicorn serving the webpages inside the jail, so if I change the webroot directory for certbot and the response token is stored inside domain.com/.well-known/xxxxxx gunicorn wouldn't know how to handle it since it's serving a django app.


----------



## SirDice (Jan 14, 2020)

Filter out the requests to /.well-known/* on the reverse proxy and redirect them to a local webserver. Letsencrypt certificates are refreshed on the host too, then copied to all jails where I need them.


----------



## s2r (Jan 14, 2020)

Thank you Sir, I about to start modifying nginx.conf to add somethig like below when I read your message.


```
location ^~ /.well-known/acme-challenge/ {
                        default_type "text/plain";
                        root /usr/local/www/letsencrypt;
        }
```

I tried and it worked!!


----------

