Dovecot mail certificate

I have a question about certificates for the Dovecot mail server.

I have multiple nodes, among which node 1 (ns-leader.domain.tld) and node 3 (ns-mail.domain.tld).
The router has port 80 and port 443 forwarded to node 1, and my public DNS has a wildcard pointing to the external IP of the router. Node 3 is not exposed to the internet; at a later stage I would forward the IMAP/SMTP ports.

I can request a Let's Encrypt certificate for ns-leader.domain.tld.

But my mail server app, mail.domain.tld on node ns-mail.domain.tld, does not get a certificate.

From the forums I understood that I should NOT request a certificate for mail.domain.tld myself, but let the app request it. I reconfigured that app multiple times, and even created HTTP routes from ns-leader to ns-mail for mail.domain.tld, but with or without them no certificate is being deployed.

(Checked with openssl s_client -connect ns-mail.domain.tld:465 -brief. I get the self-signed CN=host-22327.ns8.test.)

One time I received a valid certificate; this was when I moved the mail app from node 3 to the exposed node 1. But this is not the preferred location for the app.

Are certificates requested by a node also available to other nodes? How would the mail node know which node is exposed to the internet?
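A way to automate the check quoted above (the openssl s_client look at port 465), as an added example that is not part of this thread or of NethServer: a standard-library Python script that does a verifying TLS handshake against the mail node with SNI set to the expected name, plus a pure classify_cert() function that runs offline on getpeercert()-style dicts. The host names, ports and the two certificate dicts are assumptions, constructed to mirror the self-signed CN=host-22327.ns8.test the poster saw and the Let's Encrypt certificate the node should present once the ACME challenge works.

```python
"""Check which TLS certificate a mail node presents on its IMAPS/SMTPS port.

Added example, not from the forum thread or from NethServer. The live check
needs network access; classify_cert() is pure and runs on the constructed
certificate dicts below, which mirror what the thread describes.
"""
import socket
import ssl
import sys
import time


def _dn_to_dict(rdns):
    """ssl.getpeercert() encodes a DN as a tuple of RDNs, each a tuple of (key, value)."""
    return {k: v for rdn in rdns for (k, v) in rdn}


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact, or one wildcard covering the leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.domain.tld" -> ".domain.tld"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return False


def classify_cert(cert, expected_name, now_ts):
    """Return the problems with a getpeercert()-style dict; an empty list means it looks right."""
    problems = []
    subject = _dn_to_dict(cert.get("subject", ()))
    issuer = _dn_to_dict(cert.get("issuer", ()))
    if subject == issuer:
        problems.append("self-signed (issuer equals subject)")
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names and "commonName" in subject:
        names = [subject["commonName"]]  # legacy fallback when there is no SAN
    if not any(hostname_matches(n, expected_name) for n in names):
        problems.append(f"no SAN/CN matches {expected_name}: {names}")
    if now_ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


def fetch_peer_cert(host, port, expected_name, timeout=5.0):
    """Verifying handshake (system trust store, SNI = expected_name).

    Returns (cert_dict, None) on success or (None, reason) when verification fails,
    e.g. 'self-signed certificate' for a node that never got its ACME certificate.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=expected_name) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message


# Constructed getpeercert()-style dicts (not real certificates):
# the node's default self-signed certificate, and a Let's Encrypt issued one.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "host-22327.ns8.test"),),),
    "issuer": ((("commonName", "host-22327.ns8.test"),),),
    "notBefore": "May 01 00:00:00 2024 GMT",
    "notAfter": "Apr 30 00:00:00 2025 GMT",
}
LETSENCRYPT_CERT = {
    "subject": ((("commonName", "mail.domain.tld"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "mail.domain.tld"),),
    "notBefore": "Jun 01 00:00:00 2024 GMT",
    "notAfter": "Aug 30 00:00:00 2024 GMT",
}


if __name__ == "__main__":
    # usage: python check_mail_cert.py ns-mail.domain.tld 465 mail.domain.tld
    host, port, name = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    cert, reason = fetch_peer_cert(host, port, name)
    if cert is None:
        print(f"{host}:{port} FAILED verification for {name}: {reason}")
    else:
        problems = classify_cert(cert, name, time.time())
        print(f"{host}:{port} issuer={_dn_to_dict(cert['issuer']).get('commonName')}",
              "OK" if not problems else problems)
```

The live path deliberately uses a verifying context rather than CERT_NONE: with verification disabled, getpeercert() returns an empty dict, and the question a mail client actually asks is whether the certificate chains to a public CA and matches the name in the MX record, which is exactly what the handshake error reports when a node is still serving its self-signed default.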

Hi,

Every node that you want to obtain a Let's Encrypt certificate for needs port 80 or 443 open.

In your case you could, for example, use the http-01 challenge (port 80) on the leader node and the tls-alpn-01 challenge (port 443) on node 3. You could then forward port 80 to leader node 1 and port 443 to node 3; this way both nodes should be able to obtain Let's Encrypt certs.

Please check the following post for information about how to change the challenge type on your nodes. Check which Traefik instance is used on each node so that you set it on the right Traefik instance, for example traefik1 on node 1 and traefik3 on node 3.

Another way would be to use the DNS challenge, so you don't need to open ports, but it needs to be set up on the CLI; see NS8 and DNS-01 wildcard certificates - #8 by neuron-ch

I was somehow expecting that the nodes would work together to request and distribute certificates among them. I now understand that the Traefik instance requesting certificates has to be the one that actually has the open port on the internet.

Your solution worked right away, I changed the port forward of port 80 to the mail server and changed the traefik3 instance to use http-01.

(I'm also reverse-proxying other HTTPS sites through node 1, so I preferred to keep port 443 there.)

Thank you for your adequate support!
