justin/new-site
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

infra: MTA-STS status note - cert pending stable HE.net DNS propagation

Browse source
This commit is contained in:
justin 2026-06-06 19:37:37 -05:00
parent 7bd2f70de4
commit 34daa0c1d3
1 changed files with 10 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

10
infra/mta-sts/README.md
View file

@ -13,3 +13,13 @@ resolves, run:
sudo certbot certonly --webroot -w /var/www/certbot -d mta-sts.performancewest.net --non-interactive --agree-tos -m admin@performancewest.net
then upgrade pw-mta-sts.conf to an HTTPS (443) server block (see pw-listmonk-hc.conf
pattern) and reload nginx. MTA-STS requires the policy be served over valid HTTPS.
## STATUS 2026-06-07
- DNS A record added + policy file served over HTTP (working).
- Cert issuance FAILED twice: HE.net secondary DNS is flapping (mta-sts resolves
on 1.1.1.1/9.9.9.9 but intermittently empty on 8.8.8.8), so Let's Encrypt's
multi-vantage validation can't get consistent resolution. nginx left on the
safe HTTP-only vhost. RETRY the certbot command above once `dig +short
mta-sts.performancewest.net` is stable across 8.8.8.8 / 1.1.1.1 / 9.9.9.9,
then upgrade to the 443 vhost. (nginx -t before any reload — a missing cert
ref will break the reload.)