From: Discuss [mailto:discuss-bounces+blu=nedharvey....@blu.org] On
Behalf Of David Kramer
> I also complicated
> things by trying to use an SSL certificate from https://letsencrypt.org
> instead of self-signed,
I'm a huge fan of free certs from https://startssl.com, and personally I don't
think letsencrypt deserves the hype. But I have nothing against letsencrypt. No
matter how you do it, making the internet a better place is a good thing.
> Current status:
> I backed up /etc and nuked Postfix and Dovecot and started over.
You should be using ansible or something to make these changes. That way you
can easily rebuild and test systems, and the next time you have to migrate to a
new server (because centos 10 came out and centos 7 will stop receiving
updates, or something like that)... You'll know exactly how the old one was
configured. The migration process is *way* easier.
> I also couldn't log in from my Android phone (certs prolly)
Let's encrypt has a root (they named it ISRG Root), and an intermediate (they
named it Let's Encrypt Authority, which I'll abbreviate LEA). Normally the
intermediate gets signed by the root, and so it is, but since their root isn't
trusted by clients yet, they partnered with IdenTrust, so IdenTrust *also*
signs the LEA intermediate. When you install your cert into your server, you
have to make sure you install the right chain. That is - You have to install
the LEA intermediate that's signed by IdenTrust, and not the one that's signed
by ISRG Root.
> - letsencrypt sounded like a good option at the time, but it is still
> kinda in beta, and I couldn't connect my phone to the mail server, even
> saying "ssl accept any certificate". Is that a good option?
Eek. No, that is NOT a good option. You should literally never do that, if your
traffic goes over the internet. Although not trivial, it is *nearly* trivial
for an attacker to hack a router, configure it to automatically detect
self-signed certs flying by, and automatically perform a MITM attack.
> I'm willing
> to pay a reasonable price for a cert if I can use it for web and mail
> and there are advantages over free ones.
There are only two free options. Let's encrypt, and startssl. The complaint
people sometimes have about startssl is that revocation is $25. The cheapest
non-free cert is RapidSSL from namecheap for $11. So to determine which is the
best option for you, you need to calculate the probability of needing a
revocation (let's say 1%) and compare 1% of $25 versus $11 to get a new one
that includes free revocation.
Sorry, I neglected to mention - The *actual* cheapest non-free cert is
PositiveSSL, for $9, but it's signed by two intermediates, which is so unusual
that a lot of clients don't test that configuration well, so a lot of clients
aren't compatible with PositiveSSL. Ask me how I found out. ;-) Fortunately,
they issued me a refund that I applied toward RapidSSL.
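The cross-signed intermediate point above is easy to reproduce offline. The script below is an added example, not something from this thread or from Let's Encrypt: it builds a throwaway PKI with two roots ("Trusted Root" standing in for IdenTrust, "New Root" standing in for ISRG Root), one intermediate key cross-signed by both roots, and a leaf issued by that intermediate, then checks which copy of the intermediate a client that trusts only the old root can validate. All names, file names and the mail.example.test hostname are constructed; the only assumption is that the openssl CLI (1.1.1 or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Mirrors the Let's Encrypt chain
# situation: one intermediate key, two issuer signatures, and a client that
# trusts only the older root. Assumes the openssl CLI is on PATH.
set -eu

WORK=$(mktemp -d)
CNF="$WORK/demo.cnf"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF

# Self-signed root CA. $1 = file prefix, $2 = CN.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$CNF" -extensions v3_ca -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Fresh key plus CSR. $1 = file prefix, $2 = CN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$CNF" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign a CSR. $1 = csr prefix, $2 = issuer cert prefix, $3 = issuer key prefix,
# $4 = extension section, $5 = output prefix.
issue() {
  openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$CNF" -extensions "$4" -out "$WORK/$5.pem" 2>/dev/null
}

# Does the leaf validate for a client whose trust store holds only ROOT ($1)
# and which receives INTERMEDIATE ($2) from the server? Exit 0 = valid chain.
verify_chain() {
  openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

make_root trusted-root "Trusted Root"   # the IdenTrust analogue (already trusted)
make_root new-root "New Root"           # the ISRG Root analogue (not trusted yet)
make_csr intermediate "Demo Intermediate"
# Same intermediate key and subject, two different issuers: the cross-sign.
issue intermediate trusted-root trusted-root v3_ca int-by-trusted
issue intermediate new-root new-root v3_ca int-by-new
make_csr leaf "mail.example.test"
# The leaf's issuer name is identical whichever copy the server later ships.
issue leaf int-by-trusted intermediate v3_leaf leaf

# The intermediate the server serves decides whether an old client validates.
for inter in int-by-trusted int-by-new; do
  if verify_chain trusted-root "$inter"; then
    echo "client trusts only Trusted Root, server sends $inter: OK"
  else
    echo "client trusts only Trusted Root, server sends $inter: FAIL"
  fi
done
```

The leaf and the intermediate key never change; only the intermediate certificate shipped in the server's chain file differs, which is why installing the ISRG-signed copy breaks clients that have only IdenTrust in their trust store while the IdenTrust-signed copy works. A client that already carries the new root validates the other copy just as well, which `verify_chain new-root int-by-new` shows.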