Re: how to setup IMAPs with letsencrypt

2022-04-25 Thread Joseph Tam

On Sun, 24 Apr 2022, ミユナ (alice) wrote:


[Actually, I wrote]

otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


do you know how to implement this?


Others have pointed out resources, but at a very basic level, you'll need
a scriptable way to add TXT records for your domain. Plenty of ACMEbots
supply plugins for various cloud provider APIs, but if you're running
your own DNS server like I am, you may have to roll your own plugin.

If you don't have this level of control over your DNS zone, you'll have
to bodge it with HTTP challenge and a stub web server.


the original certificates were issued for the domain sample.com.
But can these certs be used for any.sample.com too?


For wildcarded certs (valid for *.sample.com), your only recourse is to
use DNS challenges.

Joseph Tam 


Re: how to setup IMAPs with letsencrypt

2022-04-25 Thread Richard Hector

On 24/04/22 13:14, ミユナ (alice) wrote:



Richard Hector wrote:

otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


Um, no I didn't. I replied to that. Please check your attributions :-)

Cheers,
Richard



Re: how to setup IMAPs with letsencrypt

2022-04-24 Thread Markus Winkler

On 24.04.22 02:45, Richard Hector wrote:

On 22/04/22 11:57, Joseph Tam wrote:

Keep in mind the subject name (CN or SAN AltNames) of your certificate
must match your IMAP server name e.g. if your certificate is
made for "www.mydomain.com", you'll have to configure your IMAP
clients to also use "www.mydomain.com" as the IMAP server name.

This typically means the web and IMAP server must reside on the
same server, otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


_A_ web server has to be there. It doesn't have to serve anything else 
useful. My mail server has a web server that only serves the LE challenge. 
Well, actually it's a proxy server that serves several other domains too, 
but there's nothing else served on that domain (at the moment).


if it wasn't already mentioned in this thread:

acme.sh (https://github.com/acmesh-official/acme.sh) has a builtin 
standalone webserver which can be used in such cases, there's no need for 
an additional web server. And Certbot has this functionality too.


acme.sh is a very simple and stable solution - it's just a shell script, no 
dependencies. I'm using it on a number of servers (together with 
Apache/Nginx or with the builtin standalone mode on mail gateways) without 
any problem.


Regards,
Markus


Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread Shawn Heisey

On 4/23/2022 6:45 PM, Richard Hector wrote:
_A_ web server has to be there. It doesn't have to serve anything else 
useful. My mail server has a web server that only serves the LE 
challenge. Well, actually it's a proxy server that serves several 
other domains too, but there's nothing else served on that domain (at 
the moment).


I didn't want to mess with creating a web infrastructure for the usual 
web-based validation that is common with LE.  Getting that working for 
my services would be very messy.  So I use DNS validation with 
LetsEncrypt, and I have wildcards in my cert.  You can see the cert at 
this location:


https://http3test.elyograg.org/

Reload the page to see if your browser can do http/3 -- the initial 
connection will usually be http/2.


Certbot has plugins for many common DNS providers that let it 
automatically add the validation records to your DNS.  I use a DNS 
provider which is not covered by the official plugins, but I found a 
third party hook script on github, so I have built scripts that 
accomplish completely automated certificate renewals with DNS 
validation.  I run the renew script with cron every other day, and have 
it waiting until 5 days before expiration before it actually does the 
renewal.  So I get a new cert about every 85 days, and it even installs 
the cert and restarts services on everything that needs it.


Thanks,
Shawn



Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread alice

Thank you Jeremy. I will check them out.

Jeremy Ardley wrote:
https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt-wildcard-certificates-with-certbot 



This may be more helpful 
https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7 



Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread Jeremy Ardley


On 24/4/22 9:22 am, Jeremy Ardley wrote:


For a start:

https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt-wildcard-certificates-with-certbot 



This may be more helpful 
https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7


--
Jeremy





Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread Jeremy Ardley


On 24/4/22 9:14 am, ミユナ (alice) wrote:



Richard Hector wrote:

otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


do you know how to implement this?

the original certificates were issued for the domain sample.com.
But can these certs be used for any.sample.com too?


There is a procedure for wildcards but it's a little complex. It helps 
to have your own bind server.


For a start:

https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt-wildcard-certificates-with-certbot

--
Jeremy





Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread alice




Richard Hector wrote:

otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


do you know how to implement this?

the original certificates were issued for the domain sample.com.
But can these certs be used for any.sample.com too?

Thanks


Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread Richard Hector

On 22/04/22 11:57, Joseph Tam wrote:

Keep in mind the subject name (CN or SAN AltNames) of your certificate
must match your IMAP server name e.g. if your certificate is
made for "www.mydomain.com", you'll have to configure your IMAP
clients to also use "www.mydomain.com" as the IMAP server name.

This typically means the web and IMAP server must reside on the
same server, otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


_A_ web server has to be there. It doesn't have to serve anything else 
useful. My mail server has a web server that only serves the LE 
challenge. Well, actually it's a proxy server that serves several other 
domains too, but there's nothing else served on that domain (at the moment).


Cheers,
Richard


Re: how to setup IMAPs with letsencrypt

2022-04-22 Thread Shawn Heisey

On 4/22/22 02:20, Jean-Daniel Dupas wrote:
While it's true for SMTP, my experience is that IMAP clients prefer 
imaps in 993 instead of STARTTLS.


I have a server with only port 993 opened, and almost never had any 
issue with client configuration.


I have noticed the opposite.  Every time I have configured a new mail 
client (which is most often but not always Thunderbird), it defaults to 
143 with STARTTLS.  Port 993 is available too, but my mail clients have 
never used it unless I explicitly configure it.


My dovecot is configured with "disable_plaintext_auth = yes" so only 
source IPs that are local to the machine (so the traffic never goes out 
on any network) are allowed to login without TLS. My webmail uses 
localhost so it is configured to use port 143 without encryption.


I know a lot of people are going to clamor that such traffic should be 
encrypted because it could be sniffed ... but if somebody has enough 
access such that they could sniff my backend services, the security 
battle is already lost, and they would be able to get any in-flight 
passwords even if the connection is encrypted.


Thanks,
Shawn



Re: how to setup IMAPs with letsencrypt

2022-04-22 Thread Jean-Daniel Dupas


> On 22 Apr 2022, at 01:50, Jeremy Ardley wrote:
> 
> 
> 
> On 22/4/22 7:44 am, al...@coakmail.com  wrote:
>>> On 22/4/22 7:25 am, al...@coakmail.com  wrote:
>>> 
>> Thanks. I will give a try.
>> after enabling SSL, can I disable port 143 entirely?
>> 
> Probably a bad idea. Many clients use STARTTLS on port 143 rather than TLS 
> on port 993
> 

While it's true for SMTP, my experience is that IMAP clients prefer imaps in 
993 instead of STARTTLS. 

I have a server with only port 993 opened, and almost never had any issue with 
client configuration.



Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Narcis Garcia

I'm using this dedicated address because personal addresses aren't 
masked enough at this mail public archive. Public archive administrator 
should fix this against automated addresses collectors.

On 22/4/22 at 1:40, Jeremy Ardley wrote:


On 22/4/22 7:25 am, al...@coakmail.com wrote:

hello

I have set up a website using letsencrypt for certification.
How can I set up IMAP to use these certs as well?

Thank you.


Make entries in /etc/dovecot/conf.d/10-ssl.conf

ssl = required

ssl_cert = 

You can override the global ssl certificates for specific domains in
/etc/dovecot/dovecot.conf


local special.example.com {
  protocol imap {
    ssl_cert = 
  }
}

+ You should make sure the "dovecot" service account has read access to
/etc/letsencrypt/live/special.example.com/privkey.pem

e.g. by adding the account to a common group with the LE files.


Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Jeremy Ardley


On 22/4/22 8:24 am, Jeremy Ardley wrote:


local mail.example.com {
  protocol imap {
    ssl_cert = 
  }
}

My error. The correct example domain override stanza is

#specific domain override

local special.example.com {
  protocol imap {
    ssl_cert = 
  }
}



Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Jeremy Ardley


On 22/4/22 7:50 am, Jeremy Ardley wrote:

On 22/4/22 7:44 am, al...@coakmail.com wrote:

On 22/4/22 7:25 am,al...@coakmail.com  wrote:


Thanks. I will give it a try.
After enabling SSL, can I disable port 143 entirely?

Probably a bad idea. Many clients use STARTTLS on port 143 rather 
than TLS on port 993





I forgot to mention that in /etc/dovecot/dovecot.conf you don't need to 
specify imaps.
Dovecot automatically listens on port 993 and 143 when ssl is specified 
and applies the ssl directive as indicated.


#global

# SSL/TLS support: yes, no, required. 

ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
ssl_cert = 

It is possible to generate a wildcard letsencrypt certificate 
*.example.com but the process is tricky and has unexpected side-effects 
such as typo.example.com resolving to example.com in DNS.


--
Jeremy





Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Benny Pedersen

On 2022-04-22 01:50, Jeremy Ardley wrote:

On 22/4/22 7:44 am, al...@coakmail.com wrote:


On 22/4/22 7:25 am, al...@coakmail.com wrote:


Thanks. I will give it a try.
After enabling SSL, can I disable port 143 entirely?


Probably a bad idea. Many clients use STARTTLS on port 143 rather
than TLS on port 993


keeping the footprint of servers minimal, for minimal risk, is not a bad idea


Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Joseph Tam




I have set up a website using letsencrypt for certification.
How can I set up IMAP to use these certs as well?


Make entries in /etc/dovecot/conf.d/10-ssl.conf

ssl = required

ssl_cert = 

Keep in mind the subject name (CN or SAN AltNames) of your certificate
must match your IMAP server name e.g. if your certificate is
made for "www.mydomain.com", you'll have to configure your IMAP
clients to also use "www.mydomain.com" as the IMAP server name.

This typically means the web and IMAP server must reside on the
same server, otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.

Joseph Tam 


Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Jeremy Ardley


On 22/4/22 7:44 am, al...@coakmail.com wrote:

On 22/4/22 7:25 am, al...@coakmail.com wrote:


Thanks. I will give it a try.
After enabling SSL, can I disable port 143 entirely?

Probably a bad idea. Many clients use STARTTLS on port 143 rather than 
TLS on port 993


--

Jeremy




Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Benny Pedersen

On 2022-04-22 01:44, al...@coakmail.com wrote:


Thanks. I will give it a try.
After enabling SSL, can I disable port 143 entirely?


yes


Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread alice
>
> On 22/4/22 7:25 am, al...@coakmail.com wrote:
>> hello
>>
>> I have set up a website using letsencrypt for certification.
>> How can I set up IMAP to use these certs as well?
>>
>> Thank you.
>>
> Make entries in /etc/dovecot/conf.d/10-ssl.conf
>
> ssl = required
>
> ssl_cert = 
> ssl_key = 
>
> in /etc/dovecot/dovecot.conf or in /etc/dovecot/conf.d/10-ssl.conf
>
> put
>
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
> ssl_prefer_server_ciphers = yes
>
> You can override the global ssl certificates for specific domains in
> /etc/dovecot/dovecot.conf
>


Thanks. I will give it a try.
After enabling SSL, can I disable port 143 entirely?




Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Jeremy Ardley


On 22/4/22 7:25 am, al...@coakmail.com wrote:

hello

I have set up a website using letsencrypt for certification.
How can I set up IMAP to use these certs as well?

Thank you.


Make entries in /etc/dovecot/conf.d/10-ssl.conf

ssl = required

ssl_cert = 
ssl_key = 

in /etc/dovecot/dovecot.conf or in /etc/dovecot/conf.d/10-ssl.conf

put

ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes

You can override the global ssl certificates for specific domains in
/etc/dovecot/dovecot.conf


local special.example.com {
  protocol imap {
    ssl_cert = 
  }
}



how to setup IMAPs with letsencrypt

2022-04-21 Thread alice
hello

I have set up a website using letsencrypt for certification.
How can I set up IMAP to use these certs as well?

Thank you.



Re: Letsencrypt/OpenSSL test - Verify return code: 21

2021-04-12 Thread Oscar del Rio



On 2021-04-10 12:09 p.m., Brady Shea wrote:


I finally 'fixed' it myself by using the LE 'fullchain.pem' 
certificate as the location for the 'ssl_cert' entry (and chain.pem 
for the ca entry). Previously, it was using the normal cert.pem file 
location. This is still the way it's setup on the other older machine 
and still works fine. Changes-


ssl_ca =  ('fullchain.pem' should work)
*ssl_cert =  (was 'cert.pem' previously)
ssl_key = 

/etc/letsencrypt/live/README:

`[cert name]/privkey.pem`  : the private key for your certificate.
`[cert name]/fullchain.pem`: the certificate file used in most server software.
`[cert name]/chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`[cert name]/cert.pem`     : will break many server configurations, and
                             should not be used without reading further documentation



Re: Letsencrypt/OpenSSL test - Verify return code: 21

2021-04-10 Thread Juri Haberland
On 11/04/2021 01:04, @lbutlr wrote:
> On 10 Apr 2021, at 12:57, Juri Haberland  wrote:
>> On 10/04/2021 19:52, @lbutlr wrote:
>>> On 10 Apr 2021, at 09:55, B Shea  wrote:
>>>> OpenSSL (Ubuntu default/repo version):  1.1.1f  31 Mar 2020
>>> 
>>> There have been a few critical patches to OpenSSL in the last year, 
>>> including a very important one to 1.1.1k just recently.
>>> 
>>> Not to do with your issue, but I suspect updating both openssl and Dovecot 
>>> are good first steps.
>> 
>> That is the version as distributed by Ubuntu with security fixes
>> backported as usual for most Linux distributions...
> 
> If the date is May 2020, then no, it hasn't.
> 
> As I said, there have been many patches since then, including one very 
> important one very recently (end of March, beginning of April).
> 

$ lsb_release --description
Description:	Ubuntu 20.04.2 LTS
$ openssl version
OpenSSL 1.1.1f  31 Mar 2020
$ dpkg -l | grep openssl
ii  openssl  1.1.1f-1ubuntu2.3  amd64  Secure Sockets Layer toolkit - cryptographic utility

$ zcat /usr/share/doc/openssl/changelog.Debian.gz | head -n 16
openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
- debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
  ssl/statem/extensions.c.
- debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
  <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
- debian/patches/CVE-2021-3449-3.patch: add a test to
  test/recipes/70-test_renegotiation.t.
- debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
  always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
  ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
  ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
- CVE-2021-3449

 -- Marc Deslauriers  Mon, 22 Mar 2021 07:37:17 -0400


So yes, it is up-to-date.


Cheers,
  Juri


Re: Letsencrypt/OpenSSL test - Verify return code: 21

2021-04-10 Thread @lbutlr
On 10 Apr 2021, at 12:57, Juri Haberland  wrote:
> On 10/04/2021 19:52, @lbutlr wrote:
>> On 10 Apr 2021, at 09:55, B Shea  wrote:
>>> OpenSSL (Ubuntu default/repo version):  1.1.1f  31 Mar 2020
>> 
>> There have been a few critical patches to OpenSSL in the last year, 
>> including a very important one to 1.1.1k just recently.
>> 
>> Not to do with your issue, but I suspect updating both openssl and Dovecot 
>> are good first steps.
> 
> That is the version as distributed by Ubuntu with security fixes
> backported as usual for most Linux distributions...

If the date is May 2020, then no, it hasn't.

As I said, there have been many patches since then, including one very 
important one very recently (end of March, beginning of April).

-- 
Greedo didn't shoot first, motherfucker!



Re: Letsencrypt/OpenSSL test - Verify return code: 21

2021-04-10 Thread Juri Haberland
On 10/04/2021 19:52, @lbutlr wrote:
> On 10 Apr 2021, at 09:55, B Shea  wrote:
>> OpenSSL (Ubuntu default/repo version):  1.1.1f  31 Mar 2020
> 
> There have been a few critical patches to OpenSSL in the last year, 
> including a very important one to 1.1.1k just recently.
> 
> Not to do with your issue, but I suspect updating both openssl and Dovecot 
> are good first steps.

That is the version as distributed by Ubuntu with security fixes
backported as usual for most Linux distributions...


Kind regards,
  Juri


Re: Letsencrypt/OpenSSL test - Verify return code: 21

2021-04-10 Thread @lbutlr
On 10 Apr 2021, at 09:55, B Shea  wrote:
> OpenSSL (Ubuntu default/repo version):  1.1.1f  31 Mar 2020

There have been a few critical patches to OpenSSL in the last year, including 
a very important one to 1.1.1k just recently.

Not to do with your issue, but I suspect updating both openssl and Dovecot are 
good first steps.

-- 
what is magic actually for?
For fixing things, dummy.



Re: Letsencrypt/OpenSSL test - Verify return code: 21

2021-04-10 Thread Aki Tuomi


> On 10/04/2021 19:09 Brady Shea  wrote:
> 
> 
> OS: Ubuntu 20.04.2 (on multi-core VM)
>  Dovecot (Ubuntu default/repo version): 2.3.7.2 (3c910f64b)
>  OpenSSL (Ubuntu default/repo version): 1.1.1f 31 Mar 2020
>  
>  Reproducing-
>  
>  Run: "openssl s_client -showcerts -connect imap.example.com:993 -servername 
> imap.example.com" (using a diff domain obviously)
>  
>  Produces error: "Verify return code: 21 (unable to verify the first 
> certificate)" (Meaning it is missing a CA verify from what I understand?)
>  
>  The "Verify return code: 21" error ONLY came to my attention after I had a 
> customer complain about adding an email account to an Android phone (using 
> the Google/Gmail default email app). -> "Certificate cannot be trusted" was 
> shown by app when verifying imap connection. I could force it to be used, but 
> this still bothered me, obviously. *The same certificate bundle is also used 
> by smtp/postfix and www/nginx and works just fine. Also the openssl test 
> shows 'verified' on both*
>  
>  I am posting to list mainly because on an older version of Dovecot I have 
> running (default repo version for Ubuntu 18), I do not have this problem 
> shown during testing with openssl. I did not have to change the ssl_cert or 
> ssl_ca value in config. It has identical local.conf settings other than that. 
> Granted it is also an older openssl version, too. So, I feel this may be a 
> bug with Dovecot (or possibly OpenSSL).
>  
>  I finally 'fixed' it myself by using the LE 'fullchain.pem' certificate as 
> the location for the 'ssl_cert' entry (and chain.pem for the ca entry). 
> Previously, it was using the normal cert.pem file location. This is still the 
> way it's setup on the other older machine and still works fine. Changes-
>  
>  ssl_ca =  ('fullchain.pem' should work)
>  *ssl_cert =  (was 'cert.pem' previously)
>  ssl_key = 
>  You can also view the problem here for more info : 
> https://superuser.com/a/1640778/47628
>  
>  Thanks ahead for any insight into this..
>  
>  
>  

In 2.2 it was an unfortunate mistake that ssl_ca was concatenated with 
ssl_cert. In 2.3 this was fixed to work as it should, as in, ssl_ca is used to 
*verify* incoming connections and ssl_cert needs to contain the full chain 
certificate.

Aki
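As an added example (not code from this thread or from Dovecot), the following Python script encodes the two checks the thread arrives at: Aki's point that in Dovecot 2.3 `ssl_cert` must carry the full chain (fullchain.pem, not cert.pem) while `ssl_ca` only verifies client certificates, and Joseph Tam's point that the certificate's names must match the IMAP server name clients use, including why a wildcard covers any.sample.com but not sample.com itself. The paths under /etc/letsencrypt/live/imap.example.com/ and the PEM bodies are constructed placeholders so it runs offline.

```python
"""Offline checks for a Dovecot TLS setup fed from Let's Encrypt files.
Added example, not code from this thread or from Dovecot; the paths under
/etc/letsencrypt/live/imap.example.com/ and the PEM bodies are constructed."""
import re

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----")
LIVE = "/etc/letsencrypt/live/imap.example.com/"
# Constructed stand-ins: one PEM block per certificate, dummy bodies.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB..placeholder..\n-----END CERTIFICATE-----\n"
FILES = {
    LIVE + "cert.pem": FAKE_CERT,           # leaf only: the setting that broke
    LIVE + "chain.pem": FAKE_CERT,          # intermediate only
    LIVE + "fullchain.pem": FAKE_CERT * 2,  # leaf + intermediate: what 2.3 needs
    LIVE + "privkey.pem": "-----BEGIN PRIVATE KEY-----\n..\n-----END PRIVATE KEY-----\n",
}

# The 'before' and 'after' configurations from the thread, as constructed text.
BROKEN_CONF = f"""
ssl = required
ssl_cert = <{LIVE}cert.pem
ssl_key = <{LIVE}privkey.pem
ssl_ca = <{LIVE}chain.pem
"""
FIXED_CONF = f"""
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cert = <{LIVE}fullchain.pem
ssl_key = <{LIVE}privkey.pem
local special.example.com {{
  protocol imap {{
    ssl_cert = </etc/letsencrypt/live/special.example.com/fullchain.pem
  }}
}}
"""


def parse_dovecot_settings(text):
    """Return {key: value} for top-level `key = value` lines; settings inside
    local/protocol override blocks are skipped and `#` comments dropped."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings


def lint_ssl_settings(settings, files=FILES):
    """Return findings (empty list = pass). `files` maps path -> content so
    this runs offline; whether the dovecot user can read privkey.pem is a
    filesystem question this check cannot answer."""
    findings = []
    if settings.get("ssl") != "required":
        findings.append("ssl should be 'required' so no client authenticates in plaintext")
    if "ssl_min_protocol" not in settings:
        findings.append("ssl_min_protocol is unset; TLSv1.2 is the usual floor")
    cert = settings.get("ssl_cert", "")
    if not cert.startswith("<"):
        findings.append("ssl_cert must read a file: ssl_cert = </path/to/fullchain.pem")
    else:
        count = len(PEM_CERT_RE.findall(files.get(cert[1:], "")))
        if count == 0:
            findings.append(f"ssl_cert file {cert[1:]} is missing or holds no certificate")
        elif count == 1:  # leaf without intermediate: s_client reports verify code 21
            findings.append(f"ssl_cert file {cert[1:]} holds only the leaf; clients report "
                            "'unable to verify the first certificate'. Use fullchain.pem")
    if "ssl_ca" in settings:
        findings.append("ssl_ca verifies client certificates in Dovecot 2.3; the server's "
                        "intermediate belongs in ssl_cert, not here")
    key = settings.get("ssl_key", "")
    if not key.startswith("<") or key[1:] not in files:
        findings.append("ssl_key must read an existing private key file")
    return findings


def hostname_matches(hostname, san_names):
    """True if `hostname` is covered by one of the certificate's DNS names.
    A wildcard covers exactly one label: *.sample.com matches any.sample.com
    but neither sample.com itself nor a.b.sample.com."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False
```

Running `lint_ssl_settings(parse_dovecot_settings(BROKEN_CONF))` reproduces the thread's three problems, while the fixed configuration returns no findings.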


Letsencrypt/OpenSSL test - Verify return code: 21

2021-04-10 Thread Brady Shea

OS: Ubuntu 20.04.2 (on multi-core VM)
Dovecot (Ubuntu default/repo version):  2.3.7.2 (3c910f64b)
OpenSSL (Ubuntu default/repo version):  1.1.1f  31 Mar 2020

Reproducing-

Run:  "openssl s_client -showcerts -connect imap.example.com:993 
-servername imap.example.com" (using a diff domain obviously)


Produces error: "Verify return code: 21 (unable to verify the first 
certificate)" (Meaning it is missing a CA verify from what I understand?)


The "Verify return code: 21" error ONLY came to my attention after I had 
a customer complain about adding an email account to an Android phone 
(using the Google/Gmail default email app). -> "Certificate cannot be 
trusted" was shown by app when verifying imap connection. I could force 
it to be used, but this still bothered me, obviously. *The same 
certificate bundle is also used by smtp/postfix and www/nginx and works 
just fine. Also the openssl test shows 'verified' on both*


I am posting to list mainly because on an older version of Dovecot I 
have running (default repo version for Ubuntu 18), I do not have this 
problem shown during testing with openssl. I did not have to change the 
ssl_cert or ssl_ca value in config. It has identical local.conf settings 
other than that. Granted it is also an older openssl version, too. So, I 
feel this may be a bug with Dovecot (or possibly OpenSSL).


I finally 'fixed' it myself by using the LE 'fullchain.pem' certificate 
as the location for the 'ssl_cert' entry (and chain.pem for the ca 
entry). Previously, it was using the normal cert.pem file location. This 
is still the way it's setup on the other older machine and still works 
fine. Changes-


ssl_ca =  ('fullchain.pem' should work)
*ssl_cert =  (was 'cert.pem' previously)
ssl_key = 

You can also view the problem here for more info : 
https://superuser.com/a/1640778/47628


Thanks ahead for any insight into this..





Letsencrypt/OpenSSL test - Verify return code: 21

2021-04-10 Thread B Shea

OS: Ubuntu 20.04.2 (on multi-core VM)
Dovecot (Ubuntu default/repo version):  2.3.7.2 (3c910f64b)
OpenSSL (Ubuntu default/repo version):  1.1.1f  31 Mar 2020

Reproducing-

Run:  "openssl s_client -showcerts -connect imap.example.com:993 
-servername imap.example.com" (using a diff domain obviously)


Produces error: "Verify return code: 21 (unable to verify the first 
certificate)" (Meaning it is missing a CA verify from what I understand?)


The "Verify return code: 21" error ONLY came to my attention after I had 
a customer complain about adding an email account to an Android phone 
(using the Google/Gmail default email app). -> "Certificate cannot be 
trusted" was shown by app when verifying imap connection. I could force 
it to be used, but this still bothered me, obviously. *The same 
certificate bundle is also used by smtp/postfix and www/nginx and works 
just fine. Also the openssl test shows 'verified' on both*


I am posting to list mainly because on an older version of Dovecot I 
have running (default repo version for Ubuntu 18), I do not have this 
problem shown during testing with openssl. I did not have to change the 
ssl_cert or ssl_ca value in config. It has identical local.conf settings 
other than that. Granted it is also an older openssl version, too. So, I 
feel this may be a bug with Dovecot (or possibly OpenSSL).


I finally 'fixed' it myself by using the LE 'fullchain.pem' certificate 
as the location for the 'ssl_cert' entry (and chain.pem for the ca 
entry). Previously, it was using the normal cert.pem file location. This 
is still the way it's setup on the other older machine and still works 
fine. Changes-


ssl_ca =  ('fullchain.pem' should work)
*ssl_cert =  (was 'cert.pem' previously)
ssl_key = 

You can also view the problem here for more info : 
https://superuser.com/a/1640778/47628


Thanks ahead for any insight into this..




Re: Letsencrypt certificate for repo.dovecot.org expired May 14th..

2018-09-12 Thread Aki Tuomi
So it seems. Guess our certbot does not support post hook directories,
since it's not executing the hooks there.

Aki


On 12.09.2018 08:56, B. Reino wrote:
>
> FYI, it happened again :)
>
> On July 15, 2018 10:49:08 AM GMT+02:00, "B. Reino"  wrote:
>> Dear Aki,
>>
>> I think the renewal failed again. The SSL certificate expired Saturday,
>>
>> 14 July 2018.
>>
>> This affects (at least) the repo.dovecot.org website and debian 
>> repository.
>>
>> Thanks,
>> Bernardo.
>>
>> On 2018-05-15 08:15, Aki Tuomi wrote:
>>> On 15.05.2018 09:14, B. Reino wrote:
>>>> Dear all,
>>>>
>>>> Just in case you've missed it, the certificate for repo.dovecot.org
>>>> just expired yesterday.
>>>>
>>>> This causes errors in e.g. apt-get update.
>>>>
>>>> Thanks in advance for fixing it,
>>>>
>>>> --
>>>> B. Reino
>>> Seems something went wrong during deployment, thanks. It's fixed now.
>>>
>>> Aki



Re: Letsencrypt certificate for repo.dovecot.org expired May 14th..

2018-09-11 Thread B. Reino



FYI, it happened again :)

On July 15, 2018 10:49:08 AM GMT+02:00, "B. Reino"  wrote:
>Dear Aki,
>
>I think the renewal failed again. The SSL certificate expired Saturday,
>
>14 July 2018.
>
>This affects (at least) the repo.dovecot.org website and debian 
>repository.
>
>Thanks,
>Bernardo.
>
>On 2018-05-15 08:15, Aki Tuomi wrote:
>> On 15.05.2018 09:14, B. Reino wrote:
>>> Dear all,
>>> 
>>> Just in case you've missed it, the certificate for repo.dovecot.org
>>> just expired yesterday.
>>> 
>>> This causes errors in e.g. apt-get update.
>>> 
>>> Thanks in advance for fixing it,
>>> 
>>> --
>>> B. Reino
>> 
>> Seems something went wrong during deployment, thanks. It's fixed now.
>> 
>> Aki


Re: Letsencrypt certificate for repo.dovecot.org expired May 14th..

2018-07-15 Thread DurgaPrasad - DatasoftComnet
:)

Rgds/DP
9849111010 

Sent from my iPhone. Pls excuse brevity and typos if any. 

> On 15-Jul-2018, at 5:00 PM, Aki Tuomi  wrote:
> 
> certbot clearly hates me
> 
> ---
> Aki Tuomi
> Dovecot oy
> 
>  Original message 
> From: "B. Reino" 
> Date: 15/07/2018 11:49 (GMT+02:00)
> To: Aki Tuomi 
> Cc: Dovecot Mailing List 
> Subject: Re: Letsencrypt certificate for repo.dovecot.org expired May 14th..
> 
> Dear Aki,
> 
> I think the renewal failed again. The SSL certificate expired Saturday, 
> 14 July 2018.
> 
> This affects (at least) the repo.dovecot.org website and debian 
> repository.
> 
> Thanks,
> Bernardo.
> 
> On 2018-05-15 08:15, Aki Tuomi wrote:
> > On 15.05.2018 09:14, B. Reino wrote:
> >> Dear all,
> >> 
> >> Just in case you've missed it, the certificate for repo.dovecot.org
> >> just expired yesterday.
> >> 
> >> This causes errors in e.g. apt-get update.
> >> 
> >> Thanks in advance for fixing it,
> >> 
> >> --
> >> B. Reino
> > 
> > Seems something went wrong during deployment, thanks. It's fixed now.
> > 
> > Aki


Re: Letsencrypt certificate for repo.dovecot.org expired May 14th..

2018-07-15 Thread Aki Tuomi
certbot clearly hates me
---
Aki Tuomi
Dovecot oy

 Original message 
From: "B. Reino" 
Date: 15/07/2018 11:49 (GMT+02:00)
To: Aki Tuomi 
Cc: Dovecot Mailing List 
Subject: Re: Letsencrypt certificate for repo.dovecot.org expired May 14th..
Dear Aki,

I think the renewal failed again. The SSL certificate expired Saturday, 
14 July 2018.

This affects (at least) the repo.dovecot.org website and debian 
repository.

Thanks,
Bernardo.

On 2018-05-15 08:15, Aki Tuomi wrote:
> On 15.05.2018 09:14, B. Reino wrote:
>> Dear all,
>> 
>> Just in case you've missed it, the certificate for repo.dovecot.org
>> just expired yesterday.
>> 
>> This causes errors in e.g. apt-get update.
>> 
>> Thanks in advance for fixing it,
>> 
>> --
>> B. Reino
> 
> Seems something went wrong during deployment, thanks. It's fixed now.
> 
> Aki


Re: Letsencrypt certificate for repo.dovecot.org expired May 14th..

2018-07-15 Thread B. Reino

Dear Aki,

I think the renewal failed again. The SSL certificate expired Saturday, 
14 July 2018.


This affects (at least) the repo.dovecot.org website and debian 
repository.


Thanks,
Bernardo.

On 2018-05-15 08:15, Aki Tuomi wrote:

On 15.05.2018 09:14, B. Reino wrote:

Dear all,

Just in case you've missed it, the certificate for repo.dovecot.org
just expired yesterday.

This causes errors in e.g. apt-get update.

Thanks in advance for fixing it,

--
B. Reino


Seems something went wrong during deployment, thanks. It's fixed now.

Aki


Re: Letsencrypt certificate for repo.dovecot.org expired May 14th..

2018-05-15 Thread B. Reino

On Tue, 15 May 2018, Aki Tuomi wrote:


On 15.05.2018 09:14, B. Reino wrote:

Dear all,

Just in case you've missed it, the certificate for repo.dovecot.org
just expired yesterday.

This causes errors in e.g. apt-get update.

Thanks in advance for fixing it,

--
B. Reino


Seems something went wrong during deployment, thanks. It's fixed now.

Aki



Yup, working fine now :)

Thanks!



Re: Letsencrypt certificate for repo.dovecot.org expired May 14th..

2018-05-15 Thread Aki Tuomi


On 15.05.2018 09:14, B. Reino wrote:
> Dear all,
>
> Just in case you've missed it, the certificate for repo.dovecot.org
> just expired yesterday.
>
> This causes errors in e.g. apt-get update.
>
> Thanks in advance for fixing it,
>
> -- 
> B. Reino

Seems something went wrong during deployment, thanks. It's fixed now.

Aki


Letsencrypt certificate for repo.dovecot.org expired May 14th..

2018-05-15 Thread B. Reino

Dear all,

Just in case you've missed it, the certificate for repo.dovecot.org just 
expired yesterday.


This causes errors in e.g. apt-get update.

Thanks in advance for fixing it,

--
B. Reino


Re: Dovecot and Letsencrypt certs

2017-09-13 Thread Robert Wolf
On Wed, 13 Sep 2017, Luigi Rosa wrote:

> Robert Wolf wrote on 13/09/2017 10:26:
> 
> > are you sure? What is the refresh time? Instantly or with some delay? Have
> > you tested what happens if I install new key, but I delay installing correct
> > certificate? Does postfix keep the old key+cert or stop using any cert
> > because the new key is not correct for the current(old) certificate?
> > 
> > On my postfix 2.9.6 on debian wheezy 7 and postfix 2.11.3 on debian jessie 8
> > I have to reload postfix. Postfix can use the same key+cert even if I deleted
> > these files.
> 
> Two days ago Viktor Dukhovni wrote on Postfix ML:
> 
> /*
> If you run certbot often enough to renew well in advance of expiration,
> reloads of Postfix are unnecessary, and just needlessly interrupt orderly
> processing of email by the queue manager.  Usually the new certificate will
> be automatically in use within "$max_idle * $max_use" seconds, and typically
> sooner, because processes either idle out quickly or reach the re-use limit
> quickly, handling $max_use connections that are exactly $max_idle apart is
> rather unlikely  By default that's 1 seconds or just under 3 hours.
> */


Hi Luigi,

you are right! The smtpd process really starts using the new certificate+key after 
this timeout (tested with max_use=1). OK, I thought it works similarly to the rsync 
daemon: the config file is read on each new connection, because it starts a new 
process. Similarly, the postfix master process starts the smtpd processes and 
they read the config and cert+key again. It's clear now.

Still, I prefer to do a reload if required and not wait until some timeout 
expires. And e.g. the getssl client can check if the certificate was correctly 
installed. And for this check it needs to run "reload".

And I prefer to reload cert+key manually instead of automatically, to be sure WHEN 
it will be done.

So I am OK with dovecot loading cert+key on start and reload :-)


Regards,

Robert.


Re: Dovecot and Letsencrypt certs

2017-09-13 Thread Luigi Rosa

Robert Wolf wrote on 13/09/2017 10:26:


are you sure? What is the refresh time? Instantly or with some delay? Have you
tested what happens if I install new key, but I delay installing correct
certificate? Does postfix keep the old key+cert or stop using any cert because
the new key is not correct for the current(old) certificate?

On my postfix 2.9.6 on debian wheezy 7 and postfix 2.11.3 on debian jessie 8 I
have to reload postfix. Postfix can use the same key+cert even if I deleted
these files.


Two days ago Viktor Dukhovni wrote on Postfix ML:

/*
If you run certbot often enough to renew well in advance of expiration,
reloads of Postfix are unnecessary, and just needlessly interrupt orderly
processing of email by the queue manager.  Usually the new certificate will
be automatically in use within "$max_idle * $max_use" seconds, and typically
sooner, because processes either idle out quickly or reach the re-use limit
quickly, handling $max_use connections that are exactly $max_idle apart is
rather unlikely  By default that's 1 seconds or just under 3 hours.
*/




--

Ciao,
luigi

+--[Luigi Rosa]--

Statistics: The only science that enables different experts using the same
figures to draw different conclusions.
--Evan Esar


Re: Dovecot and Letsencrypt certs

2017-09-13 Thread Robert Wolf
On Tue, 12 Sep 2017, Daniel Miller wrote:

> And remove that "postfix reload" command - Postfix doesn't require explicit
> reloading. It'll pickup the changed cert automagically.
> 
> Daniel


Hoi Daniel,

are you sure? What is the refresh time? Instantly or with some delay? Have you 
tested what happens if I install new key, but I delay installing correct 
certificate? Does postfix keep the old key+cert or stop using any cert because 
the new key is not correct for the current(old) certificate?

On my postfix 2.9.6 on debian wheezy 7 and postfix 2.11.3 on debian jessie 8 I 
have to reload postfix. Postfix can use the same key+cert even if I deleted 
these files.


Regards,

Robert.


Re: Dovecot and Letsencrypt certs

2017-09-12 Thread Adi Pircalabu


On 13/09/2017 05:31, Joseph Tam wrote:

On Tue, 12 Sep 2017, dovecot-request wrote:


What's wrong with using a certbot "post-hook" script such as:

#!/bin/bash
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"

if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
    /usr/local/sbin/dovecot reload
    /usr/sbin/postfix reload
fi


Nothing, if you let your certbot run as root.  (I'm assuming that's
how these hooks work -- it's called after cert renewal using the same
credentials as the certbot.)

If you use privilege separation, and run the certbot as a regular user
process, this won't work.  You might have this scenario if, for example
using the context of web serving, you serve many virtual sites with
different owners, and you don't want give each owner administrative
access.


There are options when running certbot as a non-privileged user, such as 
sudo, inotifywait -s -e modify /path/to/bundle.pem && doveadm reload and 
so on.


--
Adi Pircalabu


Re: Dovecot and Letsencrypt certs

2017-09-12 Thread Joseph Tam

On Tue, 12 Sep 2017, dovecot-requ...@dovecot.org wrote:


What's wrong with using a certbot "post-hook" script such as:

#!/bin/bash
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"

if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
    /usr/local/sbin/dovecot reload
    /usr/sbin/postfix reload
fi


Nothing, if you let your certbot run as root.  (I'm assuming that's
how these hooks work -- it's called after cert renewal using the same
credentials as the certbot.)

If you use privilege separation, and run the certbot as a regular user
process, this won't work.  You might have this scenario if, for example
using the context of web serving, you serve many virtual sites with
different owners, and you don't want give each owner administrative
access.

Joseph Tam <jtam.h...@gmail.com>


Re: Dovecot and Letsencrypt certs

2017-09-12 Thread Daniel Miller
And remove that "postfix reload" command - Postfix doesn't require 
explicit reloading. It'll pick up the changed cert automagically.


Daniel

On 9/12/2017 9:26 AM, Daniel Miller wrote:

What's wrong with using a certbot "post-hook" script such as:

#!/bin/bash
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"

if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
    /usr/local/sbin/dovecot reload
   /usr/sbin/postfix reload
fi

Daniel

On 9/11/2017 1:57 PM, Joseph Tam wrote:

<mas...@remort.net> writes:


"writing a script to check the certs" - there is no need to write any
scripts. As one mentioned, it's done by a hook to certbot. Please read
the manuals for LE or certbot. The issue you have is quite common and
of course certbot designed to do it for you.


Won't work, of course, if you employ the least-privilege security principle
and run the certbot as a non-privileged user.  You'll need a script with
administrator privileges to detect cert renewals and restart the service.


I can't willy-nilly restart dovecot to pick up renewed certs without
webmail disruptions.  (My webmail uses persistent IMAP sessions.)
All users get dumped and need to re-authenticate.  If a user happens to
be drafting a message that took 2 hours to compose, I will surely hear
about it.  I should probably install an IMAP proxy to isolate the effects
of restarts.  Most mail readers cope with restarts just fine, though.

Joseph Tam <jtam.h...@gmail.com>


Re: Dovecot and Letsencrypt certs

2017-09-12 Thread Daniel Miller

What's wrong with using a certbot "post-hook" script such as:

#!/bin/bash
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"

if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
    /usr/local/sbin/dovecot reload
   /usr/sbin/postfix reload
fi

Daniel

On 9/11/2017 1:57 PM, Joseph Tam wrote:

<mas...@remort.net> writes:


"writing a script to check the certs" - there is no need to write any
scripts. As one mentioned, it's done by a hook to certbot. Please read
the manuals for LE or certbot. The issue you have is quite common and
of course certbot designed to do it for you.


Won't work, of course, if you employ the least-privilege security principle
and run the certbot as a non-privileged user.  You'll need a script with
administrator privileges to detect cert renewals and restart the service.

I can't willy-nilly restart dovecot to pick up renewed certs without
webmail disruptions.  (My webmail uses persistent IMAP sessions.)
All users get dumped and need to re-authenticate.  If a user happens to
be drafting a message that took 2 hours to compose, I will surely hear
about it.  I should probably install an IMAP proxy to isolate the effects
of restarts.  Most mail readers cope with restarts just fine, though.

Joseph Tam <jtam.h...@gmail.com>
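
As an added example (it is not Daniel's script, nor code from certbot, Dovecot or Postfix): a certbot deploy hook in the spirit of the post-hook above, extended with the check Robert Wolf asks about further up the page, namely whether the key on disk really belongs to the certificate that is about to be served, before any service is told to reload. It matches `RENEWED_DOMAINS` against the exact mail host name rather than a substring, so a renewal for an unrelated name with the same suffix does not trigger a reload. It assumes openssl(1) is installed; the host name, the two file paths and the `doveadm reload` / `postfix reload` commands in reload_services() are placeholders to adapt.

```bash
#!/bin/bash
# Added example (not from the thread, nor certbot/Dovecot/Postfix code): a certbot
# deploy hook that reloads the mail services only when the mail host's certificate
# was renewed AND the files on disk are consistent. Placeholders (assumptions):
# the host name, the two paths, and the reload commands in reload_services().
set -eu

MAIL_HOST="imap.example.com"                                  # placeholder
CERT_FILE="/etc/letsencrypt/live/${MAIL_HOST}/fullchain.pem"  # placeholder path
KEY_FILE="/etc/letsencrypt/live/${MAIL_HOST}/privkey.pem"     # placeholder path

# Exact match of one host name against certbot's space-separated $RENEWED_DOMAINS.
# A substring or unanchored regex match would also fire for "notimap.example.com".
domain_renewed() {
  list=$1; wanted=$2
  for d in $list; do
    if [ "$d" = "$wanted" ]; then return 0; fi
  done
  return 1
}

# The public key inside the certificate must equal the one derived from the
# private key; otherwise a reload would put a mismatched pair into service.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then return 0; fi
  return 1
}

# Refuse a certificate that is expired or expires within the next 24 hours.
cert_still_valid() {
  openssl x509 -in "$1" -noout -checkend 86400 >/dev/null
}

# Kept separate so the commands can be adapted (or stubbed out when testing).
reload_services() {
  doveadm reload
  postfix reload
}

# 0: nothing to do, or services reloaded.  1: new files refused, nothing reloaded.
deploy_hook() {
  host=$1; cert=$2; key=$3
  if ! domain_renewed "${RENEWED_DOMAINS:-}" "$host"; then
    echo "deploy hook: $host not in RENEWED_DOMAINS, nothing to do"
    return 0
  fi
  if ! cert_matches_key "$cert" "$key"; then
    echo "deploy hook: refusing reload, $cert does not match $key" >&2
    return 1
  fi
  if ! cert_still_valid "$cert"; then
    echo "deploy hook: refusing reload, $cert is expired or about to expire" >&2
    return 1
  fi
  reload_services
  echo "deploy hook: services reloaded for $host"
}

# certbot exports RENEWED_DOMAINS (and RENEWED_LINEAGE) to its hooks; act only then,
# so running the script by hand without that variable does nothing.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
  deploy_hook "$MAIL_HOST" "$CERT_FILE" "$KEY_FILE"
fi
```

Wire it in with certbot's `--deploy-hook /path/to/this-script`; certbot sets `RENEWED_DOMAINS` for the hook, and because the script does nothing without that variable, the individual functions can be exercised by hand on a throwaway self-signed certificate before the hook is trusted with production files.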


Re: Dovecot and Letsencrypt certs

2017-09-11 Thread Joseph Tam

 writes:


"writing a script to check the certs" - there is no need to write any
scripts. As one mentioned, it's done by a hook to certbot. Please read
the manuals for LE or certbot. The issue you have is quite common and
of course certbot designed to do it for you.


Won't work, of course, if you employ the least-privilege security principle
and run the certbot as a non-privileged user.  You'll need a script with
administrator privileges to detect cert renewals and restart the service.

I can't willy-nilly restart dovecot to pick up renewed certs without
webmail disruptions.  (My webmail uses persistent IMAP sessions.)
All users get dumped and need to re-authenticate.  If a user happens to
be drafting a message that took 2 hours to compose, I will surely hear
about it.  I should probably install an IMAP proxy to isolate the effects
of restarts.  Most mail readers cope with restarts just fine, though.

Joseph Tam 


Re: Dovecot and Letsencrypt certs

2017-09-11 Thread Arkadiusz Miśkiewicz
On Friday 08 of September 2017, Ralph Seichter wrote:
> On 08.09.2017 16:20, LuKreme wrote:

> > However, it seems like checking the certs is something that dovecot
> > should be doing on its own.
> 
> What is Dovecot supposed to do? Keep track of the certificate expiry
> date? 

That was already discussed, but for another reason: dovecot shouldn't load SSL 
certificates into memory and should instead open & load the cert on demand (when a client 
connects and requests a particular domain via SNI, or the default if no SNI).

Why? Because dovecot *cannot* handle thousands of virtual domains and SSL 
certificates for these. It wastes so much RAM and times out on reloads in such a 
case. Tested here. [1]

That's why the only sensible solution is to work like exim - load the cert from 
disk on demand.

That fixes both problems - RAM waste/timeouts and refreshing certificates.


> -Ralph

1. https://dovecot.org/list/dovecot/2016-October/105855.html

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )


Re: Dovecot and Letsencrypt certs

2017-09-09 Thread Bill Shirley

Oh, also I removed the '2>1> /dev/null' from the acme.sh crontab entry so that
it will always send an email; and entered this in sieve:
# --- let's encrypt ---
# extensions used by the rules below (the sieve interpreter requires them to be declared)
require ["body", "regex", "imap4flags", "fileinto", "copy"];
if header :contains "subject" "acme.sh" {
  if body :regex "Error[[:space:]]+renew" {
#    redirect :copy "b...@example.com";
    addflag "$label1";    # Thunderbird red
    stop;
  }
  if body :regex "-BEGIN CERTIFICATE-" {
#    redirect :copy "b...@example.com";
    addflag "$label4";    # Thunderbird blue
    stop;
  }
  fileinto "AASystemAdministration.Cron.certificate";
  stop;
}
The redirect :copy I enable for my other servers to forward a copy
to me.

HTH,
Bill


On 9/9/2017 3:16 PM, Bill Shirley wrote:

If you're using acme.sh:
acme.sh --installcert -d imap.example.com \
  --keypath /etc/pki/dovecot/private/imap.example.com.pem \
  --certpath /etc/pki/dovecot/certs/imap.example.com.crt \
  --fullchainpath /etc/pki/dovecot/certs/imap.example.com.full.chain.crt \
  --reloadcmd    "systemctl reload dovecot.service"

HTH,
Bill

On 9/8/2017 9:56 AM, Darac Marjal wrote:

On Fri, Sep 08, 2017 at 06:47:25AM -0600, @lbutlr wrote:

So this morning at 4am I was awoken to my mail clients getting certificate 
errors for an expired certificate.

I hopped on to the server and checked and… no, the LE certs renewed last month 
and are valid until November.

After some moments of confusion I noticed that dovecot had been running since before the renewal, so I did a quick service 
dovecot restart which fixed everything.


Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the 
newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files)?


As you're using dehydrated, I can share what I do. My hook script basically calls "run-parts /etc/dehydrated/hooks.d/" so I 
can just drop hook scripts into that directory. Then in the hooks.d directory, I have the following:


#!/bin/bash

set -e
set -u
set -o pipefail

if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
    echo " + Hook: Restarting Dovecot..."
    /usr/sbin/service dovecot restart
fi

That means that dovecot will be restarted only if the certificate for the mail server is being deployed. If dehydrated runs, 
but fails to renew the certificate, then dovecot won't be restarted. Similarly, if it renews a different certificate, dovecot 
won't be restarted.


Hope that helps.




Should I just create a monthly cron to restart dovecot or is there something 
else?

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.




Re: Dovecot and Letsencrypt certs

2017-09-09 Thread Bill Shirley

If you're using acme.sh:
acme.sh --installcert -d imap.example.com \
  --keypath /etc/pki/dovecot/private/imap.example.com.pem \
  --certpath /etc/pki/dovecot/certs/imap.example.com.crt \
  --fullchainpath /etc/pki/dovecot/certs/imap.example.com.full.chain.crt \
  --reloadcmd    "systemctl reload dovecot.service"

HTH,
Bill

On 9/8/2017 9:56 AM, Darac Marjal wrote:

On Fri, Sep 08, 2017 at 06:47:25AM -0600, @lbutlr wrote:

So this morning at 4am I was awoken to my mail clients getting certificate 
errors for an expired certificate.

I hopped on to the server and checked and… no, the LE certs renewed last month 
and are valid until November.

After some moments of confusion I noticed that dovecot had been running since before the renewal, so I did a quick service 
dovecot restart which fixed everything.


Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the 
newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files)?


As you're using dehydrated, I can share what I do. My hook script basically calls "run-parts /etc/dehydrated/hooks.d/" so I 
can just drop hook scripts into that directory. Then in the hooks.d directory, I have the following:


#!/bin/bash

set -e
set -u
set -o pipefail

if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
    echo " + Hook: Restarting Dovecot..."
    /usr/sbin/service dovecot restart
fi

That means that dovecot will be restarted only if the certificate for the mail server is being deployed. If dehydrated runs, 
but fails to renew the certificate, then dovecot won't be restarted. Similarly, if it renews a different certificate, dovecot 
won't be restarted.


Hope that helps.




Should I just create a monthly cron to restart dovecot or is there something 
else?

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.




Re: Dovecot and Letsencrypt certs

2017-09-09 Thread Вадим Бажов
"writing a script to check the certs" - there is no need to write any
scripts. As one mentioned, it's done by a hook to certbot. Please read
the manuals for LE or certbot. The issue you have is quite common and
of course certbot is designed to do it for you.
The manual: https://certbot.eff.org/docs/using.html#renewing-certificates.
That's it. Problem solved.

2017-09-09 0:18 GMT+05:00 @lbutlr :
> On 08 Sep 2017, at 12:21, Ralph Seichter  wrote:
>> On 08.09.2017 19:51, @lbutlr wrote:
>>> How I would do it is IF the certificate is expired, the dovecot should
>>> check if there is a new cert and if so, load it.
>
>> New cert as in file modification date or checksum changed?
>
> Either one, but checksum is going to be more reliable.
>
>> Might work. Still, from what I seem to remember, Dovecot loads certificate 
>> data before dropping privileges, which is why reloading the data might be 
>> problematic without some changes.
>
> Can't dovecot reload itself? That could be a problem if not.
>
>> Not worth spending development effort on, IMO, given that Dovecot can easily 
>> be restarted by the external processes that update the cert (like Certbot 
>> hook, Ansible, etc.).
>
> All I'm saying is that it's a failure event that doesn't need to occur.
>
> --
> Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: Dovecot and Letsencrypt certs

2017-09-08 Thread @lbutlr
On 08 Sep 2017, at 12:21, Ralph Seichter  wrote:
> On 08.09.2017 19:51, @lbutlr wrote:
>> How I would do it is IF the certificate is expired, the dovecot should
>> check if there is a new cert and if so, load it.

> New cert as in file modification date or checksum changed?

Either one, but checksum is going to be more reliable.

> Might work. Still, from what I seem to remember, Dovecot loads certificate 
> data before dropping privileges, which is why reloading the data might be 
> problematic without some changes.

Can't dovecot reload itself? That could be a problem if not.

> Not worth spending development effort on, IMO, given that Dovecot can easily 
> be restarted by the external processes that update the cert (like Certbot 
> hook, Ansible, etc.).

All I'm saying is that it's a failure event that doesn't need to occur.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: Dovecot and Letsencrypt certs

2017-09-08 Thread Ralph Seichter
On 08.09.2017 19:51, @lbutlr wrote:

> How I would do it is IF the certificate is expired, the dovecot should
> check if there is a new cert and if so, load it.

New cert as in file modification date or checksum changed? Might work.
Still, from what I seem to remember, Dovecot loads certificate data
before dropping privileges, which is why reloading the data might be
problematic without some changes. Not worth spending development effort
on, IMO, given that Dovecot can easily be restarted by the external
processes that update the cert (like Certbot hook, Ansible, etc.).

-Ralph


Re: Dovecot and Letsencrypt certs

2017-09-08 Thread @lbutlr
On 08 Sep 2017, at 09:28, Вадим Бажов  wrote:
> "I think it’s probably easier to just kick dovecot once a month." -
> that's not good from system administration's point of view. You can
> get into trouble when certificate is renewed but dovecot isn't
> reloaded yet.

That's simply not possible. The cert renews well before it expires.

> "it seems like checking the certs is something that dovecot should be
> doing on its own" if dovecot loads it in memory, it shouldn't reread
> certificates.

Of course it should because certs are DESIGNED to expire and MUST expire, and 
dovecot certainly has the ability to see when the cert expires.

> Why to take servers resources just 'because of something
> may be changed'

Something WILL be changed, absolutely certain of that. All certs expire.

> restarting dovecot with no need ?

restarting/reloading dovecot is trivial and takes far less time than writing a 
script to check the certs and then creating a crontab for that which also gives 
a tertiary point of failure.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: Dovecot and Letsencrypt certs

2017-09-08 Thread Ralph Seichter
On 08.09.2017 16:20, LuKreme wrote:

> That is a great solution, but I think it’s probably easier to just
> kick dovecot once a month.

Certbot hooks are very easy to write, and are only executed when the
certificate is updated. In that light, I can see no advantage in "kick
dovecot once a month". ;-)

> However, it seems like checking the certs is something that dovecot
> should be doing on its own.

What is Dovecot supposed to do? Keep track of the certificate expiry
date? And if that is passed, then what? Automatically shutdown/restart?
What if the certificate has not been updated in between? I think that
handling certificates is better left to the administrator.

-Ralph


Re: Dovecot and Letsencrypt certs

2017-09-08 Thread Вадим Бажов
"I think it’s probably easier to just kick dovecot once a month." -
that's not good from a system administration point of view. You can
get into trouble when the certificate is renewed but dovecot isn't
reloaded yet. And doing something via cron just by guess, once a
month, is no-no logic.
"it seems like checking the certs is something that dovecot should be
doing on its own" - if dovecot loads it in memory, it shouldn't reread
certificates. Why take server resources, restarting dovecot with no
need, just 'because something may be changed'?
And never do a restart if a reload suits your needs. But check first
whether the reload action rereads the certificate from the file system.

2017-09-08 19:20 GMT+05:00 LuKreme :
> On Sep 8, 2017, at 07:56, Darac Marjal  wrote:
>> #!/bin/bash
>>
>> set -e
>> set -u
>> set -o pipefail
>>
>> if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
>>     echo " + Hook: Restarting Dovecot..."
>>     /usr/sbin/service dovecot restart
>> fi
>>
>> That means that dovecot will be restarted only if the certificate for the 
>> mail server is being deployed. If dehydrated runs, but fails to renew the 
>> certificate, then dovecot won't be restarted. Similarly, if it renews a 
>> different certificate, dovecot won't be restarted.
>
> That is a great solution, but I think it’s probably easier to just kick 
> dovecot once a month.
>
> 4 4 4 * * service dovecot restart
>
> However, it seems like checking the certs is something that dovecot should be 
> doing on its own.
>
> --
> This is my signature. There are many like it, but this one is mine.


Re: Dovecot and Letsencrypt certs

2017-09-08 Thread LuKreme
On Sep 8, 2017, at 07:56, Darac Marjal  wrote:
> #!/bin/bash
> 
> set -e
> set -u
> set -o pipefail
>
> if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
>     echo " + Hook: Restarting Dovecot..."
>     /usr/sbin/service dovecot restart
> fi
> 
> That means that dovecot will be restarted only if the certificate for the 
> mail server is being deployed. If dehydrated runs, but fails to renew the 
> certificate, then dovecot won't be restarted. Similarly, if it renews a 
> different certificate, dovecot won't be restarted.

That is a great solution, but I think it’s probably easier to just kick dovecot 
once a month.

4 4 4 * * service dovecot restart

However, it seems like checking the certs is something that dovecot should be 
doing on its own.

-- 
This is my signature. There are many like it, but this one is mine.

Re: Dovecot and Letsencrypt certs

2017-09-08 Thread Darac Marjal

On Fri, Sep 08, 2017 at 06:47:25AM -0600, @lbutlr wrote:

So this morning at 4am I was awoken to my mail clients getting certificate 
errors for an expired certificate.

I hopped on to the server and checked and… no, the LE certs renewed last month 
and are valid until November.

After some moments of confusion I noticed that dovecot had been running since 
before the renewal, so I did a quick service dovecot restart which fixed 
everything.

Should dovecot check for certs being refreshed? Or is this an artifact of my 
using symbolic links everywhere to point to the newest LE certs (which are 
themselves links the dehydrate script creates to point to the newest 
cert-1502534746.csr etc files)?


As you're using dehydrated, I can share what I do. My hook script 
basically calls "run-parts /etc/dehydrated/hooks.d/" so I can just drop 
hook scripts into that directory. Then in the hooks.d directory, I have 
the following:


#!/bin/bash

set -e
set -u
set -o pipefail

# dehydrated passes the hook name as $1 and, for deploy_cert, the domain as $2
if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
    echo " + Hook: Restarting Dovecot..."
    /usr/sbin/service dovecot restart
fi

That means that dovecot will be restarted only if the certificate for the 
mail server is being deployed. If dehydrated runs, but fails to renew 
the certificate, then dovecot won't be restarted. Similarly, if it 
renews a different certificate, dovecot won't be restarted.


Hope that helps.




Should I just create a monthly cron to restart dovecot or is there something 
else?

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


--
For more information, please reread.




Re: Dovecot and Letsencrypt certs

2017-09-08 Thread Eduardo M KALINOWSKI
On 08-09-2017 09:47, @lbutlr wrote:
> Should dovecot check for certs being refreshed? Or is this an artifact of my 
> using symbolic links everywhere to point to the newest LE certs (which are 
> themselves links the dehydrate script creates to point to the newest 
> cert-1502534746.csr etc files)?
>
> Should I just create a monthly cron to restart dovecot or is there something 
> else?
Dovecot needs a restart after the certificate is changed. certbot allows
you to define hooks to be run after a certificate is renewed, so you
could use that feature to restart dovecot after the renewal. Other
clients might have similar features.

-- 
While you recently had your problems on the run, they've regrouped and
are making another attack.

Eduardo M KALINOWSKI
edua...@kalinowski.com.br


Re: Dovecot and Letsencrypt certs

2017-09-08 Thread Вадим Бажов
Dovecot seems to load certificates into memory and doesn't refresh them
until a restart, or maybe a reload. And this is correct logic. You'd
better add a restart/reload task to the LE cron job after the successful
renewal of the LE certificate.
Check that it really works as it should.
Dovecot shouldn't be restarted/reloaded if the certificate wasn't changed.

2017-09-08 17:47 GMT+05:00 @lbutlr :
> So this morning at 4am I was awoken to my mail clients getting certificate 
> errors for an expired certificate.
>
> I hopped on to the server and checked and… no, the LE certs renewed last 
> month and are valid until November.
>
> After some moments of confusion I noticed that dovecot had been running since 
> before the renewal, so I did a quick service dovecot restart which fixed 
> everything.
>
> Should dovecot check for certs being refreshed? Or is this an artifact of my 
> using symbolic links everywhere to point to the newest LE certs (which are 
> themselves links the dehydrate script creates to point to the newest 
> cert-1502534746.csr etc files)?
>
> Should I just create a monthly cron to restart dovecot or is there something 
> else?
>
> --
> Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Dovecot and Letsencrypt certs

2017-09-08 Thread @lbutlr
So this morning at 4am I was awoken to my mail clients getting certificate 
errors for an expired certificate.

I hopped on to the server and checked and… no, the LE certs renewed last month 
and are valid until November.

After some moments of confusion I noticed that dovecot had been running since 
before the renewal, so I did a quick service dovecot restart which fixed 
everything.

Should dovecot check for certs being refreshed? Or is this an artifact of my 
using symbolic links everywhere to point to the newest LE certs (which are 
themselves links the dehydrate script creates to point to the newest 
cert-1502534746.csr etc files)?

Should I just create a monthly cron to restart dovecot or is there something 
else?

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: letsencrypt

2017-03-03 Thread Mark Constable

On 04/03/17 04:07, David Mehler wrote:

With the web it was easy just let apache serve the token that
letsencrypt needed and I got certificates. How do I do this with
regards email?


I know there have been some answers to this already but FWIW I use
dehydrated directly from Github and this script sets it up as well
as creates a pem version for mail hosts...

https://raw.githubusercontent.com/markc/sh/master/bin/newssl

Just change WPATH, VCONF and the nginx server snippet then reload
apache instead of nginx.

Then put a slightly modified version of this on a monthly cronjob...

https://raw.githubusercontent.com/markc/sh/master/bin/allssl


Re: letsencrypt

2017-03-03 Thread Joseph Tam



Thanks. Is there another way of doing this? I've got a web server
running on 80 and 443. Are there any other options?


I'm getting this list in digest mode, so it's possible by the time this
gets to you, I will have repeated someone else's suggestion.

In this situation, where your dovecot server lives on the same host as a
web server (webmail?), and this web server is already doing certificate
renewal, then just change the certificate to use the SNI extension and add
all TLS services that live on this host.  (This does not count as a cert
renewal, but a new cert).

(E.g. if you are using a certbot to get a certificate for
"webmail.mydomain", then add "pop3.mydomain", "imap.mydomain" and
"smtp.mydomain" to the certificate.)

Your web server will have to virtually host those domains for the purposes
of mapping the token pickup folder.  Then you can use the same certificate
for all TLS services hosted on that server.

Joseph Tam 
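
An added example (not from the thread) for the point above that the certificate has to carry every name the mail clients will connect to: the functions list the DNS names a PEM certificate is valid for and report which of the intended service names are missing, so the gap shows up before clients are pointed at a name the certificate does not cover. Wildcard entries are honoured for exactly one label, the way clients apply them. It assumes openssl(1); the certificate path given on the command line is a placeholder.

```bash
#!/bin/bash
# Added example (not from the thread): which DNS names does a PEM certificate cover,
# and does it cover each name the mail clients will connect to?  Assumes openssl(1);
# the certificate path given on the command line is a placeholder.
set -eu

# Print one DNS name per line from the subjectAltName extension. If the certificate
# has no SAN at all, fall back to the subject CN (legacy; many mail clients still
# accept it, browsers no longer do).
cert_dns_names() {
  text=$(openssl x509 -in "$1" -noout -text)
  sans=$(printf '%s\n' "$text" \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS://p')
  if [ -n "$sans" ]; then
    printf '%s\n' "$sans"
  else
    printf '%s\n' "$text" | sed -n 's|.*Subject:.*CN *= *\([^,/]*\).*|\1|p'
  fi
}

# 0 when host $2 is covered by certificate $1: an exact name, or a wildcard
# "*.parent" with parent exactly one label above the host (RFC 6125 style:
# "*.example.com" covers imap.example.com, not example.com or a.b.example.com).
cert_covers_host() {
  host=$2
  parent=${host#*.}
  names=$(cert_dns_names "$1")
  while IFS= read -r name; do
    if [ "$name" = "$host" ]; then return 0; fi
    if [ "$parent" != "$host" ] && [ "$name" = "*.$parent" ]; then return 0; fi
  done <<EOF
$names
EOF
  return 1
}

# Report each intended service name as ok/MISSING; return 1 if anything is missing.
check_mail_names() {
  cert=$1; shift
  rc=0
  for h in "$@"; do
    if cert_covers_host "$cert" "$h"; then
      echo "ok      $h"
    else
      echo "MISSING $h"
      rc=1
    fi
  done
  return $rc
}

# CLI use: check-cert-names.sh /path/to/fullchain.pem imap.example.com smtp.example.com
if [ $# -ge 2 ]; then
  check_mail_names "$@"
fi
```

Invoked as `./check-cert-names.sh /path/to/fullchain.pem imap.example.com pop3.example.com smtp.example.com` it prints one `ok`/`MISSING` line per name and exits non-zero when anything is missing. For a server that is already up, `openssl s_client -connect imap.example.com:993 -servername imap.example.com </dev/null | openssl x509 > presented.pem` captures the certificate actually presented on the IMAPS port, which can then be checked the same way; a name missing there is exactly what the clients complain about.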


Re: letsencrypt

2017-03-03 Thread Jeff Kletsky

You can either drop the authentication token into /.wellknown on your
running server, or take down the server for a minute to run certbot
every couple months.

I'm not a fan of symlinks out of config directories and certainly not
across chroot / jail boundaries so I manually copy the certs into
a subdirectory of the dovecot config directory.

Here's the segment from my local.conf file. The notes on permission
choices are mine and are stronger than many suggest.

---

# Preferred permissions: root:wheel 0444
ssl_cert = </fullchain.pem

# Preferred permissions: root:wheel 0400
ssl_key = </privkey.pem

---

FreeBSD uses a different directory structure than most Linux-based
systems, so the path to the dovecot config directory may be different
for you.

I didn't ever find any documentation of the 'var = 

Re: letsencrypt

2017-03-03 Thread Joseph Tam


David Mehler <dave.meh...@gmail.com> writes:


I'm wanting letsencrypt to take over as my CA, replacing existing self
signed certificates. I've got web working, a certificate for https
sites and one for webmail as they have different names. What I'm now
wanting to do is get letsencrypt going for my email setup, the smtp
handled by postfix, but mail, and imap I believe are handled by
dovecot.


SMTP is handled by postfix, imap/pop is handled by dovecot.


With the web it was easy just let apache serve the token that
letsencrypt needed and I got certificates. How do I do this with
regards email?


You can do the DNS challenge method if your server has the ability to
update DNS entries, or you can use certbot clients in standalone-mode
that will act as a simple web server just long enough to serve out the
token to complete the authentication.

Joseph Tam <jtam.h...@gmail.com>


Re: letsencrypt

2017-03-03 Thread dovecot

Hello,
Have you considered running getssl bash script?
It is well documented, self-updates automatically, supports https, 
imaps, pop3s, ... and can push validation tokens to your web server 
using rsync, ftp, ...

See https://github.com/srvrco/getssl/blob/master/README.md
Cheers

On 03/03/2017 08:22 PM, David Mehler wrote:

Hello,

Thanks. Is there another way of doing this? I've got a web server
running on 80 and 443. Are there any other options?

Thanks.
Dave.


On 3/3/17, Michael Neurohr <m...@michi.su> wrote:

On 2017-03-03 19:07, David Mehler wrote:

Hello,

I know some users here are using letsencrypt for their CA. If this is
too off topic write me privately.

I'm wanting letsencrypt to take over as my CA, replacing existing self
signed certificates. I've got web working, a certificate for https
sites and one for webmail as they have different names. What I'm now
wanting to do is get letsencrypt going for my email setup, the smtp
handled by postfix, but mail, and imap I believe are handled by
dovecot.

With the web it was easy: just let apache serve the token that
letsencrypt needed and I got certificates. How do I do this with
regard to email?

You can use certbot. It has a built in webserver. It allows you to
retrieve and renew the certificates automatically. I'm using it for
Dovecot and Postfix.

See https://certbot.eff.org/

I'm doing everything with the following command:

certbot/certbot-auto certonly --no-self-upgrade --standalone -n
--rsa-key-size 4096 -d domain1.example.com -d domain2.example.com
--pre-hook scripts/letsencrypt-pre-hook.sh --post-hook
scripts/letsencrypt-post-hook.sh

With the pre-hook and post-hook scripts I make sure to open and close
the firewall on port 443, and to reload Postfix and Dovecot in case a
certificate was updated.

You can find all information about the flags that I'm using at
https://certbot.eff.org/docs/using.html

Michael



Re: letsencrypt

2017-03-03 Thread mj

Yes:

I'm using the acme.sh client, and I can do:

> acme.sh --issue --standalone -d example.com --httpport 88

It does what you'd expect: it runs using a small webserver on port 88

I only just discovered that option myself :-)

MJ

On 03/03/2017 08:22 PM, David Mehler wrote:

Hello,

Thanks. Is there another way of doing this? I've got a web server
running on 80 and 443. Are there any other options?

Thanks.
Dave.


Re: letsencrypt

2017-03-03 Thread David Mehler
Hello,

Thanks. Is there another way of doing this? I've got a web server
running on 80 and 443. Are there any other options?

Thanks.
Dave.


On 3/3/17, Michael Neurohr <m...@michi.su> wrote:
> On 2017-03-03 19:07, David Mehler wrote:
>> Hello,
>>
>> I know some users here are using letsencrypt for their CA. If this is
>> to off topic write me privately.
>>
>> I'm wanting letsencrypt to take over as my CA, replacing existing self
>> signed certificates. I've got web working, a certificate for https
>> sites and one for webmail as they have different names. What I'm now
>> wanting to do is get letsencrypt going for my email setup, the smtp
>> handled by postfix, but mail, and imap I believe are handled by
>> dovecot.
>>
>> With the web it was easy: just let apache serve the token that
>> letsencrypt needed and I got certificates. How do I do this with
>> regard to email?
>
> You can use certbot. It has a built in webserver. It allows you to
> retrieve and renew the certificates automatically. I'm using it for
> Dovecot and Postfix.
>
> See https://certbot.eff.org/
>
> I'm doing everything with the following command:
>
> certbot/certbot-auto certonly --no-self-upgrade --standalone -n
> --rsa-key-size 4096 -d domain1.example.com -d domain2.example.com
> --pre-hook scripts/letsencrypt-pre-hook.sh --post-hook
> scripts/letsencrypt-post-hook.sh
>
> With the pre-hook and post-hook scripts I make sure to open and close
> the firewall on port 443, and to reload Postfix and Dovecot in case a
> certificate was updated.
>
> You can find all information about the flags that I'm using at
> https://certbot.eff.org/docs/using.html
>
> Michael
>


Re: letsencrypt

2017-03-03 Thread Michael Neurohr
On 2017-03-03 19:07, David Mehler wrote:
> Hello,
> 
> I know some users here are using letsencrypt for their CA. If this is
> to off topic write me privately.
> 
> I'm wanting letsencrypt to take over as my CA, replacing existing self
> signed certificates. I've got web working, a certificate for https
> sites and one for webmail as they have different names. What I'm now
> wanting to do is get letsencrypt going for my email setup, the smtp
> handled by postfix, but mail, and imap I believe are handled by
> dovecot.
> 
> With the web it was easy: just let apache serve the token that
> letsencrypt needed and I got certificates. How do I do this with
> regard to email?

You can use certbot. It has a built in webserver. It allows you to
retrieve and renew the certificates automatically. I'm using it for
Dovecot and Postfix.

See https://certbot.eff.org/

I'm doing everything with the following command:

certbot/certbot-auto certonly --no-self-upgrade --standalone -n
--rsa-key-size 4096 -d domain1.example.com -d domain2.example.com
--pre-hook scripts/letsencrypt-pre-hook.sh --post-hook
scripts/letsencrypt-post-hook.sh

With the pre-hook and post-hook scripts I make sure to open and close
the firewall on port 443, and to reload Postfix and Dovecot in case a
certificate was updated.

You can find all information about the flags that I'm using at
https://certbot.eff.org/docs/using.html

Michael
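
Michael's pre-hook and post-hook scripts are not on the page, so what follows is an added example, not his code, of what such a hook script can look like for certbot's standalone authenticator. Assumptions: iptables with the comment match, systemd units named postfix and dovecot, openssl, a state directory /var/lib/le-hooks, and an http-01 challenge on TCP/80 (the tls-sni-01 challenge on 443 that the 2017 command above relied on has since been retired by Let's Encrypt, so a current standalone run needs port 80 reachable). RENEWED_LINEAGE is the variable certbot exports to --deploy-hook; that hook, added to certbot after this thread, runs only when a certificate was actually issued, which is the "in case a certificate was updated" condition. The script additionally checks that privkey.pem and fullchain.pem belong together before reloading, so a broken lineage cannot take the mail services down.

```shell
#!/bin/sh
# Example hook script for certbot --standalone (added illustration, not the
# poster's own scripts). Assumed: iptables, systemd units "postfix" and
# "dovecot", openssl, state directory $STATE_DIR. RENEWED_LINEAGE is set by
# certbot for --deploy-hook and points at /etc/letsencrypt/live/<name>.
#
#   certbot certonly --standalone --preferred-challenges http -n \
#     -d mail.example.com -d imap.example.com \
#     --pre-hook    "/usr/local/sbin/le-hooks pre" \
#     --post-hook   "/usr/local/sbin/le-hooks post" \
#     --deploy-hook "/usr/local/sbin/le-hooks deploy"
set -eu

HTTP_PORT="${HTTP_PORT:-80}"
STATE_DIR="${STATE_DIR:-/var/lib/le-hooks}"
IPTABLES="${IPTABLES:-iptables}"

# Open the challenge port only while the ACME run is in progress (pre-hook)
# and remove exactly that rule afterwards (post-hook, which also runs when
# the attempt failed).
fw_open() {
  "$IPTABLES" -I INPUT -p tcp --dport "$HTTP_PORT" -m comment --comment acme-tmp -j ACCEPT
}
fw_close() {
  "$IPTABLES" -D INPUT -p tcp --dport "$HTTP_PORT" -m comment --comment acme-tmp -j ACCEPT
}

# Return 0 (and remember the new digest) if the certificate file differs from
# the one last deployed under this tag; return 1 if it is unchanged.
cert_changed() {
  cert="$1"; tag="$2"
  new=$(sha256sum "$cert" | cut -d' ' -f1)
  stamp="$STATE_DIR/$tag.sha256"
  old=$(cat "$stamp" 2>/dev/null || true)
  [ "$new" != "$old" ] || return 1
  mkdir -p "$STATE_DIR"
  printf '%s\n' "$new" > "$stamp"
}

# Refuse to deploy a key/certificate pair that does not belong together. Both
# commands emit the public key as PEM SubjectPublicKeyInfo; x509 reads only
# the first block of fullchain.pem, which is the leaf.
key_matches_cert() {
  cert="$1"; key="$2"
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

deploy() {
  lineage="${RENEWED_LINEAGE:?set by certbot for --deploy-hook}"
  if ! key_matches_cert "$lineage/fullchain.pem" "$lineage/privkey.pem"; then
    echo "le-hooks: key/cert mismatch in $lineage, not reloading" >&2
    exit 1
  fi
  if cert_changed "$lineage/fullchain.pem" "$(basename "$lineage")"; then
    systemctl reload postfix dovecot
  fi
}

case "${1:-}" in
  pre)    fw_open ;;
  post)   fw_close ;;
  deploy) deploy ;;
  "")     : ;;   # no verb: only define the functions (useful when sourcing)
  *)      echo "usage: $0 pre|post|deploy" >&2; exit 64 ;;
esac
```

Reloading rather than restarting keeps existing IMAP sessions alive; Dovecot and Postfix both pick up the new certificate on reload.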


Re: letsencrypt

2017-03-03 Thread KSB
You can also set up a web server to handle auth for a particular domain, or 
use certbot's standalone auth, but in that case port 80 or 443 must be 
free to allow certbot's temporary web server to run on that port.


--
KSB


On 2017.03.03. 20:08, Larry Rosenman wrote:

I have DNS setup as my auth, and use nsupdate to let it get the token.



On 3/3/17, 12:07 PM, "dovecot on behalf of David Mehler" 
<dovecot-boun...@dovecot.org on behalf of dave.meh...@gmail.com> wrote:

Hello,

I know some users here are using letsencrypt for their CA. If this is
to off topic write me privately.

I'm wanting letsencrypt to take over as my CA, replacing existing self
signed certificates. I've got web working, a certificate for https
sites and one for webmail as they have different names. What I'm now
wanting to do is get letsencrypt going for my email setup, the smtp
handled by postfix, but mail, and imap I believe are handled by
dovecot.

With the web it was easy: just let apache serve the token that
letsencrypt needed and I got certificates. How do I do this with
regard to email?

I hope that's clear.

Any help appreciated.

Thanks.
Dave.




Re: letsencrypt

2017-03-03 Thread David Mehler
Hello,

Thanks, should have mentioned dns tokens are not possible in my situation.

Thanks.
Dave.


On 3/3/17, Larry Rosenman <larry...@gmail.com> wrote:
> I have DNS setup as my auth, and use nsupdate to let it get the token.
>
>
>
> On 3/3/17, 12:07 PM, "dovecot on behalf of David Mehler"
> <dovecot-boun...@dovecot.org on behalf of dave.meh...@gmail.com> wrote:
>
> Hello,
>
> I know some users here are using letsencrypt for their CA. If this is
> to off topic write me privately.
>
> I'm wanting letsencrypt to take over as my CA, replacing existing self
> signed certificates. I've got web working, a certificate for https
> sites and one for webmail as they have different names. What I'm now
> wanting to do is get letsencrypt going for my email setup, the smtp
> handled by postfix, but mail, and imap I believe are handled by
> dovecot.
>
> With the web it was easy: just let apache serve the token that
> letsencrypt needed and I got certificates. How do I do this with
> regard to email?
>
> I hope that's clear.
>
> Any help appreciated.
>
> Thanks.
> Dave.
>
>
>
>


Re: letsencrypt

2017-03-03 Thread Larry Rosenman
I have DNS setup as my auth, and use nsupdate to let it get the token. 



On 3/3/17, 12:07 PM, "dovecot on behalf of David Mehler" 
<dovecot-boun...@dovecot.org on behalf of dave.meh...@gmail.com> wrote:

Hello,

I know some users here are using letsencrypt for their CA. If this is
to off topic write me privately.

I'm wanting letsencrypt to take over as my CA, replacing existing self
signed certificates. I've got web working, a certificate for https
sites and one for webmail as they have different names. What I'm now
wanting to do is get letsencrypt going for my email setup, the smtp
handled by postfix, but mail, and imap I believe are handled by
dovecot.

With the web it was easy: just let apache serve the token that
letsencrypt needed and I got certificates. How do I do this with
regard to email?

I hope that's clear.

Any help appreciated.

Thanks.
Dave.
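
Larry describes his nsupdate setup in one line; the following is an added example, not his script, of the shape it takes with certbot's manual authenticator. The auth hook adds the _acme-challenge TXT record through nsupdate and waits until the primary serves it before returning, because certbot asks the CA to validate as soon as the hook exits; the cleanup hook deletes the record again. CERTBOT_DOMAIN and CERTBOT_VALIDATION are certbot's real hook variables. The primary name server ns1.example.com, the TSIG key file /etc/letsencrypt/acme-tsig.key and the 60 s TTL are assumptions. On the server side, grant that TSIG key update rights on _acme-challenge names only (BIND's update-policy can express this), since a key that may update the whole zone is worth far more to an attacker than a certificate.

```shell
#!/bin/sh
# certbot dns-01 hooks driving a self-hosted DNS server with nsupdate (added
# example, not the poster's script). Assumed: primary at $NS_PRIMARY, TSIG key
# file $TSIG_KEY restricted to _acme-challenge names, dig and nsupdate present.
#
#   certbot certonly --manual --preferred-challenges dns -n \
#     --manual-auth-hook    "/usr/local/sbin/le-dns auth" \
#     --manual-cleanup-hook "/usr/local/sbin/le-dns cleanup" \
#     -d mail.example.com -d '*.example.com'
set -eu

NS_PRIMARY="${NS_PRIMARY:-ns1.example.com}"
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/acme-tsig.key}"
TTL=60

# Owner name of the challenge record. For "*.example.com" the record lives at
# _acme-challenge.example.com, so a leading "*." is dropped.
challenge_name() {
  printf '_acme-challenge.%s.' "${1#\*.}"
}

# Emit the nsupdate batch for adding or deleting one challenge TXT record.
# Free of side effects so it can be reviewed or tested without a zone.
nsupdate_batch() {
  op="$1"; name=$(challenge_name "$2"); value="$3"
  printf 'server %s\n' "$NS_PRIMARY"
  case "$op" in
    add) printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$value" ;;
    del) printf 'update delete %s IN TXT "%s"\n' "$name" "$value" ;;
    *)   echo "nsupdate_batch: bad op '$op'" >&2; return 64 ;;
  esac
  printf 'send\n'
}

# Poll the primary until it answers with the record. dig +short prints TXT
# data quoted, hence the literal quotes in the match.
wait_visible() {
  name=$(challenge_name "$1"); value="$2"; tries=30
  while [ "$tries" -gt 0 ]; do
    if dig +short TXT "$name" "@$NS_PRIMARY" | grep -qxF "\"$value\""; then
      return 0
    fi
    tries=$((tries - 1)); sleep 2
  done
  echo "le-dns: $name not visible on $NS_PRIMARY after 60 s" >&2
  return 1
}

case "${1:-}" in
  auth)
    nsupdate_batch add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
    wait_visible "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
  cleanup)
    nsupdate_batch del "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY" ;;
  "")  : ;;   # no verb: only define the functions
  *)   echo "usage: $0 auth|cleanup" >&2; exit 64 ;;
esac
```

When the CA validates through its own resolvers rather than the primary, the wait only proves the record exists on the master; with slow secondaries a NOTIFY/IXFR check or a longer delay may be needed.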



letsencrypt

2017-03-03 Thread David Mehler
Hello,

I know some users here are using letsencrypt for their CA. If this is
to off topic write me privately.

I'm wanting letsencrypt to take over as my CA, replacing existing self
signed certificates. I've got web working, a certificate for https
sites and one for webmail as they have different names. What I'm now
wanting to do is get letsencrypt going for my email setup, the smtp
handled by postfix, but mail, and imap I believe are handled by
dovecot.

With the web it was easy: just let apache serve the token that
letsencrypt needed and I got certificates. How do I do this with
regard to email?

I hope that's clear.

Any help appreciated.

Thanks.
Dave.


Re: a question about certificates from letsencrypt

2016-08-22 Thread Andrew McGlashan
Hi Andreas,

On 19/08/2016 10:11 PM, Andreas Meyer wrote:
> Hello!
> 
> Certificates from letsencrypt are renewed every three months.
> 
> Does that mean a MUA has to accept the renewed certificates manually
> every time it is renewed?

No, if the certificate is not a self-signed one, and if the MUA can
follow the normal CA path, then there is no need to "accept" certs (same
as in the browser).

Cheers
AndrewM





Re: a question about certificates from letsencrypt

2016-08-19 Thread Adrian Minta


On 08/19/2016 04:30 PM, Sven Strickroth wrote:

Am 19.08.2016 um 14:40 schrieb Adrian Minta:

The cert doesn't work with old clients.

What do you mean by old?

Ok, Windows XP clients might be problematic regarding SNI and used
ciphers, but starting with Vista all clients which use the Windows
CryptoAPI and Trust Store are working.

Take Mozilla: there it has been supported since Firefox 2.0 (I don't know
right now which the corresponding Thunderbird version is, but I expect
it to be supported since really early versions).

Java clients are problematic as you need the latest version.

Android works with >= 2.3.6 and iOS >= 3.1.

See
https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394?u=mrtux
for a fuller list and feel free to report more working or not working
clients, I'll add them there.

MTAs usually don't validate the certificates, so there should be no problem.



I did encounter some problems last year with Outlook on older Windows XP 
machines.

The problem seems to be discussed here:
https://community.letsencrypt.org/t/help-needed-windows-xp-support/8756
https://community.letsencrypt.org/t/upcoming-intermediate-changes/13106



--
Best regards,
Adrian Minta


Re: a question about certificates from letsencrypt

2016-08-19 Thread Sven Strickroth
Hi,

On 08/19/2016 03:11 PM, Andreas Meyer wrote:
> Certificates from letsencrypt are renewed every three months.

I've been using a Let's Encrypt certificate without problems for > 6 months
now (renewed three times) for web, SMTP and IMAP. As I'm also using DANE, I
wrote my own script to also update the TLSA records. I don't recommend
using the official CertBot client; use a different one (I use acmetiny; see
https://community.letsencrypt.org/t/list-of-client-implementations/2103?u=mrtux
for a list).

Am 19.08.2016 um 14:40 schrieb Adrian Minta:
> The cert doesn't work with old clients.

What do you mean by old?

Ok, Windows XP clients might be problematic regarding SNI and used
ciphers, but starting with Vista all clients which use the Windows
CryptoAPI and Trust Store are working.

Take Mozilla: there it has been supported since Firefox 2.0 (I don't know
right now which the corresponding Thunderbird version is, but I expect
it to be supported since really early versions).

Java clients are problematic as you need the latest version.

Android works with >= 2.3.6 and iOS >= 3.1.

See
https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394?u=mrtux
for a fuller list and feel free to report more working or not working
clients, I'll add them there.

MTAs usually don't validate the certificates, so there should be no problem.

-- 
Best regards,
 Sven Strickroth
 PGP key id F5A9D4C4 @ any key-server


Re: a question about certificates from letsencrypt

2016-08-19 Thread Ralph Seichter
On 19.08.2016 14:12, Aki Tuomi wrote:

> Depends how your MUA validates the certificate.
>
> If it just checks CA, then no. Also I don't think the private key
> changes, so it should not cause recheck either. Other checks, maybe.

Last time I checked, the LetsEncrypt client generated a fresh key pair
whenever the user requested a certificate to be renewed, unless the user
explicitly opted to use the existing keys (which required some extra
configuration). That should not matter much for Dovecot or other IMAP
servers, but it is very important for Mail Exchangers when using DANE.

-Ralph
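
Ralph's point about fresh key pairs is exactly what breaks DANE on renewal: a "3 1 1" TLSA record pins the certificate's SubjectPublicKeyInfo, so a new key needs a new record, published alongside the old one and left to age past the RRset's TTL before the new certificate goes live on the MX. The following is an added example, not Sven's TLSA script or anything from this thread, that computes the 3 1 1 digest for a certificate, builds the record for port 25, and checks what the zone currently serves before permitting deployment. It assumes openssl, dig, sha256sum, and that the MX host name is passed in by the caller; dig may print the hex field in space-separated groups, which the awk join tolerates. As Ralph says, none of this applies to Dovecot on its own, since MUAs validate against the Web PKI rather than DANE.

```shell
#!/bin/sh
# DANE helper for an MX (added example, not the posters' scripts).
# Assumed: openssl, dig, sha256sum; MX host name supplied by the caller.
set -eu

# SHA-256 over the certificate's SubjectPublicKeyInfo in DER, i.e. the
# "3 1 1" matching data. Only the leaf (first PEM block) of fullchain.pem
# is read by x509.
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | sha256sum | cut -d' ' -f1
}

# TLSA record for an MX host and port: usage 3 (DANE-EE), selector 1 (SPKI),
# matching type 1 (SHA-256).
tlsa_rr() {
  host="$1"; port="$2"; digest="$3"
  printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$port" "$host" "$digest"
}

# Extract the 3 1 1 digests from "dig +short TLSA" output (stdin). dig may
# split the hex into groups, so fields 4..NF are joined and case is folded.
published_311() {
  awk '$1 == 3 && $2 == 1 && $3 == 1 {
         s = ""; for (i = 4; i <= NF; i++) s = s $i; print tolower(s) }'
}

# 0 if the digest is among the published ones (one per line), else 1.
tlsa_covers() {
  printf '%s\n' "$1" | grep -qxF "$2"
}

# Gate for a deploy hook: let the new certificate onto port 25 only when a
# TLSA record for its key is already in DNS; otherwise print the record to add.
check_deploy() {
  host="$1"; cert="$2"
  new=$(spki_sha256 "$cert")
  current=$(dig +short TLSA "_25._tcp.$host" | published_311)
  if tlsa_covers "$current" "$new"; then
    echo "TLSA for $host already covers $new; safe to deploy"
  else
    echo "publish this first and wait out the TLSA TTL before deploying:" >&2
    tlsa_rr "$host" 25 "$new" >&2
    return 1
  fi
}
```

Running check_deploy from a deploy hook turns the rollover into a fail-closed step: the old certificate stays in service until DNS carries a record for the new key. certbot's --reuse-key keeps the key pair across renewals and so keeps a 3 1 1 record stable, at the price of never rotating the key.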


Re: a question about certificates from letsencrypt

2016-08-19 Thread Adrian Minta

The cert doesn't work with old clients.


On 08/19/2016 03:11 PM, Andreas Meyer wrote:

Hello!

Certificates from letsencrypt are renewed every three months.

Does that mean a MUA has to accept the renewed certificates manually
every time it is renewed?

Sorry if this is OT!

Greetings

  Andreas


--
Best regards,
Adrian Minta


Re: a question about certificates from letsencrypt

2016-08-19 Thread Aki Tuomi


On 19.08.2016 15:11, Andreas Meyer wrote:
> Hello!
>
> Certificates from letsencrypt are renewed every three months.
>
> Does that mean a MUA has to accept the renewed certificates manually
> every time it is renewed?
>
> Sorry if this is OT!
>
> Greetings
>
>  Andreas

Depends how your MUA validates the certificate.

If it just checks the CA, then no. Also, I don't think the private key
changes, so it should not cause a recheck either. Other checks, maybe.

Aki


a question about certificates from letsencrypt

2016-08-19 Thread Andreas Meyer
Hello!

Certificates from letsencrypt are renewed every three months.

Does that mean a MUA has to accept the renewed certificates manually
every time it is renewed?

Sorry if this is OT!

Greetings

 Andreas