similar to: is a self signed certificate always invalid the first time

On Sat, 19 Aug 2017 21:39:18 -0400 KT Walrus <kevin at my.walr.us> wrote: > > On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski <skraw at ithnet.com> > > wrote: > > > > On Fri, 18 Aug 2017 00:24:39 -0700 (PDT) > > Joseph Tam <jtam.home at gmail.com> wrote: > > > >> Michael Felt <michael at felt.demon.nl> writes: >

On Sun, 20 Aug 2017 12:29:49 -0400 KT Walrus <kevin at my.walr.us> wrote: > > On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski <skraw at ithnet.com> > > wrote: > > > > On Sat, 19 Aug 2017 21:39:18 -0400 > > KT Walrus <kevin at my.walr.us> wrote: > > > >>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski <skraw at

On Fri, 18 Aug 2017 00:24:39 -0700 (PDT) Joseph Tam <jtam.home at gmail.com> wrote: > Michael Felt <michael at felt.demon.nl> writes: > > >> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is > >> written in pure shell script, so no python dependencies. > >> https://github.com/Neilpang/acme.sh > > > > Thanks - I might

> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski <skraw at ithnet.com> wrote: > > On Fri, 18 Aug 2017 00:24:39 -0700 (PDT) > Joseph Tam <jtam.home at gmail.com> wrote: > >> Michael Felt <michael at felt.demon.nl> writes: >> >>>> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is >>>> written in pure

> On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski <skraw at ithnet.com> wrote: > > On Sat, 19 Aug 2017 21:39:18 -0400 > KT Walrus <kevin at my.walr.us> wrote: > >>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski <skraw at ithnet.com> >>> wrote: >>> >>> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT) >>> Joseph

> On Aug 20, 2017, at 1:32 PM, Stephan von Krawczynski <skraw at ithnet.com> wrote: > > On Sun, 20 Aug 2017 12:29:49 -0400 > KT Walrus <kevin at my.walr.us> wrote: > >>> On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski <skraw at ithnet.com> >>> wrote: >>> >>> On Sat, 19 Aug 2017 21:39:18 -0400 >>> KT Walrus

Michael Felt <michael at felt.demon.nl> writes: >> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is >> written in pure shell script, so no python dependencies. >> https://github.com/Neilpang/acme.sh > > Thanks - I might look at that, but as Ralph mentions in his reply - > Let's encrypt certs are only for three months - never ending circus.

On 8/11/2017 11:44 AM, Florian Beer wrote: > On 2017-08-11 11:36, Michael Felt wrote: >> I have looked at let's encrypt. Key issue for me is having to add a >> lot python stuff that would otherwise not be on any server. > > > I use acme.sh for all of my LetsEncrypt certs (web & mail), it is > written in pure shell script, so no python dependencies. >

Am Samstag, den 19.08.2017, 21:39 -0400 schrieb KT Walrus: > > I use DNS verification for LE certs. Much better since generating > certs only depends on access to DNS and not your HTTP servers. Cert > generation is automatic (on a cron job that runs every night looking > for certs that are within 30 days of expiration). Once set up, it is > pretty much automatic. I do use Docker

AV> So i?m using dovecot, and i created a self signed certificate AV> with mkcert.sh based on dovecot-openssl.cnf. The name in there matches my mail server. AV> The first time it connects in mac mail however, it says the AV> certificate is invalid and another server might pretend to be me etc. AV> I then have the option of trusting it. AV> Is this normal behaviour? Will it

On 09.08.2017 17:20, Alef Veld wrote: > So i?m using dovecot, and i created a self signed certificate with > mkcert.sh based on dovecot-openssl.cnf. The name in there matches my > mail server. > > The first time it connects in mac mail however, it says the certificate > is invalid and another server might pretend to be me etc. This is to be expected for self-signed

On 09.08.2017 17:49, Alef Veld wrote: > I think let?s encrypt uses certbot though and it can?t do email > certificates (although i?m sure i can convert the cert i get from > let?s encrypt, i?ll look into it. I'm not sure what you mean by "can?t do email certificates"? In any case, Let's Encrypt issues certificates that can be used by Dovecot for IMAP and simultaneously

On 09.08.2017 18:18, Alef Veld wrote: > Anyone know of any manual, or can I just replace the certs in the > dovecot and postfix locations with theirs? Do dovecot, postfix and > apache all support .pem format? Google "dovecot letsencrypt" is your friend. ;-) If you have questions about details, we can discuss them of course. Also, please limit your replies to my messages to the

Yes, yes, and yes. This is what I do for https://webmail.lerctr.org, imap.lerctr.org, smtp.lerctr.org, et al. -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 E-Mail: larryrtx at gmail.com US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106 On 8/9/17, 11:19 AM, "dovecot on behalf of Alef Veld" <dovecot-bounces at

On 10.08.2017 09:18, Stephan von Krawczynski wrote: > It would be far better to use a self-signed certificate that can be > checked through some instance/host set inside your domain. I have been running a CA for 15+ years, generating certificates only for servers I personally maintain. Since my business is too small to be able to afford all the steps required to have my CA trusted by

On 2017-08-11 11:36, Michael Felt wrote: > I have looked at let's encrypt. Key issue for me is having to add a > lot python stuff that would otherwise not be on any server. I use acme.sh for all of my LetsEncrypt certs (web & mail), it is written in pure shell script, so no python dependencies. https://github.com/Neilpang/acme.sh

On 11.08.2017 11:36, Michael Felt wrote: > This is what Ralph means when he says "have been running a CA for > 15+ years" - not that he is (though he could!) sell certificates > commercially - rather, he is using an initial certificate to sign > later certificates with. Actually, I do sell certificates to my customers. :-) In small numbers, and only for servers to which I

On Fri, August 18, 2017 5:02 pm, Michael Felt wrote: > On 8/11/2017 1:29 PM, Ralph Seichter wrote: >>> And, Ralph, I salute you. I have never been able to be disciplined >>> enough to be my own CA. >> I encourage you to look into the subject again. >> > I actually have been, which is why I could give a near sensible reply. > Thanks for the encouragement!

On 20.08.2017 19:50, KT Walrus wrote: > I use Cloudflare (free DNS) and DNS Made Easy (paid DNS). I would never > run my own DNS service except for communicating between my Docker > services internally I run my own nameservers for various reasons, not the least of them being DNSSEC. My zones' signing keys never leave my hands. > If you run your own public DNS service (for your

On 08/10/2017 04:41 PM, Frank-Ulrich Sommer wrote: > I can't see any security advantages of a self signed cert. I then you fail to understand the history, like when Microsoft's certs were undermined because the third party authentication agency gave the keys to 2 guys that knocked on the door and asked for them... -- So many immigrant groups have swept through our town that