I am getting myself confused, and need someone who fully understands this process to help me out a bit.

I would like to obtain an SSL certificate, so I can run my own IMAP server on a machine in my office.

My domain is hosted by networksolutions, but I don't run my IMAP server there.

I am assuming I'll need to pay a CA to generate what I need, but I'm confused about what I need. I am running Dovecot at the moment, but my clients (iPhone, Windows laptops) say my SSL connection is not trusted. The phone just won't connect.

I tried emailing the dovecot.pem file to my phone and installing it, but it just says it is not trusted.

This leads me to obtaining a real CA-issued certificate. I'm not sure what to do with it once I get one, and whether I need to subsequently regenerate my dovecot.pem file?

Thanks,
-chuck
--
On 31 Aug 2018 at 19:47, Chuck Campbell <campbell at accelinc.com> wrote:

> I am getting myself confused, and need someone who fully understands this process to help me out a bit.
>
> I would like to obtain an SSL certificate, so I can run my own IMAP server on a machine in my office.
>
> My domain is hosted by networksolutions, but I don't run my IMAP server there.
>
> I am assuming I'll need to pay a CA to generate what I need, but I'm confused about what I need. I am running Dovecot at the moment, but my clients (iPhone, Windows laptops) say my SSL connection is not trusted. The phone just won't connect.
>
> I tried emailing the dovecot.pem file to my phone and installing it, but it just says it is not trusted.
>
> This leads me to obtaining a real CA-issued certificate. I'm not sure what to do with it once I get one, and whether I need to subsequently regenerate my dovecot.pem file?

Nope, you don't have to pay for a certificate at one of the traditional CAs; you can use Let's Encrypt to have free but fully valid certificates for your server.

See https://letsencrypt.org/ for more information. I can recommend https://github.com/xenolf/lego for use on your server, but there are many different LE clients out there.

If your phone does not already trust Let's Encrypt's CAs, you should be able to install their certificates to get it working. I suggest you start by getting a cert onto your server and take it from there though.

Regards,
Leo
Leo,

>> I would like to obtain an SSL certificate, so I can run my own IMAP server on a machine in my office.

>> I am assuming I'll need to pay a CA to generate what I need, but
>> I'm confused about what I need. I am running Dovecot at the moment,
>> but my clients (iPhone, Windows laptops) say my SSL connection is
>> not trusted. The phone just won't connect.

> Nope, you don't have to pay for a certificate at one of the
> traditional CAs, you can use Let's Encrypt to have free but fully
> valid certificates for your server.

> See https://letsencrypt.org/ for more information. I can recommend
> https://github.com/xenolf/lego for use on your server, but there are
> many different LE clients out there.

Certbot works only with ports 80 or 443? Can lego work with IMAP ports like 143 or 993? The documentation is not very clear.

Best regards
---
Michael Schumacher
On 08/31/2018 01:47 PM, Chuck Campbell wrote:

> I am getting myself confused, and need someone who fully understands
> this process to help me out a bit.
>
> I would like to obtain an SSL certificate, so I can run my own IMAP
> server on a machine in my office.
>
> My domain is hosted by networksolutions, but I don't run my IMAP
> server there.
>
> I am assuming I'll need to pay a CA to generate what I need, but I'm
> confused about what I need. I am running Dovecot at the moment, but my
> clients (iPhone, Windows laptops) say my SSL connection is not
> trusted. The phone just won't connect.
>
> I tried emailing the dovecot.pem file to my phone and installing it,
> but it just says it is not trusted.
>
> This leads me to obtaining a real CA-issued certificate. I'm not sure
> what to do with it once I get one, and whether I need to subsequently
> regenerate my dovecot.pem file?

Many large companies run their own CA and install their own root certificate. Often installing a root cert is easier than installing a self-signed independent cert. There is much written about building your own CA and a number of tools for that like OpenCA. I can't speak for all your devices or apps, but there should be ways....

In personal promotion, I have been doing my own CA work for ECDSA certs and now for EdDSA certs (and I wonder what commercial CAs are providing them). See my Internet draft: draft-moskowitz-ecdsa-pki

And my GitHub for pending updates to this and the new eddsa-pki draft (to be published after OpenSSL 1.1.1 is released).

https://github.com/rgmhtt/draft-moskowitz-ecdsa-pki
https://github.com/rgmhtt/draft-moskowitz-eddsa-pki

Or go to OpenCA or look at other CA toolkits available on CentOS and Fedora.

Letsencrypt is a very important development, but it has (IMHO) a shaking foundation. I would not build a production system around it. But then I have lived in aspects of PKI since '95...
On Fri, Aug 31, 2018 at 05:30:53PM -0400, Robert Moskowitz wrote:

> Letsencrypt is a very important development, but it has (IMHO) a shaking
> foundation. I would not build a production system around it. But then I
> have lived in aspects of PKI since '95...

I presume you meant "shaky foundation"? If so, would you care to elaborate?

John
--
Many people, especially ignorant people, want to punish you for speaking the truth, for being correct, for being you. Never apologize for being correct, or for being years ahead of your time. If you're right and you know it, speak your mind even if you are a minority of one. The truth is still the truth. -- Mohandas Gandhi
I use something like this script to renew my SMTP and IMAP certificates (/etc/cron.weekly/certbot-renew):

#!/bin/sh
hostcert=/etc/letsencrypt/live/mail.example.com
# Remember where the live cert symlink points before the renewal attempt
certlink="$(readlink "${hostcert}/cert.pem")"
test -x /usr/bin/certbot || exit 72
certbot certonly --quiet --standalone --keep-until-expiring \
    -d mail.example.com \
    -d imap.example.com \
    --email postmaster@example.com \
    --agree-tos --expand
# Exit if the cert hasn't been updated
test "${certlink}" = "$(readlink "${hostcert}/cert.pem")" && exit
# Courier reads the certificate chain and the key from one PEM file
cat ${hostcert}/fullchain.pem ${hostcert}/privkey.pem > /usr/lib/courier/share/esmtpd.pem
cat ${hostcert}/fullchain.pem ${hostcert}/privkey.pem > /usr/lib/courier/share/imapd.pem
systemctl restart courier
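As an added example that is not part of the thread, the same renew-then-redeploy logic as shell functions, with the Let's Encrypt directory tree constructed under a temp directory so it runs without certbot: the live/ symlink target is compared with the one last deployed, and the combined fullchain + privkey file is created under umask 077, because a bare `cat a b > file` inherits cron's umask and can leave the private key readable by other users. The host name, file paths and PEM contents are placeholders.

```shell
#!/bin/sh
# Constructed test bed: build archive/<name>/<file><N>.pem and repoint the
# live/<name>/<file>.pem symlinks the way certbot does after a renewal. The
# file contents are placeholders, not certificate material.
make_letsencrypt_tree() {  # $1=root  $2=host name  $3=version number
    archive="$1/archive/$2"; live="$1/live/$2"
    mkdir -p "$archive" "$live"
    for base in cert fullchain privkey; do
        printf '%s\n' "-----CONSTRUCTED $base v$3-----" > "$archive/$base$3.pem"
        ln -sf "../../archive/$2/$base$3.pem" "$live/$base.pem"
    done
}

# Write fullchain + privkey to $2 and return 0 only when live/cert.pem has been
# repointed since the last run; $3 remembers the last deployed target and plays
# the role of $certlink in the script above. Returns 1 when nothing changed, so
# the caller can skip the daemon restart.
deploy_if_renewed() {  # $1=live dir  $2=combined pem path  $3=state file
    current="$(readlink "$1/cert.pem")"
    previous="$(cat "$3" 2>/dev/null || true)"
    [ "$current" != "$previous" ] || return 1
    # The combined file carries the private key: a plain `cat a b > file`
    # inherits cron's umask, so force 077 for the creation and fix up an
    # existing, more permissive file with chmod.
    ( umask 077; cat "$1/fullchain.pem" "$1/privkey.pem" > "$2" )
    chmod 600 "$2"
    printf '%s' "$current" > "$3"
}

# First run deploys, a rerun without renewal is a no-op, a renewal deploys again.
demo() {
    root="$(mktemp -d)"; live="$root/live/mail.example.com"
    pem="$root/dovecot.pem"; state="$root/.last-cert"
    make_letsencrypt_tree "$root" mail.example.com 1
    r1=0; deploy_if_renewed "$live" "$pem" "$state" && r1=1
    r2=0; deploy_if_renewed "$live" "$pem" "$state" && r2=1
    make_letsencrypt_tree "$root" mail.example.com 2   # simulate a certbot renewal
    r3=0; deploy_if_renewed "$live" "$pem" "$state" && r3=1
    mode=other; [ -n "$(find "$pem" -perm 600)" ] && mode=600
    newkey=no; grep -q 'privkey v2' "$pem" && newkey=yes
    echo "$r1 $r2 $r3 $mode $newkey"
}
```

Dovecot 2.x does not need the combined file at all: `ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem` and `ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem` read certbot's files directly, leaving only the reload after a renewal.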