Hello!

Certificates from letsencrypt are renewed every three months.

Does that mean a MUA has to accept the renewed certificates manually every time it is renewed?

Sorry if this is OT!

Greetings
Andreas
On 19.08.2016 15:11, Andreas Meyer wrote:
> Hello!
>
> Certificates from letsencrypt are renewed every three months.
>
> Does that mean a MUA has to accept the renewed certificates manually
> every time it is renewed?
>
> Sorry if this is OT!
>
> Greetings
>
> Andreas

Depends on how your MUA validates the certificate.

If it just checks the CA, then no. Also I don't think the private key changes, so it should not cause a recheck either. Other checks, maybe.

Aki
The cert doesn't work with old clients.

On 08/19/2016 03:11 PM, Andreas Meyer wrote:
> Hello!
>
> Certificates from letsencrypt are renewed every three months.
>
> Does that mean a MUA has to accept the renewed certificates manually
> every time it is renewed?
>
> Sorry if this is OT!
>
> Greetings
>
> Andreas

-- 
Best regards,
Adrian Minta
On 19.08.2016 14:12, Aki Tuomi wrote:
> Depends on how your MUA validates the certificate.
>
> If it just checks the CA, then no. Also I don't think the private key
> changes, so it should not cause a recheck either. Other checks, maybe.

Last time I checked, the LetsEncrypt client generated a fresh key pair whenever the user requested a certificate to be renewed, unless the user explicitly opted to use the existing keys (which required some extra configuration). That should not matter much for Dovecot or other IMAP servers, but it is very important for Mail Exchangers when using DANE.

-Ralph
Hi,

On 08/19/2016 03:11 PM, Andreas Meyer wrote:
> Certificates from letsencrypt are renewed every three months.

I'm using a Let's Encrypt certificate w/o problems for > 6 months now (three times renewed) for web, SMTP and IMAP. As I'm also using DANE, I wrote my own script for also updating the TLSA records. I don't recommend using the official CertBot client, but a different one (I use acmetiny; see https://community.letsencrypt.org/t/list-of-client-implementations/2103?u=mrtux for a list).

On 19.08.2016 at 14:40, Adrian Minta wrote:
> The cert doesn't work with old clients.

What do you mean by old? OK, Windows XP clients might be problematic regarding SNI and the ciphers used, but starting with Vista all clients which use the Windows CryptoAPI and trust store are working. Take Mozilla: there it is supported since Firefox 2.0 (I don't know right now which is the corresponding Thunderbird version, but I expect it to be supported since really early versions). Java clients are problematic as you need the latest version. Android works with >= 2.3.6 and iOS >= 3.1. See https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394?u=mrtux for a fuller list, and feel free to report more working or not working clients; I'll add them there.

MTAs usually don't validate the certificates, so there should be no problem.

-- 
Best regards,
Sven Strickroth
PGP key id F5A9D4C4 @ any key-server
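Ralph's point about a renewal that generates a fresh key pair, and Sven's mention of a script that updates TLSA records, both come down to one check an MX operator wants: does the renewed certificate still match the published DANE record? The following is an added example, not code from this thread, from Dovecot, or from any Let's Encrypt client. With a minimal pure-stdlib DER walker it pulls the subjectPublicKeyInfo out of a certificate, derives the TLSA "3 1 1" (DANE-EE, SPKI selector, SHA-256) record an MX would publish, and reports whether a renewed certificate invalidates that record. The certificate it runs on is a constructed, unsigned skeleton built inline so the example is self-contained; in a real deployment you would pass pem_to_der() the cert.pem your ACME client wrote, and the hostname mail.example.com and port 25 are assumptions.

```python
"""DANE TLSA 3 1 1 record from an X.509 certificate, plus a renewal check.

Standard library only: a minimal DER walker locates the certificate's
SubjectPublicKeyInfo (SPKI); SHA-256 over those bytes is the 3 1 1 rdata.
"""
import base64
import hashlib
import re


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos].

    Returns (tag, value_start, value_end); value_end is also the offset of
    the next element. Handles short and long-form lengths.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def spki_from_der(cert_der):
    """Return the raw DER bytes of the certificate's subjectPublicKeyInfo."""
    tag, pos, _ = _read_tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, pos)         # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                # optional EXPLICIT [0] version
        pos = end
    for _ in range(5):                             # serialNumber, signature,
        _, _, pos = _read_tlv(cert_der, pos)       # issuer, validity, subject
    tag, _, end = _read_tlv(cert_der, pos)         # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file (e.g. an ACME client's cert.pem)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(cert_der):
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def tlsa_3_1_1(cert_der):
    """TLSA rdata: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_from_der(cert_der)).hexdigest()


def tlsa_zone_line(host, port, cert_der, proto="tcp"):
    """Zone-file line for the service at host:port, e.g. an MX on port 25."""
    return "_%d._%s.%s. IN TLSA %s" % (port, proto, host, tlsa_3_1_1(cert_der))


def renewal_needs_tlsa_update(old_cert_der, new_cert_der):
    """True when the renewed certificate carries a different key pair, i.e. the
    published 3 1 1 record would no longer match."""
    return spki_from_der(old_cert_der) != spki_from_der(new_cert_der)


# --- constructed sample input: an unsigned certificate skeleton, not a real cert ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _seq(*parts):
    return _tlv(0x30, b"".join(parts))


_RSA_ENC = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))     # OID rsaEncryption
_SHA256_RSA = _tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # OID sha256WithRSAEncryption


def toy_spki(key_bytes):
    """SPKI skeleton: rsaEncryption AlgorithmIdentifier + BIT STRING; key_bytes stands in for a key."""
    return _seq(_seq(_RSA_ENC, _tlv(0x05, b"")), _tlv(0x03, b"\x00" + key_bytes))


def toy_cert(spki):
    """Certificate skeleton with the tbsCertificate layout the walker expects (dummy signature)."""
    tbs = _seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),                                  # [0] version v3
        _tlv(0x02, b"\x01"),                                              # serialNumber
        _seq(_SHA256_RSA),                                                # signature algorithm
        _seq(),                                                           # issuer (empty here)
        _seq(_tlv(0x17, b"160819000000Z"), _tlv(0x17, b"161117000000Z")),  # validity (UTCTime)
        _seq(),                                                           # subject (empty here)
        spki,
    )
    return _seq(tbs, _seq(_SHA256_RSA), _tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    old = toy_cert(toy_spki(b"\x01" * 32))
    renewed_same_key = toy_cert(toy_spki(b"\x01" * 32))   # renewal that reused the key pair
    renewed_new_key = toy_cert(toy_spki(b"\x02" * 32))    # renewal that generated a fresh key pair
    print(tlsa_zone_line("mail.example.com", 25, old))
    print("same key  -> TLSA update needed?", renewal_needs_tlsa_update(old, renewed_same_key))
    print("fresh key -> TLSA update needed?", renewal_needs_tlsa_update(old, renewed_new_key))
```

Because selector 1 hashes only the public key, a renewal that reuses the key pair leaves the record valid, while a fresh key pair invalidates it. The safe order for a key change is to publish the new 3 1 1 record next to the old one, wait at least the TLSA TTL so resolvers have picked it up, then install the new certificate, and only afterwards drop the old record. A 3 0 1 record (hash of the whole certificate) would have to change on every renewal, key reuse or not.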
Hi Andreas,

On 19/08/2016 10:11 PM, Andreas Meyer wrote:
> Hello!
>
> Certificates from letsencrypt are renewed every three months.
>
> Does that mean a MUA has to accept the renewed certificates manually
> every time it is renewed?

No, if the certificate is not a self-signed one, and if the MUA can follow the normal CA path, then there is no need to "accept" certs (same as in the browser).

Cheers
AndrewM