Hello,

I know some users here are using letsencrypt for their CA. If this is too off topic write me privately.

I'm wanting letsencrypt to take over as my CA, replacing existing self-signed certificates. I've got web working, a certificate for https sites and one for webmail as they have different names. What I'm now wanting to do is get letsencrypt going for my email setup, the smtp handled by postfix, but mail, and imap I believe are handled by dovecot.

With the web it was easy, just let apache serve the token that letsencrypt needed and I got certificates. How do I do this with regards email?

I hope that's clear.

Any help appreciated.

Thanks.
Dave.
I have DNS setup as my auth, and use nsupdate to let it get the token.

On 3/3/17, 12:07 PM, "dovecot on behalf of David Mehler" <dovecot-bounces at dovecot.org on behalf of dave.mehler at gmail.com> wrote:

> Hello,
>
> I know some users here are using letsencrypt for their CA. If this is
> too off topic write me privately.
>
> I'm wanting letsencrypt to take over as my CA, replacing existing
> self-signed certificates. I've got web working, a certificate for https
> sites and one for webmail as they have different names. What I'm now
> wanting to do is get letsencrypt going for my email setup, the smtp
> handled by postfix, but mail, and imap I believe are handled by
> dovecot.
>
> With the web it was easy, just let apache serve the token that
> letsencrypt needed and I got certificates. How do I do this with
> regards email?
>
> I hope that's clear.
>
> Any help appreciated.
>
> Thanks.
> Dave.
Hello,

Thanks, should have mentioned DNS tokens are not possible in my situation.

Thanks.
Dave.

On 3/3/17, Larry Rosenman <larryrtx at gmail.com> wrote:

> I have DNS setup as my auth, and use nsupdate to let it get the token.
>
> On 3/3/17, 12:07 PM, "dovecot on behalf of David Mehler"
> <dovecot-bounces at dovecot.org on behalf of dave.mehler at gmail.com> wrote:
>
>> Hello,
>>
>> I know some users here are using letsencrypt for their CA. If this is
>> too off topic write me privately.
>>
>> I'm wanting letsencrypt to take over as my CA, replacing existing
>> self-signed certificates. I've got web working, a certificate for https
>> sites and one for webmail as they have different names. What I'm now
>> wanting to do is get letsencrypt going for my email setup, the smtp
>> handled by postfix, but mail, and imap I believe are handled by
>> dovecot.
>>
>> With the web it was easy, just let apache serve the token that
>> letsencrypt needed and I got certificates. How do I do this with
>> regards email?
>>
>> I hope that's clear.
>>
>> Any help appreciated.
>>
>> Thanks.
>> Dave.
You can also set up the web server to handle auth for a particular domain, or use certbot's standalone auth, but in that case port 80 or 443 must be free to allow certbot's temporary web server to run on that port.

--
KSB

On 2017.03.03. 20:08, Larry Rosenman wrote:

> I have DNS setup as my auth, and use nsupdate to let it get the token.
>
> On 3/3/17, 12:07 PM, "dovecot on behalf of David Mehler"
> <dovecot-bounces at dovecot.org on behalf of dave.mehler at gmail.com> wrote:
>
>> Hello,
>>
>> I know some users here are using letsencrypt for their CA. If this is
>> too off topic write me privately.
>>
>> I'm wanting letsencrypt to take over as my CA, replacing existing
>> self-signed certificates. I've got web working, a certificate for https
>> sites and one for webmail as they have different names. What I'm now
>> wanting to do is get letsencrypt going for my email setup, the smtp
>> handled by postfix, but mail, and imap I believe are handled by
>> dovecot.
>>
>> With the web it was easy, just let apache serve the token that
>> letsencrypt needed and I got certificates. How do I do this with
>> regards email?
>>
>> I hope that's clear.
>>
>> Any help appreciated.
>>
>> Thanks.
>> Dave.
On 2017-03-03 19:07, David Mehler wrote:

> Hello,
>
> I know some users here are using letsencrypt for their CA. If this is
> too off topic write me privately.
>
> I'm wanting letsencrypt to take over as my CA, replacing existing
> self-signed certificates. I've got web working, a certificate for https
> sites and one for webmail as they have different names. What I'm now
> wanting to do is get letsencrypt going for my email setup, the smtp
> handled by postfix, but mail, and imap I believe are handled by
> dovecot.
>
> With the web it was easy, just let apache serve the token that
> letsencrypt needed and I got certificates. How do I do this with
> regards email?

You can use certbot. It has a built-in webserver. It allows you to retrieve and renew the certificates automatically. I'm using it for Dovecot and Postfix.

See https://certbot.eff.org/

I'm doing everything with the following command:

    certbot/certbot-auto certonly --no-self-upgrade --standalone -n \
        --rsa-key-size 4096 -d domain1.example.com -d domain2.example.com \
        --pre-hook scripts/letsencrypt-pre-hook.sh \
        --post-hook scripts/letsencrypt-post-hook.sh

With the pre-hook and post-hook scripts I make sure to open and close the firewall on port 443, and to reload Postfix and Dovecot in case a certificate was updated.

You can find all information about the flags that I'm using at https://certbot.eff.org/docs/using.html

Michael
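Putting KSB's suggestion (let the existing web server answer the challenge) and Michael's hook-based reload together, here is an added example that is not code from the thread or from certbot/Postfix/Dovecot: one POSIX sh script that prints the certbot webroot command for the mail host names and, when certbot runs it as a deploy hook after a successful issue or renewal, checks that the new certificate and key match and reloads Postfix and Dovecot. The webroot path, the host names and the hook location are assumptions; certbot's `--webroot`, `-w`, `-d`, `-n`, `--agree-tos` and `--deploy-hook` flags and the `RENEWED_DOMAINS`/`RENEWED_LINEAGE` variables it exports to deploy hooks are real.

```shell
#!/bin/sh
# Added example, not code from the thread. Issue a Let's Encrypt certificate
# for the mail host names with certbot's webroot authenticator, so the Apache
# already listening on 80/443 serves the ACME token and no port has to be
# freed, then reload Postfix and Dovecot from a certbot deploy hook.
# Paths and host names below are assumptions / constructed values.

WEBROOT=/var/www/html                                      # assumed Apache DocumentRoot
MAIL_DOMAINS="mail.example.com imap.example.com"           # constructed mail host names
HOOK=/etc/letsencrypt/renewal-hooks/deploy/reload-mail.sh  # where this script is assumed to live

# Print the certbot command line. The deploy hook runs only after a
# certificate was actually issued or renewed, not on every certbot run,
# so the mail daemons are not reloaded needlessly.
build_certbot_cmd() {
  cmd="certbot certonly --webroot -w $WEBROOT -n --agree-tos"
  for d in $MAIL_DOMAINS; do
    cmd="$cmd -d $d"
  done
  echo "$cmd --deploy-hook $HOOK"
}

# certbot exports RENEWED_DOMAINS (space separated) and RENEWED_LINEAGE to
# deploy hooks. Reload the mail daemons only when one of the renewed names is
# a mail name, so a renewal of a web-only certificate leaves them alone.
needs_mail_reload() {
  for d in $1; do
    for m in $MAIL_DOMAINS; do
      [ "$d" = "$m" ] && return 0
    done
  done
  return 1
}

# Refuse to reload on a mismatched pair: compare the public key inside the
# certificate with the one derived from the private key (both via openssl).
cert_matches_key() {
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Reload Postfix and Dovecot so they pick up the files certbot wrote under
# the lineage directory (fullchain.pem / privkey.pem are certbot's names).
reload_mail_services() {
  lineage="$1"
  if ! cert_matches_key "$lineage/fullchain.pem" "$lineage/privkey.pem"; then
    echo "certificate and key in $lineage do not match, not reloading" >&2
    return 1
  fi
  postfix reload
  doveadm reload
}

# Run as a deploy hook when certbot calls us, otherwise just show the command.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
  if needs_mail_reload "$RENEWED_DOMAINS"; then
    reload_mail_services "$RENEWED_LINEAGE"
  fi
else
  build_certbot_cmd
fi
```

Two things have to be true for the webroot mode to work: each mail host name must resolve to the machine running Apache, and the vhost for that name must serve `/.well-known/acme-challenge/` out of `WEBROOT` over plain HTTP. Once the certificate exists, point Postfix at it with `smtpd_tls_cert_file`/`smtpd_tls_key_file` in `main.cf` and Dovecot with `ssl_cert = <.../fullchain.pem` and `ssl_key = <.../privkey.pem` (the leading `<` tells Dovecot to read the file); the hook then keeps both daemons current across renewals without opening or closing any firewall port.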
Hello,

Thanks. Is there another way of doing this? I've got a web server running on 80 and 443. Are there any other options?

Thanks.
Dave.

On 3/3/17, Michael Neurohr <mine at michi.su> wrote:

> On 2017-03-03 19:07, David Mehler wrote:
>
>> Hello,
>>
>> I know some users here are using letsencrypt for their CA. If this is
>> too off topic write me privately.
>>
>> I'm wanting letsencrypt to take over as my CA, replacing existing
>> self-signed certificates. I've got web working, a certificate for https
>> sites and one for webmail as they have different names. What I'm now
>> wanting to do is get letsencrypt going for my email setup, the smtp
>> handled by postfix, but mail, and imap I believe are handled by
>> dovecot.
>>
>> With the web it was easy, just let apache serve the token that
>> letsencrypt needed and I got certificates. How do I do this with
>> regards email?
>
> You can use certbot. It has a built-in webserver. It allows you to
> retrieve and renew the certificates automatically. I'm using it for
> Dovecot and Postfix.
>
> See https://certbot.eff.org/
>
> I'm doing everything with the following command:
>
>     certbot/certbot-auto certonly --no-self-upgrade --standalone -n \
>         --rsa-key-size 4096 -d domain1.example.com -d domain2.example.com \
>         --pre-hook scripts/letsencrypt-pre-hook.sh \
>         --post-hook scripts/letsencrypt-post-hook.sh
>
> With the pre-hook and post-hook scripts I make sure to open and close
> the firewall on port 443, and to reload Postfix and Dovecot in case a
> certificate was updated.
>
> You can find all information about the flags that I'm using at
> https://certbot.eff.org/docs/using.html
>
> Michael
On 04/03/17 04:07, David Mehler wrote:

> With the web it was easy, just let apache serve the token that
> letsencrypt needed and I got certificates. How do I do this with
> regards email?

I know there have been some answers to this already but FWIW I use dehydrated directly from Github, and this script sets it up as well as creates a pem version for mail hosts...

https://raw.githubusercontent.com/markc/sh/master/bin/newssl

Just change WPATH, VCONF and the nginx server snippet, then reload apache instead of nginx. Then put a slightly modified version of this on a monthly cronjob...

https://raw.githubusercontent.com/markc/sh/master/bin/allssl