dovecot - Aug 2017 - is a self signed certificate always invalid the first time

> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski <skraw at
ithnet.com> wrote:
> 
> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
> Joseph Tam <jtam.home at gmail.com> wrote:
> 
>> Michael Felt <michael at felt.demon.nl> writes:
>> 
>>>> I use acme.sh for all of my LetsEncrypt certs (web & mail),
it is
>>>> written in pure shell script, so no python dependencies.
>>>> https://github.com/Neilpang/acme.sh  
>>> 
>>> Thanks - I might look at that, but as Ralph mentions in his reply -
>>> Let's encrypt certs are only for three months - never ending
circus.
>> 
>> I wouldn't characterize it as a circus.  Once you bootstrap your
first
>> certificate and install the cert-renew cron script, it's not
something
>> you have to pay a lot of attention to.  I have a few LE certs in use,
>> and I don't think about it anymore: it just works.
>> 
>> The shorter cert lifetime also helps limit damage if your certificate
>> gets compromised.
>> 
>> Joseph Tam <jtam.home at gmail.com>
> 
> Obviously you do not use clustered environments with more than one node per
> service.
> Else you would not call it "it just works", because in fact the
renewal is
> quite big bs as one node must do the job while all the others must be
> _offline_.
> 
> -- 
> Regards,
> Stephan
I use DNS verification for LE certs. Much better since generating certs only
depends on access to DNS and not your HTTP servers. Cert generation is automatic
(on a cron job that runs every night looking for certs that are within 30 days
of expiration). Once set up, it is pretty much automatic. I do use Docker to
deploy all services for my website which also makes things pretty easy to
manage.

Kevin

On 08/19/2017 09:39 PM, KT Walrus wrote:
> I use DNS verification for LE certs.

what is that?


-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013

Am Samstag, den 19.08.2017, 21:39 -0400 schrieb KT
Walrus:
> 
> I use DNS verification for LE certs. Much better since generating
> certs only depends on access to DNS and not your HTTP servers. Cert
> generation is automatic (on a cron job that runs every night looking
> for certs that are within 30 days of expiration). Once set up, it is
> pretty much automatic. I do use Docker to deploy all services for my
> website which also makes things pretty easy to manage.
> 
> Kevin
Hi Kevin,

what software do you use for DNS based verification? I read with the
official certbot from LE it's not possible to do this fully automated.
Currently I use the http based method, but would like to switch to DNS
based.

Greetings
Felix

Hi Felix,

I use getssl, which is a bash script, for LE certs.  For certs on one server I
use http, for the other DNS.

The DNS method depends on your DNS provider.  Many providers have an API for
updating DNS. getssl provides scripts for a small number of popular providers.
Acme.sh provides a greater range of DNS provider APIs.

I added my own linode dns scripts in preference to those provided by getssl. 
Linode?s 15 minute DNS update delay has to be accounted for.

--
Peter West
pbw at pbw.id.au
?My soul magnifies the Lord??
> On 20 Aug 2017, at 5:20 pm, Felix Zielcke <fzielcke at z-51.de>
wrote:
> 
> Am Samstag, den 19.08.2017, 21:39 -0400 schrieb KT Walrus:
>> 
>> I use DNS verification for LE certs. Much better since generating
>> certs only depends on access to DNS and not your HTTP servers. Cert
>> generation is automatic (on a cron job that runs every night looking
>> for certs that are within 30 days of expiration). Once set up, it is
>> pretty much automatic. I do use Docker to deploy all services for my
>> website which also makes things pretty easy to manage.
>> 
>> Kevin
> 
> Hi Kevin,
> 
> what software do you use for DNS based verification? I read with the
> official certbot from LE it's not possible to do this fully automated.
> Currently I use the http based method, but would like to switch to DNS
> based.
> 
> Greetings
> Felix


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 235 bytes
Desc: Message signed with OpenPGP
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20170820/641c72e2/attachment.sig>

> On Aug 20, 2017, at 3:20 AM, Felix Zielcke <fzielcke at z-51.de>
wrote:
> 
> Am Samstag, den 19.08.2017, 21:39 -0400 schrieb KT Walrus:
>> 
>> I use DNS verification for LE certs. Much better since generating
>> certs only depends on access to DNS and not your HTTP servers. Cert
>> generation is automatic (on a cron job that runs every night looking
>> for certs that are within 30 days of expiration). Once set up, it is
>> pretty much automatic. I do use Docker to deploy all services for my
>> website which also makes things pretty easy to manage.
>> 
>> Kevin
> 
> Hi Kevin,
> 
> what software do you use for DNS based verification? I read with the
> official certbot from LE it's not possible to do this fully automated.
> Currently I use the http based method, but would like to switch to DNS
> based.
> 
> Greetings
> Felix
I use the acme.sh script: https://github.com/Neilpang/acme.sh
<https://github.com/Neilpang/acme.sh>

The author supports running this script automatically with the docker image
neilpang/acme.sh.

Kevin

On Sat, 19 Aug 2017 21:39:18 -0400
KT Walrus <kevin at my.walr.us> wrote:
> > On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski <skraw at
ithnet.com>
> > wrote:
> > 
> > On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
> > Joseph Tam <jtam.home at gmail.com> wrote:
> >   
> >> Michael Felt <michael at felt.demon.nl> writes:
> >>   
> >>>> I use acme.sh for all of my LetsEncrypt certs (web &
mail), it is
> >>>> written in pure shell script, so no python dependencies.
> >>>> https://github.com/Neilpang/acme.sh    
> >>> 
> >>> Thanks - I might look at that, but as Ralph mentions in his
reply -
> >>> Let's encrypt certs are only for three months - never
ending circus.
> >> 
> >> I wouldn't characterize it as a circus.  Once you bootstrap
your first
> >> certificate and install the cert-renew cron script, it's not
something
> >> you have to pay a lot of attention to.  I have a few LE certs in
use,
> >> and I don't think about it anymore: it just works.
> >> 
> >> The shorter cert lifetime also helps limit damage if your
certificate
> >> gets compromised.
> >> 
> >> Joseph Tam <jtam.home at gmail.com>  
> > 
> > Obviously you do not use clustered environments with more than one
node per
> > service.
> > Else you would not call it "it just works", because in fact
the renewal is
> > quite big bs as one node must do the job while all the others must be
> > _offline_.
> > 
> > -- 
> > Regards,
> > Stephan  
> 
> I use DNS verification for LE certs. Much better since generating certs
only
> depends on access to DNS and not your HTTP servers. Cert generation is
> automatic (on a cron job that runs every night looking for certs that are
> within 30 days of expiration). Once set up, it is pretty much automatic. I
> do use Docker to deploy all services for my website which also makes things
> pretty easy to manage.
> 
> Kevin
> 
DNS verification sounds nice only on first glimpse.
If you have a lot of domains and ought to reload your DNS for every
verification of every single domain that does not look like a method with a
small footprint or particularly elegant.

-- 
Regards,
Stephan

> On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski <skraw at
ithnet.com> wrote:
> 
> On Sat, 19 Aug 2017 21:39:18 -0400
> KT Walrus <kevin at my.walr.us> wrote:
> 
>>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski <skraw at
ithnet.com>
>>> wrote:
>>> 
>>> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
>>> Joseph Tam <jtam.home at gmail.com> wrote:
>>> 
>>>> Michael Felt <michael at felt.demon.nl> writes:
>>>> 
>>>>>> I use acme.sh for all of my LetsEncrypt certs (web
& mail), it is
>>>>>> written in pure shell script, so no python
dependencies.
>>>>>> https://github.com/Neilpang/acme.sh    
>>>>> 
>>>>> Thanks - I might look at that, but as Ralph mentions in his
reply -
>>>>> Let's encrypt certs are only for three months - never
ending circus.
>>>> 
>>>> I wouldn't characterize it as a circus.  Once you bootstrap
your first
>>>> certificate and install the cert-renew cron script, it's
not something
>>>> you have to pay a lot of attention to.  I have a few LE certs
in use,
>>>> and I don't think about it anymore: it just works.
>>>> 
>>>> The shorter cert lifetime also helps limit damage if your
certificate
>>>> gets compromised.
>>>> 
>>>> Joseph Tam <jtam.home at gmail.com>  
>>> 
>>> Obviously you do not use clustered environments with more than one
node per
>>> service.
>>> Else you would not call it "it just works", because in
fact the renewal is
>>> quite big bs as one node must do the job while all the others must
be
>>> _offline_.
>>> 
>>> -- 
>>> Regards,
>>> Stephan  
>> 
>> I use DNS verification for LE certs. Much better since generating certs
only
>> depends on access to DNS and not your HTTP servers. Cert generation is
>> automatic (on a cron job that runs every night looking for certs that
are
>> within 30 days of expiration). Once set up, it is pretty much
automatic. I
>> do use Docker to deploy all services for my website which also makes
things
>> pretty easy to manage.
>> 
>> Kevin
>> 
> 
> DNS verification sounds nice only on first glimpse.
> If you have a lot of domains and ought to reload your DNS for every
> verification of every single domain that does not look like a method with a
> small footprint or particularly elegant.
I don?t understand what you are trying to say. I have over 170 domains that I
generate certs for automatically using the acme.sh script. It is all automatic
and requires no ?reload your DNS? by me. The script just updates the DNS with a
record that Let?s Encrypt checks before issuing the certificate. After Let?s
Encrypt verifies that you can update the DNS for your domain with the record,
the script removes the record.

This actually works much better than HTTP especially for domains like for email
servers that don?t have an HTTP server deployed for them.

Kevin