dovecot - Aug 2017 - is a self signed certificate always invalid the first time

> On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski <skraw at
ithnet.com> wrote:
> 
> On Sat, 19 Aug 2017 21:39:18 -0400
> KT Walrus <kevin at my.walr.us> wrote:
> 
>>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski <skraw at
ithnet.com>
>>> wrote:
>>> 
>>> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
>>> Joseph Tam <jtam.home at gmail.com> wrote:
>>> 
>>>> Michael Felt <michael at felt.demon.nl> writes:
>>>> 
>>>>>> I use acme.sh for all of my LetsEncrypt certs (web
& mail), it is
>>>>>> written in pure shell script, so no python
dependencies.
>>>>>> https://github.com/Neilpang/acme.sh    
>>>>> 
>>>>> Thanks - I might look at that, but as Ralph mentions in his
reply -
>>>>> Let's encrypt certs are only for three months - never
ending circus.
>>>> 
>>>> I wouldn't characterize it as a circus.  Once you bootstrap
your first
>>>> certificate and install the cert-renew cron script, it's
not something
>>>> you have to pay a lot of attention to.  I have a few LE certs
in use,
>>>> and I don't think about it anymore: it just works.
>>>> 
>>>> The shorter cert lifetime also helps limit damage if your
certificate
>>>> gets compromised.
>>>> 
>>>> Joseph Tam <jtam.home at gmail.com>  
>>> 
>>> Obviously you do not use clustered environments with more than one
node per
>>> service.
>>> Else you would not call it "it just works", because in
fact the renewal is
>>> quite big bs as one node must do the job while all the others must
be
>>> _offline_.
>>> 
>>> -- 
>>> Regards,
>>> Stephan  
>> 
>> I use DNS verification for LE certs. Much better since generating certs
only
>> depends on access to DNS and not your HTTP servers. Cert generation is
>> automatic (on a cron job that runs every night looking for certs that
are
>> within 30 days of expiration). Once set up, it is pretty much
automatic. I
>> do use Docker to deploy all services for my website which also makes
things
>> pretty easy to manage.
>> 
>> Kevin
>> 
> 
> DNS verification sounds nice only on first glimpse.
> If you have a lot of domains and ought to reload your DNS for every
> verification of every single domain that does not look like a method with a
> small footprint or particularly elegant.
I don?t understand what you are trying to say. I have over 170 domains that I
generate certs for automatically using the acme.sh script. It is all automatic
and requires no ?reload your DNS? by me. The script just updates the DNS with a
record that Let?s Encrypt checks before issuing the certificate. After Let?s
Encrypt verifies that you can update the DNS for your domain with the record,
the script removes the record.

This actually works much better than HTTP especially for domains like for email
servers that don?t have an HTTP server deployed for them.

Kevin

On Sun, 20 Aug 2017 12:29:49 -0400
KT Walrus <kevin at my.walr.us> wrote:
> > On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski <skraw at
ithnet.com>
> > wrote:
> > 
> > On Sat, 19 Aug 2017 21:39:18 -0400
> > KT Walrus <kevin at my.walr.us> wrote:
> >   
> >>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski <skraw
at ithnet.com>
> >>> wrote:
> >>> 
> >>> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
> >>> Joseph Tam <jtam.home at gmail.com> wrote:
> >>>   
> >>>> Michael Felt <michael at felt.demon.nl> writes:
> >>>>   
> >>>>>> I use acme.sh for all of my LetsEncrypt certs (web
& mail), it is
> >>>>>> written in pure shell script, so no python
dependencies.
> >>>>>> https://github.com/Neilpang/acme.sh      
> >>>>> 
> >>>>> Thanks - I might look at that, but as Ralph mentions
in his reply -
> >>>>> Let's encrypt certs are only for three months -
never ending
> >>>>> circus.      
> >>>> 
> >>>> I wouldn't characterize it as a circus.  Once you
bootstrap your first
> >>>> certificate and install the cert-renew cron script,
it's not something
> >>>> you have to pay a lot of attention to.  I have a few LE
certs in use,
> >>>> and I don't think about it anymore: it just works.
> >>>> 
> >>>> The shorter cert lifetime also helps limit damage if your
certificate
> >>>> gets compromised.
> >>>> 
> >>>> Joseph Tam <jtam.home at gmail.com>    
> >>> 
> >>> Obviously you do not use clustered environments with more than
one node
> >>> per service.
> >>> Else you would not call it "it just works", because
in fact the renewal
> >>> is quite big bs as one node must do the job while all the
others must be
> >>> _offline_.
> >>> 
> >>> -- 
> >>> Regards,
> >>> Stephan    
> >> 
> >> I use DNS verification for LE certs. Much better since generating
certs
> >> only depends on access to DNS and not your HTTP servers. Cert
generation
> >> is automatic (on a cron job that runs every night looking for
certs that
> >> are within 30 days of expiration). Once set up, it is pretty much
> >> automatic. I do use Docker to deploy all services for my website
which
> >> also makes things pretty easy to manage.
> >> 
> >> Kevin
> >>   
> > 
> > DNS verification sounds nice only on first glimpse.
> > If you have a lot of domains and ought to reload your DNS for every
> > verification of every single domain that does not look like a method
with a
> > small footprint or particularly elegant.  
> 
> I don?t understand what you are trying to say. I have over 170 domains that
> I generate certs for automatically using the acme.sh script. It is all
> automatic and requires no ?reload your DNS? by me. The script just updates
> the DNS with a record that Let?s Encrypt checks before issuing the
> certificate. After Let?s Encrypt verifies that you can update the DNS for
> your domain with the record, the script removes the record.
> 
> This actually works much better than HTTP especially for domains like for
> email servers that don?t have an HTTP server deployed for them.
> 
> Kevin
You can't update a record without reloading configs in bind. I guess you are
using some other DNS service...

-- 
Regards,
Stephan

On 8/20/17, 12:33 PM, "dovecot on behalf of Stephan von Krawczynski"
<dovecot-bounces at dovecot.org on behalf of skraw at ithnet.com> wrote:

    On Sun, 20 Aug 2017 12:29:49 -0400
    KT Walrus <kevin at my.walr.us> wrote:
    
    > > On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski <skraw at
ithnet.com>
    > > wrote:
    > > 
    > > On Sat, 19 Aug 2017 21:39:18 -0400
    > > KT Walrus <kevin at my.walr.us> wrote:
    > >   
    > >>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski
<skraw at ithnet.com>
    > >>> wrote:
    > >>> 
    > >>> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
    > >>> Joseph Tam <jtam.home at gmail.com> wrote:
    > >>>   
    > >>>> Michael Felt <michael at felt.demon.nl> writes:
    > >>>>   
    > >>>>>> I use acme.sh for all of my LetsEncrypt certs
(web & mail), it is
    > >>>>>> written in pure shell script, so no python
dependencies.
    > >>>>>> https://github.com/Neilpang/acme.sh      
    > >>>>> 
    > >>>>> Thanks - I might look at that, but as Ralph
mentions in his reply -
    > >>>>> Let's encrypt certs are only for three months
- never ending
    > >>>>> circus.      
    > >>>> 
    > >>>> I wouldn't characterize it as a circus.  Once you
bootstrap your first
    > >>>> certificate and install the cert-renew cron script,
it's not something
    > >>>> you have to pay a lot of attention to.  I have a few
LE certs in use,
    > >>>> and I don't think about it anymore: it just works.
    > >>>> 
    > >>>> The shorter cert lifetime also helps limit damage if
your certificate
    > >>>> gets compromised.
    > >>>> 
    > >>>> Joseph Tam <jtam.home at gmail.com>    
    > >>> 
    > >>> Obviously you do not use clustered environments with more
than one node
    > >>> per service.
    > >>> Else you would not call it "it just works",
because in fact the renewal
    > >>> is quite big bs as one node must do the job while all the
others must be
    > >>> _offline_.
    > >>> 
    > >>> -- 
    > >>> Regards,
    > >>> Stephan    
    > >> 
    > >> I use DNS verification for LE certs. Much better since
generating certs
    > >> only depends on access to DNS and not your HTTP servers. Cert
generation
    > >> is automatic (on a cron job that runs every night looking for
certs that
    > >> are within 30 days of expiration). Once set up, it is pretty
much
    > >> automatic. I do use Docker to deploy all services for my
website which
    > >> also makes things pretty easy to manage.
    > >> 
    > >> Kevin
    > >>   
    > > 
    > > DNS verification sounds nice only on first glimpse.
    > > If you have a lot of domains and ought to reload your DNS for
every
    > > verification of every single domain that does not look like a
method with a
    > > small footprint or particularly elegant.  
    > 
    > I don?t understand what you are trying to say. I have over 170 domains
that
    > I generate certs for automatically using the acme.sh script. It is all
    > automatic and requires no ?reload your DNS? by me. The script just
updates
    > the DNS with a record that Let?s Encrypt checks before issuing the
    > certificate. After Let?s Encrypt verifies that you can update the DNS
for
    > your domain with the record, the script removes the record.
    > 
    > This actually works much better than HTTP especially for domains like
for
    > email servers that don?t have an HTTP server deployed for them.
    > 
    > Kevin
    
    You can't update a record without reloading configs in bind. I guess you
are
    using some other DNS service...
    
    -- 
    Regards,
    Stephan
    
Dynamic DNS Updates do it on the fly.

This is how I have acme.sh setup to do it, and my DHCP, et al.

> On Aug 20, 2017, at 1:32 PM, Stephan von Krawczynski <skraw at
ithnet.com> wrote:
> 
> On Sun, 20 Aug 2017 12:29:49 -0400
> KT Walrus <kevin at my.walr.us> wrote:
> 
>>> On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski <skraw at
ithnet.com>
>>> wrote:
>>> 
>>> On Sat, 19 Aug 2017 21:39:18 -0400
>>> KT Walrus <kevin at my.walr.us> wrote:
>>> 
>>>>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski
<skraw at ithnet.com>
>>>>> wrote:
>>>>> 
>>>>> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
>>>>> Joseph Tam <jtam.home at gmail.com> wrote:
>>>>> 
>>>>>> Michael Felt <michael at felt.demon.nl> writes:
>>>>>> 
>>>>>>>> I use acme.sh for all of my LetsEncrypt certs
(web & mail), it is
>>>>>>>> written in pure shell script, so no python
dependencies.
>>>>>>>> https://github.com/Neilpang/acme.sh      
>>>>>>> 
>>>>>>> Thanks - I might look at that, but as Ralph
mentions in his reply -
>>>>>>> Let's encrypt certs are only for three months -
never ending
>>>>>>> circus.      
>>>>>> 
>>>>>> I wouldn't characterize it as a circus.  Once you
bootstrap your first
>>>>>> certificate and install the cert-renew cron script,
it's not something
>>>>>> you have to pay a lot of attention to.  I have a few LE
certs in use,
>>>>>> and I don't think about it anymore: it just works.
>>>>>> 
>>>>>> The shorter cert lifetime also helps limit damage if
your certificate
>>>>>> gets compromised.
>>>>>> 
>>>>>> Joseph Tam <jtam.home at gmail.com>    
>>>>> 
>>>>> Obviously you do not use clustered environments with more
than one node
>>>>> per service.
>>>>> Else you would not call it "it just works",
because in fact the renewal
>>>>> is quite big bs as one node must do the job while all the
others must be
>>>>> _offline_.
>>>>> 
>>>>> -- 
>>>>> Regards,
>>>>> Stephan    
>>>> 
>>>> I use DNS verification for LE certs. Much better since
generating certs
>>>> only depends on access to DNS and not your HTTP servers. Cert
generation
>>>> is automatic (on a cron job that runs every night looking for
certs that
>>>> are within 30 days of expiration). Once set up, it is pretty
much
>>>> automatic. I do use Docker to deploy all services for my
website which
>>>> also makes things pretty easy to manage.
>>>> 
>>>> Kevin
>>>> 
>>> 
>>> DNS verification sounds nice only on first glimpse.
>>> If you have a lot of domains and ought to reload your DNS for every
>>> verification of every single domain that does not look like a
method with a
>>> small footprint or particularly elegant.  
>> 
>> I don?t understand what you are trying to say. I have over 170 domains
that
>> I generate certs for automatically using the acme.sh script. It is all
>> automatic and requires no ?reload your DNS? by me. The script just
updates
>> the DNS with a record that Let?s Encrypt checks before issuing the
>> certificate. After Let?s Encrypt verifies that you can update the DNS
for
>> your domain with the record, the script removes the record.
>> 
>> This actually works much better than HTTP especially for domains like
for
>> email servers that don?t have an HTTP server deployed for them.
>> 
>> Kevin
> 
> You can't update a record without reloading configs in bind. I guess
you are
> using some other DNS service...
I use Cloudflare (free DNS) and DNS Made Easy (paid DNS). I would never run my
own DNS service except for communicating between my Docker services internally
(Docker has its own internal DNS for this and there are many pre-built docker
images to provide a public DNS service, if required). But, Let?s Encrypt
requires you update the public DNS used by the domains you are generating certs
for. If you run your own public DNS service (for your Dovecot domains), you
should pick one that has an API for updating the DNS records from a script like
acme.sh or simply write your own custom hook for acme.sh to use.

See this page for all the DNS services that acme.sh supports: 

https://github.com/Neilpang/acme.sh/tree/master/dnsapi
<https://github.com/Neilpang/acme.sh/tree/master/dnsapi>

Kevin