What is the best way to adopt multiple certs? Thanks.
On 2019-09-07 12:25, remo--- via dovecot wrote:
> What is the best way to adopt multiple certs?
>
> Thanks.

/etc/dovecot/conf.d/10-ssl.conf

Primary SSL certificate:

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
#ssl = yes
ssl = required

("yes" or "required" - I use required)

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
ssl_min_protocol = TLSv1

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/ssl/private/mail-domain-tld.crt
ssl_key = </etc/ssl/private/mail-domain-tld.key

Secondary SSL certificates (I add this at the bottom of the file):

local_name mail.domain2.tld {
  ssl_cert = </etc/ssl/private/mail-domain2-tld.crt
  ssl_key = </etc/ssl/private/mail-domain2-tld.key
}
Thanks Michael, I will check with the free Let's Encrypt cert to test it.

Remo

> On 7 Sep 2019, at 02:09, Michael Hallager via dovecot <dovecot at dovecot.org> wrote:
>
> On 2019-09-07 12:25, remo--- via dovecot wrote:
>> What is the best way to adopt multiple certs?
>> Thanks.
>
> /etc/dovecot/conf.d/10-ssl.conf
>
> Primary SSL certificate:
>
> # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
> #ssl = yes
> ssl = required
>
> ("yes" or "required" - I use required)
>
> # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
> # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
> ssl_min_protocol = TLSv1
>
> # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
> # dropping root privileges, so keep the key file unreadable by anyone but
> # root. Included doc/mkcert.sh can be used to easily generate self-signed
> # certificate, just make sure to update the domains in dovecot-openssl.cnf
> ssl_cert = </etc/ssl/private/mail-domain-tld.crt
> ssl_key = </etc/ssl/private/mail-domain-tld.key
>
> Secondary SSL certificates (I add this at the bottom of the file)
>
> local_name mail.domain2.tld {
>   ssl_cert = </etc/ssl/private/mail-domain2-tld.crt
>   ssl_key = </etc/ssl/private/mail-domain2-tld.key
> }
On Fri, 2019-09-06 at 17:25 -0700, remo--- via dovecot wrote:
> What is the best way to adopt multiple certs?

I have a setup that creates letsencrypt certs for each customer domain.
To automate this I have the following at the end of conf.d/10-ssl.conf

!include ssl.d/*.conf

This includes any .conf file under conf.d/ssl.d

Now it is a simple matter to add and remove certificates for each
domain as the letsencrypt job runs. Each config file looks like this

$ cat ssl.d/somedomain_co_za.conf
local_name imap.somedomain.co.za {
  ssl_cert = </etc/pki/tls/certs/somedomain_co_za+chain-crt.pem
  ssl_key = </etc/pki/tls/private/somedomain_co_za-key.pem
}

YMMV.

--
Greg
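As an added example (not code from the thread or from Dovecot itself), here is a small POSIX shell helper that writes one local_name block per domain into conf.d/ssl.d/, the layout Greg's `!include ssl.d/*.conf` picks up, and refuses to emit a block when the key file is readable by anyone but root, the caveat in the comment Michael quoted. The function names, the ssl.d path, the file-naming rule and the sample domain are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate Dovecot per-domain
# local_name blocks for conf.d/ssl.d/ (assumed paths and names).

# Print a local_name block for DOMAIN with CERT and KEY paths.
# Returns 1 and prints nothing if KEY is missing or readable by
# non-root users: Dovecot opens the key as root before dropping
# privileges, so the key file should stay mode 0600 or 0400.
gen_ssl_conf() {
    domain=$1; cert=$2; key=$3
    [ -f "$key" ] || { echo "gen_ssl_conf: missing key $key" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case $mode in
        600|400) ;;
        *) echo "gen_ssl_conf: $key is mode $mode, want 0600/0400" >&2; return 1 ;;
    esac
    printf 'local_name %s {\n  ssl_cert = <%s\n  ssl_key = <%s\n}\n' \
        "$domain" "$cert" "$key"
}

# Derive the ssl.d file name from the domain (imap.example.org ->
# imap_example_org.conf, an assumed convention) and write the block
# atomically so a half-written file is never picked up by !include.
install_ssl_conf() {
    ssl_d=$1; domain=$2; cert=$3; key=$4
    file="$ssl_d/$(printf '%s' "$domain" | tr '.' '_').conf"
    gen_ssl_conf "$domain" "$cert" "$key" > "$file.tmp" \
        || { rm -f "$file.tmp"; return 1; }
    mv "$file.tmp" "$file" && printf '%s\n' "$file"
}

# Example call with constructed paths; after it, "doveconf -n" shows the
# new local_name block and "doveadm reload" makes Dovecot read it.
# install_ssl_conf /etc/dovecot/conf.d/ssl.d imap.example.org \
#     /etc/pki/tls/certs/example_org+chain-crt.pem \
#     /etc/pki/tls/private/example_org-key.pem
```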
Hi,

Is this for all Dovecot versions?

On 10.09.2019 08:05, Greg Wildman via dovecot wrote:
> On Fri, 2019-09-06 at 17:25 -0700, remo--- via dovecot wrote:
>> What is the best way to adopt multiple certs?
> I have a setup that creates letsencrypt certs for each customer domain.
> To automate this I have the following at the end of conf.d/10-ssl.conf
>
> !include ssl.d/*.conf
>
> This includes any .conf file under conf.d/ssl.d
>
> Now it is a simple matter to add and remove certificates for each
> domain as the letsencrypt job runs. Each config file looks like this
>
> $ cat ssl.d/somedomain_co_za.conf
> local_name imap.somedomain.co.za {
>   ssl_cert = </etc/pki/tls/certs/somedomain_co_za+chain-crt.pem
>   ssl_key = </etc/pki/tls/private/somedomain_co_za-key.pem
> }
>
> YMMV.

--
Maciej Miłaszewski
Senior System Administrator
IQ PL Sp. z o.o.