I have gone down a similar path. Certbot uses the Lets Encrypt service to
manage the needed keys. I have found that using the following Bash tool to
manage the creation and validation of the needed certs works great.


We deploy Dovecot to AWS, as such we use userdata scripts to execute the above
mentioned tool....

    pushd /opt/  
    sudo git clone https://github.com/Neilpang/acme.sh.git  
    pushd acme.sh  
    sudo --preserve-env ./acme.sh --install --accountemail 
domains@<your-domain>.com --certhome /opt/letsencrypt  
    export AWS_ACCESS_KEY_ID=${LetsEncryptAccessKey}  
    export AWS_SECRET_ACCESS_KEY=${LetsEncryptSecretKey}  
    sudo --preserve-env ./acme.sh --issue \  
    --dns dns_aws \  
    --dnssleep 60 \  
    --staging \  
    -d mail.yourdomain.com

The above commands perform the following...

\- clone the tool

\- setup the tool

\- export API keys (hard to work around this with IAM only applied to the EC2

\- run the tool using the Lets Encrypt staging endpoints. This is important
since Lets Encrypt rate limits their production APIs, and since we deploy to
AWS often, we potentially request many certs.

\- the "--dns dns_aws" flag tells the tool to use DNS records to perform the
validation of ownership requests from Let Encrypt. TXT records are added, then
removed to the Hosted Zone of mail.yourdomain.com.

Upon successful execution of the tool both the ".csr", ".key" and fullchain
keys are available for use within Dovecot.

Note: These keys are only valid ~3 months, so this process does need to be
maintained. The author of the tool has included a CRON to aid in this.

Hopefully this help others.

On Feb 22 2018, at 10:58 am, Poliman - Serwis <ser...@poliman.pl> wrote:  

> Could you write step by step how you reach the goal?  




> 2018-02-22 15:55 GMT+01:00 Gabriel Kaufmann


>> I've tried to create an certbot SAN-Cert with multiple domain-names and
this worked like a charm using one cert for all! Thanks!



>>     Best regards

>>     Gabriel Kaufmann




> _Pozdrawiam / Best Regards  


> _Piotr Bracha_  

Reply via email to