Re: [CentOS] Certificates

2018-09-01 Thread Gordon Messmer
I use something like this script to renew my SMTP and IMAP certificates (/etc/cron.weekly/certbot-renew):

#!/bin/sh
hostcert=/etc/letsencrypt/live/mail.example.com
certlink="$(readlink "${hostcert}/cert.pem")"
test -x /usr/bin/certbot || exit 72
certbot certonly --quiet --standalone
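A fuller renewal job in the spirit of the cron script quoted above, added here as an example and not Gordon Messmer's own script. It uses the same change detector (the target of the live cert.pem symlink, which certbot repoints at a new archive/ file on every issuance) to reload the mail daemons only when a new certificate actually arrived, and it also answers Leon Fauster's question further down the thread by comparing the public keys of the old and new certificate. Assumptions, all mine: certbot's live/archive layout, port 80 free for the standalone HTTP-01 challenge, and systemd units named dovecot and postfix.

```shell
#!/bin/sh
# Added example, not the poster's script: weekly certbot renewal for a mail
# host that reloads the MTA/IMAP daemons only when a new certificate
# appeared, and logs whether the key pair changed with it.
# Assumptions: certbot's live/archive layout (live/<name>/cert.pem is a
# symlink into archive/), port 80 is free for the standalone challenge,
# and the daemons are the systemd units "dovecot" and "postfix".

hostcert="${HOSTCERT:-/etc/letsencrypt/live/mail.example.com}"

# Symlink target of the live certificate, or empty if there is none.
# certbot repoints cert.pem at archive/<name>/certN.pem on every issuance,
# so the target is a cheap change detector.
cert_target() {
    readlink "$1/cert.pem" 2>/dev/null || true
}

# True when the target moved, i.e. certbot wrote a new certificate.
cert_changed() {
    [ "$1" != "$2" ]
}

# Turn a symlink target read from $1/cert.pem into a usable path: certbot
# writes relative targets (../../archive/...), but accept absolute ones too.
resolve_target() {
    case "$2" in
        /*) echo "$2" ;;
        *)  echo "$1/$2" ;;
    esac
}

# True when two certificate files carry different public keys, which means
# the renewal came with a fresh private key as well.
pubkey_changed() {
    old=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    new=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

renew_and_reload() {
    before=$(cert_target "$hostcert")
    # --standalone binds port 80 itself for the HTTP-01 challenge; --quiet
    # stays silent unless something fails, which suits a cron job.
    certbot certonly --quiet --standalone -d "$(basename "$hostcert")" || return 1
    after=$(cert_target "$hostcert")
    if cert_changed "$before" "$after"; then
        if [ -n "$before" ] && pubkey_changed \
            "$(resolve_target "$hostcert" "$before")" \
            "$(resolve_target "$hostcert" "$after")"; then
            logger -t certbot-renew "new certificate and new key pair for $hostcert"
        else
            logger -t certbot-renew "new certificate for $hostcert"
        fi
        systemctl reload dovecot postfix
    fi
}

# Run the job only when installed under its cron name, so the file can be
# sourced elsewhere for its helper functions without touching certbot.
case "${0##*/}" in
    certbot-renew)
        test -x /usr/bin/certbot || exit 72
        renew_and_reload
        ;;
esac
```

The reload-on-change logic matters because a reload that never happens leaves dovecot and postfix serving the old certificate until it expires; the same effect can be had with `certbot renew --deploy-hook`, which certbot runs only for lineages it actually renewed.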

Re: [CentOS] Certificates

2018-09-01 Thread Matthias Bethke via CentOS
On September 2, 2018 1:12:58 AM GMT+07:00, Rainer Duffner : >I’m pretty sure LE creates a new private key, too. >From a cursory glance at lego’s certificate directory on a server with >a couple of dozens of LE certificates at least. > >After all, changing the private key is what this is all

Re: [CentOS] Certificates

2018-09-01 Thread Warren Young
On Sep 1, 2018, at 12:10 PM, Rainer Duffner wrote: > >> On 01.09.2018 at 12:51, Pete Biggs wrote: >> >> That was until LetsEncrypt comes along - it has the backing of some big >> names and *IS* an effective business model for small and private >> customers. > > What *is* the business model

Re: [CentOS] Certificates

2018-09-01 Thread Walter H.
On 01.09.2018 20:12, Rainer Duffner wrote: On 01.09.2018 at 18:00, Leon Fauster via CentOS wrote: Out of curiosity - do you change also the private key every time? when renewing a certificate the private key should also be changed; otherwise the renewal because of short validity period

Re: [CentOS] Certificates

2018-09-01 Thread Alexander Dalloz
On 01.09.2018 at 20:27, Valeri Galtsev wrote: I just checked on my box and confirm that yes, with every renewal of certificate new key is created. I should realize that fact even before looking, as it is asymmetric encryption pair, thus the new pair cert+key is generated (and the cert

Re: [CentOS] Certificates

2018-09-01 Thread Valeri Galtsev
On 9/1/18 1:12 PM, Rainer Duffner wrote: On 01.09.2018 at 18:00, Leon Fauster via CentOS wrote: Out of curiosity - do you change also the private key every time? I’m pretty sure LE creates a new private key, too. I just checked on my box and confirm that yes, with every renewal of

Re: [CentOS] Certificates

2018-09-01 Thread Rainer Duffner
> On 01.09.2018 at 18:00, Leon Fauster via CentOS wrote: > > Out of curiosity - do you change also the private key every time? I’m pretty sure LE creates a new private key, too. From a cursory glance at lego’s certificate directory on a server with a couple of dozens of LE certificates

Re: [CentOS] Certificates

2018-09-01 Thread Rainer Duffner
> On 01.09.2018 at 12:51, Pete Biggs wrote: > > That was until LetsEncrypt comes along - it has the backing of some big > names and *IS* an effective business model for small and private > customers. What *is* the business model of Let’s Encrypt? Are they going to issue „Pro“ certificates

Re: [CentOS] Certificates

2018-09-01 Thread Leon Fauster via CentOS
On 01.09.2018 at 02:06, Warren Young wrote: > > I’ve been running some of my domains on Let’s Encrypt for years now, and have > never had a single user complain to me that my certs are changing too often. Out of curiosity - do you change also the private key every time? -- LF

Re: [CentOS] Certificates

2018-09-01 Thread Pete Biggs
> > And for other services like IMAP, SMTP, LDAP (maybe not LDAP) constant > changing certs even with a long lived root may get old for your customers. Why? I have corporate systems on 2 year commercial CA signed certificates and personal servers on 90 day LetsEncrypt ones - my users of IMAP

Re: [CentOS] Certificates

2018-09-01 Thread Pete Biggs
> > Your IMAP server can use those files and may then respond to > requests for IMAP over SSL/TLS on e.g. port 993. Port 143 is for > unencrypted IMAP, so in that case certificates are not relevant at > all. Well, apart from STARTTLS ... P.

Re: [CentOS] Certificates

2018-09-01 Thread Pete Biggs
> > so - if you want to get certificates for an imap only server, you will > have to setup an webserver for the challenge. or deal with your dns server. > Having just setup up some LetsEncrypt certificates on a CentOS server: Certbot automates the process - if you have a webserver running, it

Re: [CentOS] Certificates

2018-09-01 Thread Walter H.
On 31.08.2018 21:31, Michael Schumacher wrote: certbot works only with ports 80 or 443? Can lego work with IMAP ports like 143 or 993? The documentation is not very clear. in case of other than Webserver you use ACME-DNS just for a simple ACME client that is capable of ACME-DNS use

Re: [CentOS] Certificates

2018-08-31 Thread Warren Young
On Aug 31, 2018, at 4:42 PM, Robert Moskowitz wrote: > > [Let’s Encrypt] is designed for getting web servers quickly into TLS Yes. > ...and then to a more stable provider. [citation wanted] > If your content is short information, your contacts will never notice that > you go to a new cert

Re: [CentOS] Certificates

2018-08-31 Thread Leo R. Lundgren
On 1 Sep 2018 at 00:42, Robert Moskowitz wrote: > On 08/31/2018 05:54 PM, John R. Dennison wrote: >> On Fri, Aug 31, 2018 at 05:30:53PM -0400, Robert Moskowitz wrote: >>> Letsencrypt is a very important development, but it has (IMHO) a shaking >>> foundation. I would not build a production system

Re: [CentOS] Certificates

2018-08-31 Thread Robert Moskowitz
On 08/31/2018 05:54 PM, John R. Dennison wrote: On Fri, Aug 31, 2018 at 05:30:53PM -0400, Robert Moskowitz wrote: Letsencrypt is a very important development, but it has (IMHO) a shaking foundation. I would not build a production system around it. But then I have lived in aspects of PKI

Re: [CentOS] Certificates

2018-08-31 Thread John R. Dennison
On Fri, Aug 31, 2018 at 05:30:53PM -0400, Robert Moskowitz wrote: > > Letsencrypt is a very important development, but it has (IMHO) a shaking > foundation. I would not build a production system around it. But then I > have lived in aspects of PKI since '95... I presume you meant "shaky

Re: [CentOS] Certificates

2018-08-31 Thread Robert Moskowitz
On 08/31/2018 01:47 PM, Chuck Campbell wrote: I am getting myself confused, and need someone who fully understands this process to help me out a bit. I would like to obtain an ssl certificate, so I can run my own imap server on a machine in my office. My domain is hosted by

Re: [CentOS] Certificates

2018-08-31 Thread John Plemons
Letsencrypt.org has one other thing you should know about, not a biggie, the certificate is only good for 90 days at a time. Then you need to renew. But they thought about that too, you can automate the renewal, so that each time the certificate expires a new one is generated and installed.

Re: [CentOS] Certificates

2018-08-31 Thread Robert Heller
At Fri, 31 Aug 2018 21:38:13 +0200 CentOS mailing list wrote: > > On 31.08.2018 21:31, Michael Schumacher wrote: > > > certbot works only with ports 80 or 443? Can lego work with IMAP > > ports like 143 or 993? The documentation is not very clear. > > basically - independent of the

Re: [CentOS] Certificates

2018-08-31 Thread Leo R. Lundgren
On 31 Aug 2018 at 21:38, Ulf Volmer wrote: > On 31.08.2018 21:31, Michael Schumacher wrote: > >> certbot works only with ports 80 or 443? Can lego work with IMAP >> ports like 143 or 993? The documentation is not very clear. > > basically - independent of the client - letsencrypt will only

Re: [CentOS] Certificates

2018-08-31 Thread Leo R. Lundgren
On 31 Aug 2018 at 21:31, Michael Schumacher wrote: > Leo, > >>> I would like to obtain an ssl certificate, so I can run my own imap server >>> on a machine in my office. >>> I am assuming I'll need to pay a CA to generate what I need, but >>> I'm confused about what I need. I am running dovecot

Re: [CentOS] Certificates

2018-08-31 Thread Ulf Volmer
On 31.08.2018 21:31, Michael Schumacher wrote: > certbot works only with ports 80 or 443? Can lego work with IMAP > ports like 143 or 993? The documentation is not very clear. basically - independent of the client - letsencrypt will only support http/https or dns based challenges. so - if

Re: [CentOS] Certificates

2018-08-31 Thread Michael Schumacher
Leo, >> I would like to obtain an ssl certificate, so I can run my own imap server >> on a machine in my office. >> I am assuming I'll need to pay a CA to generate what I need, but >> I'm confused about what I need. I am running dovecot at the moment, >> but my clients (iphone, windows laptops)

Re: [CentOS] Certificates

2018-08-31 Thread Leo R. Lundgren
On 31 Aug 2018 at 19:47, Chuck Campbell wrote: > I am getting myself confused, and need someone who fully understands this > process to help me out a bit. > > I would like to obtain an ssl certificate, so I can run my own imap server on > a machine in my office. > > My domain is hosted by

Re: [CentOS] Certificates Revocation Lists and Apache...

2009-11-04 Thread nate
John Doe wrote: [warn] Invalid signature on CRL [error] Certificate Verification: Error (8): CRL signature failure Any relation to this? https://issues.apache.org/bugzilla/show_bug.cgi?id=45708 I've worked with a lot of ssl stuff in apache but have never touched CRL before. Interestingly

Re: [CentOS] Certificates Revocation Lists and Apache...

2009-11-04 Thread John Doe
From: nate cen...@linuxpowered.net Any relation to this? https://issues.apache.org/bugzilla/show_bug.cgi?id=45708 I don't think so; my tests are quite simple:
- Start from clean state (
- Generate CA certificate
- Generate CASSL certificate signed by CA
- Generate Client Certificate
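A scripted version of the test sequence John Doe describes, added here as an example rather than his own setup: a throwaway CA issues a client certificate, revokes it and publishes a CRL, and the openssl command line checks two things Apache's mod_ssl would otherwise be the first to complain about. The first is whether the CRL verifies under the CA certificate it is supposed to come from; OpenSSL verify error 8, "CRL signature failure", is exactly the case where it does not, so checking the two files with `openssl crl -CAfile` before they reach SSLCARevocationFile separates a wrong or regenerated CA from a genuine Apache problem. The second is the client certificate's revocation status against that CRL. Everything is built under a temporary directory created by the caller; the names (Demo CA, alice) and the config layout are mine.

```shell
#!/bin/sh
# Added example, not the poster's own test setup: minimal CA, client cert,
# revocation, CRL, then openssl-only verification of the CRL signature and
# of the client's revocation status. Names and config are made up for the
# demonstration; the caller supplies an empty working directory.

OPENSSL=${OPENSSL:-openssl}

# Write a minimal config for `openssl ca` into $1 and create the CA key and
# self-signed certificate there. keyCertSign and cRLSign are required,
# since openssl verify rejects a CRL from an issuer lacking cRLSign.
setup_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# Key + CSR for a client named $2, signed by the CA in $1 with client_ext.
issue_client() {
    "$OPENSSL" req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1/ca.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1 &&
    "$OPENSSL" ca -batch -config "$1/ca.cnf" -extensions client_ext \
        -in "$1/$2.csr" -out "$1/$2.crt" >/dev/null 2>&1
}

# Mark certificate $2 revoked in the CA database of $1 (no CRL written yet).
revoke_cert() {
    "$OPENSSL" ca -config "$1/ca.cnf" -revoke "$2" >/dev/null 2>&1
}

# Write $1/ca.crl from the CA database; rerun after every revocation.
publish_crl() {
    "$OPENSSL" ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" >/dev/null 2>&1
}

# True when CRL $2 verifies under CA certificate $1. A CRL that fails here
# is what the verifier reports as error 8, "CRL signature failure".
crl_signature_ok() {
    "$OPENSSL" crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q '^verify OK'
}

# Print valid, revoked or invalid for client cert $3 against CA $1 and CRL $2.
client_status() {
    out=$("$OPENSSL" verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1) && {
        echo valid
        return 0
    }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo invalid ;;
    esac
    return 0
}
```

Run `crl_signature_ok` on the exact files named in SSLCACertificateFile and SSLCARevocationFile: a CRL generated by a CA whose certificate was since regenerated, or by a different CA altogether, verifies fine on the machine that made it and fails on the web server.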

Re: [CentOS] Certificates Revocation Lists and Apache...

2009-11-04 Thread nate
John Doe wrote: The goal is to be able to distribute client certificates to filter web access to certain resources. How about using just basic user names and passwords? Seems a lot simpler. Client certs can really make things messy and complicated, I worked with them a bunch several years ago,

Re: [CentOS] Certificates Revocation Lists and Apache...

2009-11-04 Thread Paul Heinlein
On Wed, 4 Nov 2009, John Doe wrote: already asked in the openssl mailing list, but just in case you already went through this... I need a little help with Certificate Revocation Lists. I did setup client certificates filtering with apache and it seem to work fine so far (used a tutorial on