Re: Permission denied to access the email file

2017-08-20 Thread Aki Tuomi


On 17.08.2017 13:43, ATHANASE Jean-René wrote:
> Hi,
>
> Dovecot version : 2.2.22 (fe789d2)
> Operating system :
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=16.04
> DISTRIB_CODENAME=xenial
> DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"
> CPU architecture : Linux 4.4.67-1-pve #1 SMP PVE 4.4.67-92 (Fri, 23
> Jun 2017 08:22:06 +0200) x86_64 GNU/Linux
> File system : local
>
> UIDGID
> Aug 17 11:47:28 azizee dovecot: imap(jra11[5063:5011]): Debug:
> Effective uid=5063, gid=5011, home=/var/spool/domaines/vitalnet/jra/
> Aug 17 11:47:28 azizee dovecot: imap(jra11[5063:5011]): Debug:
> Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no,
> list=yes, subscriptions=yes
> location=maildir:/var/spool/domaines/vitalnet/jra/
> Aug 17 11:47:28 azizee dovecot: imap(jra11[5063:5011]): Debug:
> maildir++: root=/var/spool/domaines/vitalnet/jra, index=, indexpvt=,
> control=, inbox=/var/spool/domaines/vitalnet/jra, alt=
> Aug 17 11:47:28 azizee dovecot: imap(jra11[5063:5011]): Error:
> open(/var/spool/domaines/vitalnet/jra/cur/1502890181.V704I34050fM371072.azizee:2,)
> failed: Permission denied (euid=5063()
> egid=5011() missing +r perm:
> /var/spool/domaines/vitalnet/jra/cur/1502890181.V704I34050fM371072.azizee:2,)
>
> Ldap configuration :
>   user_attrs =
> uid=user,userPassword=password,homeDirectory=home,uidNumber=uid,gidNumber=gid
>
> ll
> /var/spool/domaines/vitalnet/jra/cur/1502890181.V704I34050fM371072.azizee\:2\,
> -rw--- 1 5095 5011 438 Aug 16 15:29
> /var/spool/domaines/vitalnet/jra/cur/1502890181.V704I34050fM371072.azizee:2,
>
>
> If I set with the command line "chmod g=rw
> /var/spool/domaines/vitalnet/jra/cur/1502890181.V704I34050fM371072.azizee\:2\,",
> this email file is processed by Dovecot; for example, I have deleted it.
>
> ll
> /var/spool/domaines/vitalnet/jra/cur/1502890181.V704I34050fM371072.azizee\:2\,ST
>
> -rw-rw 1 5095 5011 438 Aug 16 15:29
> /var/spool/domaines/vitalnet/jra/cur/1502890181.V704I34050fM371072.azizee:2,ST
>
> What's the problem with my configuration?
>
> Best regards,

For some reason that file lacks read-permissions for 5063:5011 (which
come from ldap). Your file shows that it's lacking UID 5063. Why is it
owned by 5095? Did you change them?

Aki
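The decision behind that "missing +r perm" error, scripted as an added example (not part of Aki's reply and not Dovecot code): `can_read` applies the kernel's owner/else group/else other rule to the numeric uid, gid and octal mode, with the file from the log (owner 5095, gid 5011, mode 600, opened as 5063:5011) as the worked input, and `scan_maildir` walks a Maildir with GNU `stat` and lists every file the mail process could not open. Assumptions: euid 0 reads everything, and only the primary egid is compared (supplementary groups are ignored).

```shell
#!/bin/sh
# Emulate the kernel's read-permission decision for one file, given the
# identity Dovecot logs for the mail process (euid/egid) and the file's
# numeric uid, gid and octal mode.  Assumptions made here: euid 0 may read
# anything, and only the primary egid is compared (supplementary groups
# are ignored).
can_read() {   # euid egid file_uid file_gid octal_mode
    euid=$1 egid=$2 fuid=$3 fgid=$4 mode=$5
    [ "$euid" -eq 0 ] && return 0
    mode=${mode#"${mode%???}"}          # keep the last three octal digits
    owner=${mode%??}                    # first digit: owner bits
    group=${mode#?}; group=${group%?}   # middle digit: group bits
    other=${mode#??}                    # last digit: other bits
    # Exactly one class is consulted: owner, else group, else other.  The
    # file in the log (owner 5095, mode 600) is unreadable for 5063:5011
    # even though gid 5011 matches, because the group digit is 0, and a
    # read bit in the 'other' digit would not be looked at either.
    if [ "$euid" -eq "$fuid" ]; then bits=$owner
    elif [ "$egid" -eq "$fgid" ]; then bits=$group
    else bits=$other; fi
    [ $((bits & 4)) -ne 0 ]
}

# Describe the outcome in the same terms as Dovecot's error line.
explain() {   # euid egid file_uid file_gid octal_mode
    if can_read "$@"; then echo "ok"; else
        echo "missing +r perm for euid=$1 egid=$2 (file uid=$3 gid=$4 mode=$5)"
    fi
}

# Walk a Maildir and print every file the mail process could not open.
# Uses GNU stat (-c); on BSD/macOS use 'stat -f "%u %g %Lp"' instead.
scan_maildir() {   # maildir_root euid egid
    m_root=$1 m_uid=$2 m_gid=$3
    find "$m_root" -type f | while IFS= read -r f; do
        set -- $(stat -c '%u %g %a' "$f")
        can_read "$m_uid" "$m_gid" "$1" "$2" "$3" ||
            echo "$f: uid=$1 gid=$2 mode=$3 unreadable for $m_uid:$m_gid"
    done
}
```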


Re: pop 110/995, imap 143/993 ?

2017-08-20 Thread Steffen Kaiser


On Mon, 21 Aug 2017, voy...@sbt.net.au wrote:

> 1. I've set the server with self issued cert, and both pop/imap
> StartTLS/110/143 SSL/993/995 (apologies if I'm using wrong naming
> terminology)

That's fine.

- -- 
Steffen Kaiser



Re: ot: self certified enduser browser/mail client install?

2017-08-20 Thread Steffen Kaiser


On Mon, 21 Aug 2017, voy...@sbt.net.au wrote:

> in order for end user to avoid webmail warnings or email client warnings,
> do I make this file /etc/pki/dovecot/certs/dovecot.pem available to users
> say under httpd://webhost/tld/certificate/dovecot.pem

Most likely yes. It should work regardless of whether the cert is self-signed
or not.


However, you could try to find the upper-most cert by running

openssl x509 -in /etc/pki/dovecot/certs/dovecot.pem -noout -text|less

Check out the Issuer and Subject near the top of the output:

Signature Algorithm: sha256WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, 
CN=dovecot.example.com/emailAddress=m...@example.com
Validity
Not Before: Aug 21 05:36:49 2017 GMT
Not After : Aug 21 05:36:49 2018 GMT
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, 
CN=dovecot.example.com/emailAddress=m...@example.com

If both are the same, it's the correct one. Then you really have a 
self-signed certificate. Otherwise hunt for the "issuer" cert and hand 
that to your users. That would be your CA cert.


- -- 
Steffen Kaiser

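The Issuer/Subject comparison Steffen describes, scripted as an added example (not part of his reply and not Dovecot's own tooling): `is_self_signed` compares the two names and additionally has `openssl verify` check the certificate against itself, and `find_ca_cert` splits a PEM bundle such as dovecot.pem into its certificates and prints the Subject of the self-signed one, which is the cert to hand to users. Assumes the openssl command line tool is installed; file names are placeholders.

```shell
#!/bin/sh
# Decide whether a PEM certificate is self-signed: Issuer and Subject must
# match, and the certificate must verify against itself.  The second check
# matters because a CA can issue a leaf whose names happen to coincide with
# its own; only the signature proves the cert was signed by its own key.
is_self_signed() {   # cert.pem
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Split a PEM bundle into one file per certificate ('openssl x509' only
# ever reads the first one), print the Subject of every self-signed entry
# (the CA cert to hand out) and return 1 when the bundle has none.
find_ca_cert() {   # bundle.pem
    dir=$(mktemp -d); found=1
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = 1 }
        f { print > (d "/cert" n ".pem") }
        /-----END CERTIFICATE-----/ { f = 0 }' "$1"
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || continue
        if is_self_signed "$f"; then
            openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//'
            found=0
        fi
    done
    rm -rf "$dir"
    return $found
}
```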


Re: ot: self certified enduser browser/mail client install?

2017-08-20 Thread Christian Kivalo


On 21 August 2017 01:37:26 MESZ, voy...@sbt.net.au wrote:
>I have self certified Dovecot as so:
>
>ssl = required
>ssl_cert = ssl_key = userdb {
>  args = /etc/dovecot/dovecot-mysql.conf
>  driver = sql
>}
>
>in order for end user to avoid webmail warnings or email client
>warnings,
>do I make this file /etc/pki/dovecot/certs/dovecot.pem available to
>users
>say under httpd://webhost/tld/certificate/dovecot.pem
>
>and, tell users to import dovecot.pem (from
>/etc/pki/dovecot/certs/dovecot.pem) into their PC/browser/mailclient
>certs?
>
>(sorry for dumb Q, but I thought I should ask before I commit some
>fundamental stuffup)
You would publish the CA cert to your users, that's the one you used to sign 
your cert. 
-- 
Christian Kivalo


Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Bill Shirley

I already have BIND set up to allow DHCP to update.  Sometimes I need to
tweak things so I use nsupdate.  No 'rndc reload' required.
nsupdate.txt:
delete Zeratul.lan.example.com A
send
delete 90.6.168.192.in-addr.arpa PTR
send
add Zeratul.lan.example.com 902 A 192.168.6.89
send
add 89.6.168.192.in-addr.arpa 902 PTR Zeratul.lan.example.com
send
Command:
nsupdate -k /etc/named/DHCP_UPDATER.key nsupdate.txt

This could be used for a TXT record.

Bill

On 8/20/2017 3:59 PM, Ralph Seichter wrote:
> On 20.08.2017 19:50, KT Walrus wrote:
>
>> I use Cloudflare (free DNS) and DNS Made Easy (paid DNS). I would never
>> run my own DNS service except for communicating between my Docker
>> services internally
>
> I run my own nameservers for various reasons, not the least of them
> being DNSSEC. My zones' signing keys never leave my hands.
>
>> If you run your own public DNS service (for your Dovecot domains), you
>> should pick one that has an API for updating the DNS records from a
>> script like acme.sh or simply write your own custom hook for acme.sh
>> to use.
>
> Nameservers like BIND or Unbound can use text based config files (zone
> files), which can be generated on the fly with scripts. Add "rndc
> reload" to the mix, and changes can be made instantaneously, without any
> special APIs.
>
> What can be a bother is when TTL values are set too high and changes in
> the zones take too long to propagate, but that's a general issue, and
> when running your own nameservers you can set these values as low as you
> require.
>
> -Ralph
>
> P.S.: All this sure is interesting, but way off-topic in regards to
> Dovecot. ;-)
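Bill's nsupdate batch adapted to the ACME DNS-01 TXT record Kevin's acme.sh setup relies on, as an added example (not Bill's file and not acme.sh's own dns_nsupdate provider): the two `dns_mynsupdate_*` functions follow the acme.sh dnsapi hook convention of `dns_<name>_add fulldomain txtvalue` and `dns_<name>_rm fulldomain txtvalue`, build an add/delete/send batch for the `_acme-challenge` name and feed it to `nsupdate` with a TSIG key. The key path, server address and the `MY_NSUPDATE_*` variable names are this example's assumptions.

```shell
#!/bin/sh
# DNS-01 hook in the shape acme.sh expects from a dnsapi provider:
#   dns_<name>_add fulldomain txtvalue    (before validation)
#   dns_<name>_rm  fulldomain txtvalue    (after validation)
# Settings below are this example's own assumed names, not acme.sh's:
: "${MY_NSUPDATE_KEY:=/etc/named/DHCP_UPDATER.key}"   # TSIG key file
: "${MY_NSUPDATE_SERVER:=127.0.0.1}"                   # primary nameserver
ACME_TTL=60   # short TTL: the record only has to live for one validation

# ACME tokens are base64url (A-Z a-z 0-9 - _).  Anything else is refused
# rather than spliced into the batch, where a quote or newline could
# smuggle extra nsupdate commands in.
valid_txt() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the nsupdate batch.  Same short 'add'/'delete'/'send' form as the
# A/PTR file above; the trailing dot makes the name absolute.  'add' does
# not clear existing TXT records first: a certificate for both
# example.com and *.example.com needs two values at the same name.
nsupdate_batch() {   # add|rm fulldomain txtvalue
    case $1 in
        add|rm) ;;
        *) echo "usage: nsupdate_batch add|rm name value" >&2; return 1 ;;
    esac
    valid_txt "$3" || { echo "refusing TXT value: $3" >&2; return 1; }
    printf 'server %s\n' "$MY_NSUPDATE_SERVER"
    case $1 in
        add) printf 'add %s. %s TXT "%s"\nsend\n' "$2" "$ACME_TTL" "$3" ;;
        rm)  printf 'delete %s. TXT "%s"\nsend\n' "$2" "$3" ;;
    esac
}

dns_mynsupdate_add() {
    batch=$(nsupdate_batch add "$1" "$2") || return 1
    printf '%s\n' "$batch" | nsupdate -k "$MY_NSUPDATE_KEY"
}

dns_mynsupdate_rm() {
    batch=$(nsupdate_batch rm "$1" "$2") || return 1
    printf '%s\n' "$batch" | nsupdate -k "$MY_NSUPDATE_KEY"
}

# Poll the authoritative server until the record is visible (covers the
# propagation delay Peter describes for his provider); give up after $3 s.
wait_for_txt() {   # fulldomain txtvalue [timeout_seconds]
    t=0
    while [ "$t" -lt "${3:-120}" ]; do
        dig +short TXT "$1" "@$MY_NSUPDATE_SERVER" | grep -qx "\"$2\"" && return 0
        sleep 5; t=$((t + 5))
    done
    return 1
}
```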


ot: self certified enduser browser/mail client install?

2017-08-20 Thread voytek
I have self certified Dovecot as so:

ssl = required
ssl_cert = 

pop 110/995, imap 143/993 ?

2017-08-20 Thread voytek
I'm just setting up a new Dovecot server to migrate from an older system, but I
have a general question:

1. I've set the server with self issued cert, and both pop/imap
StartTLS/110/143 SSL/993/995 (apologies if I'm using wrong naming
terminology)

is there a 'preferred way'?  should I tell users to use 143 over 993 ? or
993 over 143? or?

my current understanding is that some (MS?) clients might not support
StartTLS/143 ? so best to offer both ?

I think? some public WiFi block 993/995 but allow 143/110, hence, another
advantage for using 143/110

thanks for any advice,

V


Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Ralph Seichter
On 20.08.2017 19:50, KT Walrus wrote:

> I use Cloudflare (free DNS) and DNS Made Easy (paid DNS). I would never
> run my own DNS service except for communicating between my Docker
> services internally

I run my own nameservers for various reasons, not the least of them
being DNSSEC. My zones' signing keys never leave my hands.

> If you run your own public DNS service (for your Dovecot domains), you
> should pick one that has an API for updating the DNS records from a
> script like acme.sh or simply write your own custom hook for acme.sh
> to use.

Nameservers like BIND or Unbound can use text based config files (zone
files), which can be generated on the fly with scripts. Add "rndc
reload" to the mix, and changes can be made instantaneously, without any
special APIs.

What can be a bother is when TTL values are set too high and changes in
the zones take too long to propagate, but that's a general issue, and
when running your own nameservers you can set these values as low as you
require.

-Ralph

P.S.: All this sure is interesting, but way off-topic in regards to
Dovecot. ;-)


Re: is a self signed certificate always invalid the first time

2017-08-20 Thread KT Walrus

> On Aug 20, 2017, at 1:32 PM, Stephan von Krawczynski  wrote:
> 
> On Sun, 20 Aug 2017 12:29:49 -0400
> KT Walrus  wrote:
> 
>>> On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski 
>>> wrote:
>>> 
>>> On Sat, 19 Aug 2017 21:39:18 -0400
>>> KT Walrus  wrote:
>>> 
>>>>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski 
>>>>> wrote:
>>>>> 
>>>>> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
>>>>> Joseph Tam  wrote:
>>>>> 
>>>>>> Michael Felt  writes:
>>>>>> 
>>>>>>>> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
>>>>>>>> written in pure shell script, so no python dependencies.
>>>>>>>> https://github.com/Neilpang/acme.sh
>>>>>>> 
>>>>>>> Thanks - I might look at that, but as Ralph mentions in his reply -
>>>>>>> Let's encrypt certs are only for three months - never ending
>>>>>>> circus.
>>>>>> 
>>>>>> I wouldn't characterize it as a circus.  Once you bootstrap your first
>>>>>> certificate and install the cert-renew cron script, it's not something
>>>>>> you have to pay a lot of attention to.  I have a few LE certs in use,
>>>>>> and I don't think about it anymore: it just works.
>>>>>> 
>>>>>> The shorter cert lifetime also helps limit damage if your certificate
>>>>>> gets compromised.
>>>>>> 
>>>>>> Joseph Tam 
>>>>> 
>>>>> Obviously you do not use clustered environments with more than one node
>>>>> per service.
>>>>> Else you would not call it "it just works", because in fact the renewal
>>>>> is quite big bs as one node must do the job while all the others must be
>>>>> _offline_.
>>>>> 
>>>>> -- 
>>>>> Regards,
>>>>> Stephan
>>>> 
>>>> I use DNS verification for LE certs. Much better since generating certs
>>>> only depends on access to DNS and not your HTTP servers. Cert generation
>>>> is automatic (on a cron job that runs every night looking for certs that
>>>> are within 30 days of expiration). Once set up, it is pretty much
>>>> automatic. I do use Docker to deploy all services for my website which
>>>> also makes things pretty easy to manage.
>>>> 
>>>> Kevin
>>>> 
>>> 
>>> DNS verification sounds nice only on first glimpse.
>>> If you have a lot of domains and ought to reload your DNS for every
>>> verification of every single domain that does not look like a method with a
>>> small footprint or particularly elegant.
>> 
>> I don’t understand what you are trying to say. I have over 170 domains that
>> I generate certs for automatically using the acme.sh script. It is all
>> automatic and requires no “reload your DNS” by me. The script just updates
>> the DNS with a record that Let’s Encrypt checks before issuing the
>> certificate. After Let’s Encrypt verifies that you can update the DNS for
>> your domain with the record, the script removes the record.
>> 
>> This actually works much better than HTTP especially for domains like for
>> email servers that don’t have an HTTP server deployed for them.
>> 
>> Kevin
> 
> You can't update a record without reloading configs in bind. I guess you are
> using some other DNS service...

I use Cloudflare (free DNS) and DNS Made Easy (paid DNS). I would never run my 
own DNS service except for communicating between my Docker services internally 
(Docker has its own internal DNS for this and there are many pre-built docker 
images to provide a public DNS service, if required). But, Let’s Encrypt 
requires you update the public DNS used by the domains you are generating certs 
for. If you run your own public DNS service (for your Dovecot domains), you 
should pick one that has an API for updating the DNS records from a script like 
acme.sh or simply write your own custom hook for acme.sh to use.

See this page for all the DNS services that acme.sh supports: 

https://github.com/Neilpang/acme.sh/tree/master/dnsapi 


Kevin


Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Larry Rosenman

On 8/20/17, 12:33 PM, "dovecot on behalf of Stephan von Krawczynski" 
 wrote:

On Sun, 20 Aug 2017 12:29:49 -0400
KT Walrus  wrote:

> > On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski 
> > wrote:
> > 
> > On Sat, 19 Aug 2017 21:39:18 -0400
> > KT Walrus  wrote:
> >   
> >>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski 
> >>> wrote:
> >>> 
> >>> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
> >>> Joseph Tam  wrote:
> >>>   
>  Michael Felt  writes:
>    
> >> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
> >> written in pure shell script, so no python dependencies.
> >> https://github.com/Neilpang/acme.sh  
> > 
> > Thanks - I might look at that, but as Ralph mentions in his reply -
> > Let's encrypt certs are only for three months - never ending
> > circus.  
>  
>  I wouldn't characterize it as a circus.  Once you bootstrap your first
>  certificate and install the cert-renew cron script, it's not something
>  you have to pay a lot of attention to.  I have a few LE certs in use,
>  and I don't think about it anymore: it just works.
>  
>  The shorter cert lifetime also helps limit damage if your certificate
>  gets compromised.
>  
>  Joseph Tam 
> >>> 
> >>> Obviously you do not use clustered environments with more than one node
> >>> per service.
> >>> Else you would not call it "it just works", because in fact the renewal
> >>> is quite big bs as one node must do the job while all the others must be
> >>> _offline_.
> >>> 
> >>> -- 
> >>> Regards,
> >>> Stephan
> >> 
> >> I use DNS verification for LE certs. Much better since generating certs
> >> only depends on access to DNS and not your HTTP servers. Cert generation
> >> is automatic (on a cron job that runs every night looking for certs that
> >> are within 30 days of expiration). Once set up, it is pretty much
> >> automatic. I do use Docker to deploy all services for my website which
> >> also makes things pretty easy to manage.
> >> 
> >> Kevin
> >>   
> > 
> > DNS verification sounds nice only on first glimpse.
> > If you have a lot of domains and ought to reload your DNS for every
> > verification of every single domain that does not look like a method with a
> > small footprint or particularly elegant.
> 
> I don’t understand what you are trying to say. I have over 170 domains that
> I generate certs for automatically using the acme.sh script. It is all
> automatic and requires no “reload your DNS” by me. The script just updates
> the DNS with a record that Let’s Encrypt checks before issuing the
> certificate. After Let’s Encrypt verifies that you can update the DNS for
> your domain with the record, the script removes the record.
> 
> This actually works much better than HTTP especially for domains like for
> email servers that don’t have an HTTP server deployed for them.
> 
> Kevin

You can't update a record without reloading configs in bind. I guess you are
using some other DNS service...

-- 
Regards,
Stephan

Dynamic DNS Updates do it on the fly.

This is how I have acme.sh setup to do it, and my DHCP, et al. 


Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Stephan von Krawczynski
On Sun, 20 Aug 2017 12:29:49 -0400
KT Walrus  wrote:

> > On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski 
> > wrote:
> > 
> > On Sat, 19 Aug 2017 21:39:18 -0400
> > KT Walrus  wrote:
> >   
> >>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski 
> >>> wrote:
> >>> 
> >>> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
> >>> Joseph Tam  wrote:
> >>>   
>  Michael Felt  writes:
>    
> >> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
> >> written in pure shell script, so no python dependencies.
> >> https://github.com/Neilpang/acme.sh  
> > 
> > Thanks - I might look at that, but as Ralph mentions in his reply -
> > Let's encrypt certs are only for three months - never ending
> > circus.  
>  
>  I wouldn't characterize it as a circus.  Once you bootstrap your first
>  certificate and install the cert-renew cron script, it's not something
>  you have to pay a lot of attention to.  I have a few LE certs in use,
>  and I don't think about it anymore: it just works.
>  
>  The shorter cert lifetime also helps limit damage if your certificate
>  gets compromised.
>  
>  Joseph Tam 
> >>> 
> >>> Obviously you do not use clustered environments with more than one node
> >>> per service.
> >>> Else you would not call it "it just works", because in fact the renewal
> >>> is quite big bs as one node must do the job while all the others must be
> >>> _offline_.
> >>> 
> >>> -- 
> >>> Regards,
> >>> Stephan
> >> 
> >> I use DNS verification for LE certs. Much better since generating certs
> >> only depends on access to DNS and not your HTTP servers. Cert generation
> >> is automatic (on a cron job that runs every night looking for certs that
> >> are within 30 days of expiration). Once set up, it is pretty much
> >> automatic. I do use Docker to deploy all services for my website which
> >> also makes things pretty easy to manage.
> >> 
> >> Kevin
> >>   
> > 
> > DNS verification sounds nice only on first glimpse.
> > If you have a lot of domains and ought to reload your DNS for every
> > verification of every single domain that does not look like a method with a
> > small footprint or particularly elegant.  
> 
> I don’t understand what you are trying to say. I have over 170 domains that
> I generate certs for automatically using the acme.sh script. It is all
> automatic and requires no “reload your DNS” by me. The script just updates
> the DNS with a record that Let’s Encrypt checks before issuing the
> certificate. After Let’s Encrypt verifies that you can update the DNS for
> your domain with the record, the script removes the record.
> 
> This actually works much better than HTTP especially for domains like for
> email servers that don’t have an HTTP server deployed for them.
> 
> Kevin

You can't update a record without reloading configs in bind. I guess you are
using some other DNS service...

-- 
Regards,
Stephan


Re: is a self signed certificate always invalid the first time

2017-08-20 Thread KT Walrus

> On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski  
> wrote:
> 
> On Sat, 19 Aug 2017 21:39:18 -0400
> KT Walrus  wrote:
> 
>>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski 
>>> wrote:
>>> 
>>> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
>>> Joseph Tam  wrote:
>>> 
 Michael Felt  writes:
 
>> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
>> written in pure shell script, so no python dependencies.
>> https://github.com/Neilpang/acme.sh
> 
> Thanks - I might look at that, but as Ralph mentions in his reply -
> Let's encrypt certs are only for three months - never ending circus.
 
 I wouldn't characterize it as a circus.  Once you bootstrap your first
 certificate and install the cert-renew cron script, it's not something
 you have to pay a lot of attention to.  I have a few LE certs in use,
 and I don't think about it anymore: it just works.
 
 The shorter cert lifetime also helps limit damage if your certificate
 gets compromised.
 
 Joseph Tam   
>>> 
>>> Obviously you do not use clustered environments with more than one node per
>>> service.
>>> Else you would not call it "it just works", because in fact the renewal is
>>> quite big bs as one node must do the job while all the others must be
>>> _offline_.
>>> 
>>> -- 
>>> Regards,
>>> Stephan  
>> 
>> I use DNS verification for LE certs. Much better since generating certs only
>> depends on access to DNS and not your HTTP servers. Cert generation is
>> automatic (on a cron job that runs every night looking for certs that are
>> within 30 days of expiration). Once set up, it is pretty much automatic. I
>> do use Docker to deploy all services for my website which also makes things
>> pretty easy to manage.
>> 
>> Kevin
>> 
> 
> DNS verification sounds nice only on first glimpse.
> If you have a lot of domains and ought to reload your DNS for every
> verification of every single domain that does not look like a method with a
> small footprint or particularly elegant.

I don’t understand what you are trying to say. I have over 170 domains that I 
generate certs for automatically using the acme.sh script. It is all automatic 
and requires no “reload your DNS” by me. The script just updates the DNS with a 
record that Let’s Encrypt checks before issuing the certificate. After Let’s 
Encrypt verifies that you can update the DNS for your domain with the record, 
the script removes the record.

This actually works much better than HTTP especially for domains like for email 
servers that don’t have an HTTP server deployed for them.

Kevin

Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Stephan von Krawczynski
On Sat, 19 Aug 2017 21:39:18 -0400
KT Walrus  wrote:

> > On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski 
> > wrote:
> > 
> > On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
> > Joseph Tam  wrote:
> >   
> >> Michael Felt  writes:
> >>   
>  I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
>  written in pure shell script, so no python dependencies.
>  https://github.com/Neilpang/acme.sh
> >>> 
> >>> Thanks - I might look at that, but as Ralph mentions in his reply -
> >>> Let's encrypt certs are only for three months - never ending circus.
> >> 
> >> I wouldn't characterize it as a circus.  Once you bootstrap your first
> >> certificate and install the cert-renew cron script, it's not something
> >> you have to pay a lot of attention to.  I have a few LE certs in use,
> >> and I don't think about it anymore: it just works.
> >> 
> >> The shorter cert lifetime also helps limit damage if your certificate
> >> gets compromised.
> >> 
> >> Joseph Tam   
> > 
> > Obviously you do not use clustered environments with more than one node per
> > service.
> > Else you would not call it "it just works", because in fact the renewal is
> > quite big bs as one node must do the job while all the others must be
> > _offline_.
> > 
> > -- 
> > Regards,
> > Stephan  
> 
> I use DNS verification for LE certs. Much better since generating certs only
> depends on access to DNS and not your HTTP servers. Cert generation is
> automatic (on a cron job that runs every night looking for certs that are
> within 30 days of expiration). Once set up, it is pretty much automatic. I
> do use Docker to deploy all services for my website which also makes things
> pretty easy to manage.
> 
> Kevin
> 

DNS verification sounds nice only on first glimpse.
If you have a lot of domains and ought to reload your DNS for every
verification of every single domain that does not look like a method with a
small footprint or particularly elegant.

-- 
Regards,
Stephan


Re: is a self signed certificate always invalid the first time

2017-08-20 Thread KT Walrus

> On Aug 20, 2017, at 3:20 AM, Felix Zielcke  wrote:
> 
> On Saturday, 19.08.2017, 21:39 -0400, KT Walrus wrote:
>> 
>> I use DNS verification for LE certs. Much better since generating
>> certs only depends on access to DNS and not your HTTP servers. Cert
>> generation is automatic (on a cron job that runs every night looking
>> for certs that are within 30 days of expiration). Once set up, it is
>> pretty much automatic. I do use Docker to deploy all services for my
>> website which also makes things pretty easy to manage.
>> 
>> Kevin
> 
> Hi Kevin,
> 
> what software do you use for DNS based verification? I read with the
> official certbot from LE it's not possible to do this fully automated.
> Currently I use the http based method, but would like to switch to DNS
> based.
> 
> Greetings
> Felix

I use the acme.sh script: https://github.com/Neilpang/acme.sh 


The author supports running this script automatically with the docker image 
neilpang/acme.sh.

Kevin


Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Peter West
Hi Felix,

I use getssl, which is a bash script, for LE certs.  For certs on one server I 
use http, for the other DNS.

The DNS method depends on your DNS provider.  Many providers have an API for 
updating DNS. getssl provides scripts for a small number of popular providers. 
Acme.sh provides a greater range of DNS provider APIs.

I added my own linode dns scripts in preference to those provided by getssl.  
Linode’s 15 minute DNS update delay has to be accounted for.

--
Peter West
p...@pbw.id.au
“My soul magnifies the Lord…”

> On 20 Aug 2017, at 5:20 pm, Felix Zielcke  wrote:
> 
> On Saturday, 19.08.2017, 21:39 -0400, KT Walrus wrote:
>> 
>> I use DNS verification for LE certs. Much better since generating
>> certs only depends on access to DNS and not your HTTP servers. Cert
>> generation is automatic (on a cron job that runs every night looking
>> for certs that are within 30 days of expiration). Once set up, it is
>> pretty much automatic. I do use Docker to deploy all services for my
>> website which also makes things pretty easy to manage.
>> 
>> Kevin
> 
> Hi Kevin,
> 
> what software do you use for DNS based verification? I read with the
> official certbot from LE it's not possible to do this fully automated.
> Currently I use the http based method, but would like to switch to DNS
> based.
> 
> Greetings
> Felix







Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Felix Zielcke
On Saturday, 19.08.2017, 21:39 -0400, KT Walrus wrote:
> 
> I use DNS verification for LE certs. Much better since generating
> certs only depends on access to DNS and not your HTTP servers. Cert
> generation is automatic (on a cron job that runs every night looking
> for certs that are within 30 days of expiration). Once set up, it is
> pretty much automatic. I do use Docker to deploy all services for my
> website which also makes things pretty easy to manage.
> 
> Kevin

Hi Kevin,

what software do you use for DNS based verification? I read with the
official certbot from LE it's not possible to do this fully automated.
Currently I use the http based method, but would like to switch to DNS
based.

Greetings
Felix