Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Bill Shirley
I already have bind setup to allow DHCP to update. Sometimes I need to tweak things so I use nsupdate. No 'rndc reload' required. nsupdate.txt: delete Zeratul.lan.example.com A send delete 90.6.168.192.in-addr.arpa PTR send add Zeratul.lan.example.com 902 A 192.168.6.89 send add

Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Ralph Seichter
On 20.08.2017 19:50, KT Walrus wrote: > I use Cloudflare (free DNS) and DNS Made Easy (paid DNS). I would never > run my own DNS service except for communicating between my Docker > services internally I run my own nameservers for various reasons, not the least of them being DNSSEC. My zones'

Re: is a self signed certificate always invalid the first time

2017-08-20 Thread KT Walrus
> On Aug 20, 2017, at 1:32 PM, Stephan von Krawczynski wrote: > > On Sun, 20 Aug 2017 12:29:49 -0400 > KT Walrus wrote: > >>> On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski >>> wrote: >>> >>> On Sat, 19 Aug 2017 21:39:18 -0400 >>>

Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Larry Rosenman
On 8/20/17, 12:33 PM, "dovecot on behalf of Stephan von Krawczynski" wrote: On Sun, 20 Aug 2017 12:29:49 -0400 KT Walrus wrote: > > On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski

Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Stephan von Krawczynski
On Sun, 20 Aug 2017 12:29:49 -0400 KT Walrus wrote: > > On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski > > wrote: > > > > On Sat, 19 Aug 2017 21:39:18 -0400 > > KT Walrus wrote: > > > >>> On Aug 18, 2017, at 4:05 AM, Stephan von

Re: is a self signed certificate always invalid the first time

2017-08-20 Thread KT Walrus
> On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski > wrote: > > On Sat, 19 Aug 2017 21:39:18 -0400 > KT Walrus wrote: > >>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski >>> wrote: >>> >>> On Fri, 18 Aug 2017 00:24:39 -0700

Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Stephan von Krawczynski
On Sat, 19 Aug 2017 21:39:18 -0400 KT Walrus wrote: > > On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski > > wrote: > > > > On Fri, 18 Aug 2017 00:24:39 -0700 (PDT) > > Joseph Tam wrote: > > > >> Michael Felt

Re: is a self signed certificate always invalid the first time

2017-08-20 Thread KT Walrus
> On Aug 20, 2017, at 3:20 AM, Felix Zielcke wrote: > > On Saturday, 19.08.2017, 21:39 -0400, KT Walrus wrote: >> >> I use DNS verification for LE certs. Much better since generating >> certs only depends on access to DNS and not your HTTP servers. Cert >> generation is

Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Peter West
Hi Felix, I use getssl, which is a bash script, for LE certs. For certs on one server I use http, for the other DNS. The DNS method depends on your DNS provider. Many providers have an API for updating DNS. getssl provides scripts for a small number of popular providers. Acme.sh provides a

Re: is a self signed certificate always invalid the first time

2017-08-20 Thread Felix Zielcke
On Saturday, 19.08.2017, 21:39 -0400, KT Walrus wrote: > > I use DNS verification for LE certs. Much better since generating > certs only depends on access to DNS and not your HTTP servers. Cert > generation is automatic (on a cron job that runs every night looking > for certs that are within

Re: is a self signed certificate always invalid the first time

2017-08-19 Thread Ruben Safir
On 08/19/2017 09:39 PM, KT Walrus wrote: > I use DNS verification for LE certs. what is that? -- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT -

Re: is a self signed certificate always invalid the first time

2017-08-19 Thread KT Walrus
> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski wrote: > > On Fri, 18 Aug 2017 00:24:39 -0700 (PDT) > Joseph Tam wrote: > >> Michael Felt writes: >> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is

Re: is a self signed certificate always invalid the first time

2017-08-19 Thread Richard Hector
On 18/08/17 20:05, Stephan von Krawczynski wrote: > On Fri, 18 Aug 2017 00:24:39 -0700 (PDT) > Joseph Tam wrote: > >> Michael Felt writes: >> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is written in pure shell script, so

Re: is a self signed certificate always invalid the first time?

2017-08-18 Thread Ralph Seichter
On 18.08.2017 09:12, voy...@sbt.net.au wrote: > for a public web server where https is becoming mandatory, I'd still > need a certificate from a recognized publisher, to avoid users getting > 'warnings', is that so ? For a certificate to be reported as "valid", an unbroken chain of cryptographic

Re: is a self signed certificate always invalid the first time?

2017-08-18 Thread Ralph Seichter
On 18.08.2017 08:58, Michael Felt wrote: > as Ralph mentions in his reply - Let's encrypt certs are only for > three months - never ending circus. I don't consider the 90-day-lifespan a "circus". It is meant as a security feature[1], and Let's Encrypt suggests using automation for certificate

Re: is a self signed certificate always invalid the first time?

2017-08-18 Thread Noel Butler
On 18/08/2017 17:12, voy...@sbt.net.au wrote: > BUT, for a public web server where https is becoming mandatory, I'd still > need a certificate from a recognized publisher, to avoid users getting > 'warnings', is that so ? > > (I'm currently using self issued for both mail and web) > > thanks, >

Re: is a self signed certificate always invalid the first time

2017-08-18 Thread Joseph Tam
Obviously you do not use clustered environments with more than one node per service. Else you would not call it "it just works", because in fact the renewal is quite big bs as one node must do the job while all the others must be _offline_. I'm not sure how you have set up your clustered

Re: is a self signed certificate always invalid the first time?

2017-08-18 Thread Steffen Kaiser
On Fri, 18 Aug 2017, voy...@sbt.net.au wrote: BUT, for a public web server where https is becoming mandatory, I'd still need a certificate from a recognized publisher, to avoid users getting 'warnings', is that so ? As Michael wrote already, it's

Re: is a self signed certificate always invalid the first time

2017-08-18 Thread Stephan von Krawczynski
On Fri, 18 Aug 2017 00:24:39 -0700 (PDT) Joseph Tam wrote: > Michael Felt writes: > > >> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is > >> written in pure shell script, so no python dependencies. > >>

Re: is a self signed certificate always invalid the first time?

2017-08-18 Thread Michael Felt
On 8/18/2017 9:12 AM, voy...@sbt.net.au wrote: On Fri, August 18, 2017 5:02 pm, Michael Felt wrote: On 8/11/2017 1:29 PM, Ralph Seichter wrote: And, Ralph, I salute you. I have never been able to be disciplined enough to be my own CA. I encourage you to look into the subject again. I

Re: is a self signed certificate always invalid the first time

2017-08-18 Thread Joseph Tam
Michael Felt writes: I use acme.sh for all of my LetsEncrypt certs (web & mail), it is written in pure shell script, so no python dependencies. https://github.com/Neilpang/acme.sh Thanks - I might look at that, but as Ralph mentions in his reply - Let's encrypt certs

Re: is a self signed certificate always invalid the first time?

2017-08-18 Thread voytek
On Fri, August 18, 2017 5:02 pm, Michael Felt wrote: > On 8/11/2017 1:29 PM, Ralph Seichter wrote: >>> And, Ralph, I salute you. I have never been able to be disciplined >>> enough to be my own CA. >> I encourage you to look into the subject again. >> > I actually have been, which is why I could

Re: is a self signed certificate always invalid the first time?

2017-08-18 Thread Michael Felt
On 8/11/2017 1:29 PM, Ralph Seichter wrote: On 11.08.2017 11:36, Michael Felt wrote: This is what Ralph means when he says "have been running a CA for 15+ years" - not that he is (though he could!) sell certificates commercially - rather, he is using an initial certificate to sign later

Re: is a self signed certificate always invalid the first time?

2017-08-18 Thread Michael Felt
On 8/11/2017 11:44 AM, Florian Beer wrote: On 2017-08-11 11:36, Michael Felt wrote: I have looked at let's encrypt. Key issue for me is having to add a lot python stuff that would otherwise not be on any server. I use acme.sh for all of my LetsEncrypt certs (web & mail), it is written in

Re: is a self signed certificate always invalid the first time?

2017-08-11 Thread Frank-Ulrich Sommer
On 11 August 2017 12:46:46 MESZ, Ruben Safir wrote: >On 08/10/2017 04:41 PM, Frank-Ulrich Sommer wrote: >> I can't see any security advantages of a self signed cert. I > >then you fail to understand the history, like when Microsoft's certs >were undermined because the

Re: is a self signed certificate always invalid the first time?

2017-08-11 Thread Ralph Seichter
On 11.08.2017 11:36, Michael Felt wrote: > This is what Ralph means when he says "have been running a CA for > 15+ years" - not that he is (though he could!) sell certificates > commercially - rather, he is using an initial certificate to sign > later certificates with. Actually, I do sell

Re: is a self signed certificate always invalid the first time?

2017-08-11 Thread Ruben Safir
On 08/10/2017 04:41 PM, Frank-Ulrich Sommer wrote: > add security exceptions this rings all alarm bells. no, but software vendors will have you believe that. Sorry, I don't leave my house keys with strangers

Re: is a self signed certificate always invalid the first time?

2017-08-11 Thread Ruben Safir
On 08/10/2017 04:41 PM, Frank-Ulrich Sommer wrote: > I can't see any security advantages of a self signed cert. I then you fail to understand the history, like when Microsoft's certs were undermined because the third party authentication agency gave the keys to 2 guys that knocked on the door and

Re: is a self signed certificate always invalid the first time?

2017-08-11 Thread Florian Beer
On 2017-08-11 11:36, Michael Felt wrote: I have looked at let's encrypt. Key issue for me is having to add a lot python stuff that would otherwise not be on any server. I use acme.sh for all of my LetsEncrypt certs (web & mail), it is written in pure shell script, so no python dependencies.

Re: is a self signed certificate always invalid the first time?

2017-08-11 Thread Michael Felt
I have looked at let's encrypt. Key issue for me is having to add a lot python stuff that would otherwise not be on any server. Again, All CA's like "Let's Encrypt" - and others that are accepted by the "majors", e.g., Windows, Mozilla make it much easier for the "random" user to use

Re: is a self signed certificate always invalid the first time?

2017-08-10 Thread Doug Hardie
Having gone through the process to get "approved" certificates a few times, I don't believe it would be all that difficult to get a certificate with your domain name from several of the "approved" certificate authorities. The process some of them use to "certify" the applicant is pretty easy

Re: is a self signed certificate always invalid the first time?

2017-08-10 Thread Frank-Ulrich Sommer
I can't see any security advantages of a self signed cert. If the keypair is generated locally (which it should) a certificate signed by an external CA can't be worse just by the additional signature of the external CA. Better security can only be gained if all users are urged to remove all

Re: is a self signed certificate always invalid the first time?

2017-08-10 Thread Stephan von Krawczynski
On Thu, 10 Aug 2017 07:53:16 -0700 Gregory Sloop wrote: > [...] > Clearly there *are* issues with trusted CA's. But they also offer some value > you can't get with a self-signed cert - especially to people who would > connect to your servers, but who have no real relationship

Re: is a self signed certificate always invalid the first time?

2017-08-10 Thread Gregory Sloop
SvK> On Wed, 9 Aug 2017 08:39:30 -0700 SvK> Gregory Sloop wrote: >> AV> So I’m using dovecot, and I created a self signed certificate >> AV> with mkcert.sh based on dovecot-openssl.cnf. The name in there matches >> AV> my mail server. >> AV> The first time it connects in

Re: is a self signed certificate always invalid the first time?

2017-08-10 Thread Alef Veld
I just need my internal users to download their mail, right now it's not something I'm terribly worried about. I'm just glad I got it all working so far :-) Once I do my apache to SSL as well I'll probably get paid certificates or one letsencrypt certificate for all. Sent from my iPhone > On

Re: is a self signed certificate always invalid the first time?

2017-08-10 Thread Ralph Seichter
On 10.08.2017 09:18, Stephan von Krawczynski wrote: > It would be far better to use a self-signed certificate that can be > checked through some instance/host set inside your domain. I have been running a CA for 15+ years, generating certificates only for servers I personally maintain. Since my

Re: is a self signed certificate always invalid the first time?

2017-08-10 Thread Alef Veld
I completely agree (having said that I'm pretty new to all this so I might be full of it). You should run your own CA if you have an active financial interest in your company (say you're the owner). No added benefit to have your certificate certified by a third party, why would they care about

Re: is a self signed certificate always invalid the first time?

2017-08-10 Thread Stephan von Krawczynski
On Wed, 9 Aug 2017 08:39:30 -0700 Gregory Sloop wrote: > AV> So I’m using dovecot, and I created a self signed certificate > AV> with mkcert.sh based on dovecot-openssl.cnf. The name in there matches > AV> my mail server. > > AV> The first time it connects in mac mail

Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Alef Veld
Great, I’ll try that out. > On 9 Aug 2017, at 17:20, Larry Rosenman wrote: > > Yes, yes, and yes. > > This is what I do for https://webmail.lerctr.org, imap.lerctr.org, > smtp.lerctr.org, et al. > > > -- > Larry Rosenman http://www.lerctr.org/~ler >

Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Alef Veld
Thank you Ralph. I’ll have a look around myself first, don’t want others to waste their time on my homework. Sorry, for some reason I get replies from every individual, so when I reply it sends it to both. I would expect replies to come from dovecot@dovecot.org as well. I will strip the

Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Ralph Seichter
On 09.08.2017 18:18, Alef Veld wrote: > Anyone know of any manual, or can I just replace the certs in the > dovecot and postfix locations with theirs? Do dovecot, postfix and > apache all support .pem format? Google "dovecot letsencrypt" is your friend. ;-) If you have questions about details,

Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Larry Rosenman
Yes, yes, and yes. This is what I do for https://webmail.lerctr.org, imap.lerctr.org, smtp.lerctr.org, et al. -- Larry Rosenman http://www.lerctr.org/~ler

Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Alef Veld
Cheers Remko and Ralph. I think there was some mention in the Let's Encrypt FAQ that certbot doesn't do email. But I understand I can use their generated very for dovecot, postfix and https? That would be good indeed. Anyone know of any manual, or can I just replace the certs in the dovecot and

Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Ralph Seichter
On 09.08.2017 17:49, Alef Veld wrote: > I think let’s encrypt uses certbot though and it can’t do email > certificates (although i’m sure i can convert the cert i get from > let’s encrypt, i’ll look into it. I'm not sure what you mean by "can’t do email certificates"? In any case, Let's Encrypt

Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Remko Lodder
Alef, Certbot creates regular certificates that can be used by dovecot to get a “validated” connection to the mailserver. You obviously need to do the certbot walk to gain the certificate, but if you have it, you can use it for dovecot. Just refer to it in the configuration and you should be

Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Alef Veld
Thanks Ralph, I’ll look into that. I think Let’s Encrypt uses certbot though and it can’t do email certificates (although I’m sure I can convert the cert I get from Let’s Encrypt, I’ll look into it. > On 9 Aug 2017, at 16:40, Ralph Seichter wrote: > > On

Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Alef Veld
Thanks Greg, that makes total sense. Appreciate your reply. On 9 Aug 2017, at 16:39, Gregory Sloop > wrote: AV> So I’m using dovecot, and I created a self signed certificate AV> with mkcert.sh based on dovecot-openssl.cnf. The name in there matches my

Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Gregory Sloop
AV> So I’m using dovecot, and I created a self signed certificate AV> with mkcert.sh based on dovecot-openssl.cnf. The name in there matches my mail server. AV> The first time it connects in mac mail however, it says the AV> certificate is invalid and another server might pretend to be me etc.

Re: is a self signed certificate always invalid the first time?

2017-08-09 Thread Ralph Seichter
On 09.08.2017 17:20, Alef Veld wrote: > So I’m using dovecot, and I created a self signed certificate with > mkcert.sh based on dovecot-openssl.cnf. The name in there matches my > mail server. > > The first time it connects in mac mail however, it says the certificate > is invalid and another