is a self signed certificate always invalid the first time

Richard Hector richard at walnut.gen.nz
Sun Aug 20 03:26:21 EEST 2017


On 18/08/17 20:05, Stephan von Krawczynski wrote:
> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
> Joseph Tam <jtam.home at gmail.com> wrote:
> 
>> Michael Felt <michael at felt.demon.nl> writes:
>>
>>>> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
>>>> written in pure shell script, so no python dependencies.
>>>> https://github.com/Neilpang/acme.sh  
>>>
>>> Thanks - I might look at that, but as Ralph mentions in his reply -
>>> Let's encrypt certs are only for three months - never ending circus.  
>>
>> I wouldn't characterize it as a circus.  Once you bootstrap your first
>> certificate and install the cert-renew cron script, it's not something
>> you have to pay a lot of attention to.  I have a few LE certs in use,
>> and I don't think about it anymore: it just works.
>>
>> The shorter cert lifetime also helps limit damage if your certificate
>> gets compromised.
>>
>> Joseph Tam <jtam.home at gmail.com>
> 
> Obviously you do not use clustered environments with more than one node per
> service.
> Else you would not call it "it just works", because in fact the renewal is
> quite big bs as one node must do the job while all the others must be
> _offline_.
> 

Couldn't the others just proxy to the one, for the .well-known
directory? They can continue serving up the rest of the site fine, surely?

I've worked with clusters, and with LE/certbot, but not yet both together.

Richard



More information about the dovecot mailing list