is a self signed certificate always invalid the first time

Larry Rosenman larryrtx at gmail.com
Sun Aug 20 20:44:47 EEST 2017


On 8/20/17, 12:33 PM, "dovecot on behalf of Stephan von Krawczynski" <dovecot-bounces at dovecot.org on behalf of skraw at ithnet.com> wrote:

    On Sun, 20 Aug 2017 12:29:49 -0400
    KT Walrus <kevin at my.walr.us> wrote:
    
    > > On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski <skraw at ithnet.com>
    > > wrote:
    > > 
    > > On Sat, 19 Aug 2017 21:39:18 -0400
    > > KT Walrus <kevin at my.walr.us> wrote:
    > >   
    > >>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski <skraw at ithnet.com>
    > >>> wrote:
    > >>> 
    > >>> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
    > >>> Joseph Tam <jtam.home at gmail.com> wrote:
    > >>>   
    > >>>> Michael Felt <michael at felt.demon.nl> writes:
    > >>>>   
    > >>>>>> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
    > >>>>>> written in pure shell script, so no python dependencies.
    > >>>>>> https://github.com/Neilpang/acme.sh      
    > >>>>> 
    > >>>>> Thanks - I might look at that, but as Ralph mentions in his reply -
    > >>>>> Let's encrypt certs are only for three months - never ending
    > >>>>> circus.      
    > >>>> 
    > >>>> I wouldn't characterize it as a circus.  Once you bootstrap your first
    > >>>> certificate and install the cert-renew cron script, it's not something
    > >>>> you have to pay a lot of attention to.  I have a few LE certs in use,
    > >>>> and I don't think about it anymore: it just works.
    > >>>> 
    > >>>> The shorter cert lifetime also helps limit damage if your certificate
    > >>>> gets compromised.
    > >>>> 
    > >>>> Joseph Tam <jtam.home at gmail.com>    
    > >>> 
    > >>> Obviously you do not use clustered environments with more than one node
    > >>> per service.
    > >>> Else you would not call it "it just works", because in fact the renewal
    > >>> is quite big bs as one node must do the job while all the others must be
    > >>> _offline_.
    > >>> 
    > >>> -- 
    > >>> Regards,
    > >>> Stephan    
    > >> 
    > >> I use DNS verification for LE certs. Much better since generating certs
    > >> only depends on access to DNS and not your HTTP servers. Cert generation
    > >> is automatic (on a cron job that runs every night looking for certs that
    > >> are within 30 days of expiration). Once set up, it is pretty much
    > >> automatic. I do use Docker to deploy all services for my website which
    > >> also makes things pretty easy to manage.
    > >> 
    > >> Kevin
    > >>   
    > > 
    > > DNS verification sounds nice only on first glimpse.
    > > If you have a lot of domains and ought to reload your DNS for every
    > > verification of every single domain that does not look like a method with a
    > > small footprint or particularly elegant.  
    > 
    > I don’t understand what you are trying to say. I have over 170 domains that
    > I generate certs for automatically using the acme.sh script. It is all
    > automatic and requires no “reload your DNS” by me. The script just updates
    > the DNS with a record that Let’s Encrypt checks before issuing the
    > certificate. After Let’s Encrypt verifies that you can update the DNS for
    > your domain with the record, the script removes the record.
    > 
    > This actually works much better than HTTP especially for domains like for
    > email servers that don’t have an HTTP server deployed for them.
    > 
    > Kevin
    
    You can't update a record without reloading configs in bind. I guess you are
    using some other DNS service...
    
    -- 
    Regards,
    Stephan
    
Dynamic DNS Updates do it on the fly.

This is how I have acme.sh set up to do it, and my DHCP, et al.
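The DNS-01 flow the thread describes (publish a `_acme-challenge` TXT record, let the CA check it, remove it) combined with the dynamic DNS update Larry mentions, as an added example written here in Python; it is not acme.sh's own code. The nsupdate server, TSIG key file name, challenge token and JWK values are constructed placeholders.

```python
"""DNS-01 challenge record helper: compute the TXT value and the RFC 2136
dynamic-update batch that adds or removes it without a zone reload."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    # ACME uses unpadded base64url (RFC 8555 section 8.1)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: only the required public members, lexicographically ordered,
    # no whitespace, then SHA-256 of the UTF-8 JSON. Extra members like
    # "alg" or "use" are deliberately ignored.
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    # keyAuthorization = token "." thumbprint; the TXT record carries the
    # base64url SHA-256 of that string (RFC 8555 section 8.4)
    key_authz = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def nsupdate_batch(domain: str, txt_value: str, server: str,
                   remove: bool = False) -> str:
    # Stdin for `nsupdate -k Kacme.+157+NNNNN.private` (placeholder key name).
    # The zone changes in place: no zone-file rewrite, no `rndc reload`.
    # TTL 60 keeps the record from lingering in resolver caches after
    # the CA has validated and the record is deleted again.
    name = f"_acme-challenge.{domain}."
    if remove:
        rr = f'update delete {name} IN TXT "{txt_value}"'  # only this value
    else:
        rr = f'update add {name} 60 IN TXT "{txt_value}"'
    return "\n".join([f"server {server}", rr, "send", ""])


# Constructed placeholders; a real run takes the token from the ACME
# challenge object and the JWK from the ACME account key.
EXAMPLE_JWK = {"kty": "RSA", "n": "0vx7agoebGcQSuuPiLJXZpt", "e": "AQAB",
               "alg": "RS256", "use": "sig"}
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    value = dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_JWK)
    print(nsupdate_batch("example.com", value, "ns1.example.com"))
    print(nsupdate_batch("example.com", value, "ns1.example.com", remove=True))
```

The add batch is sent before asking the CA to validate, the delete batch once the authorization is valid, so the record exists only for the validation window.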