Is a self-signed certificate always invalid the first time?

Ralph Seichter m16+dovecot at monksofcool.net
Sun Aug 20 22:59:35 EEST 2017


On 20.08.2017 19:50, KT Walrus wrote:

> I use Cloudflare (free DNS) and DNS Made Easy (paid DNS). I would never
> run my own DNS service except for communicating between my Docker
> services internally.

I run my own nameservers for various reasons, not the least of them
being DNSSEC. My zones' signing keys never leave my hands.

> If you run your own public DNS service (for your Dovecot domains), you
> should pick one that has an API for updating the DNS records from a
> script like acme.sh or simply write your own custom hook for acme.sh
> to use.

Nameservers like BIND or Unbound can use text-based config files (zone
files), which can be generated on the fly with scripts. Add "rndc
reload" to the mix, and changes can be made instantaneously, without any
special APIs.

What can be a bother is when TTL values are set too high and changes in
the zones take too long to propagate, but that's a general issue, and
when running your own nameservers you can set these values as low as you
require.

-Ralph

P.S.: All this sure is interesting, but way off-topic in regards to
Dovecot. ;-)
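The zone-file-plus-"rndc reload" approach described above, as an added shell example that is not from this thread: a minimal acme.sh-style DNS-01 hook that regenerates a BIND zone file with a low TTL and a bumped SOA serial, writes the _acme-challenge TXT record, and reloads the zone. The zone name, file path, record layout and the deploy_challenge function name are assumptions, not acme.sh's own hook interface.

```shell
#!/bin/sh
# Hypothetical acme.sh-style DNS-01 hook (example code, not from the thread):
# regenerate a BIND zone file from scratch, bump the SOA serial, reload named.
# Zone name, directory and record layout below are assumed placeholders.

ZONE="${ZONE:-example.net}"
ZONEDIR="${ZONEDIR:-/var/named}"   # assumed location of the zone files
TTL="${TTL:-60}"                   # low TTL so challenge records propagate fast

# next_serial PREV -> print a YYYYMMDDnn serial strictly greater than PREV
next_serial() {
    today=$(date -u +%Y%m%d)
    prev="$1"
    if [ "${prev%??}" = "$today" ]; then
        # same day: bump the two-digit counter; the 1xx trick avoids "08"/"09"
        # being parsed as invalid octal by $(( ))
        n=$(( 1${prev#"$today"} - 100 + 1 ))
    else
        n=0
    fi
    printf '%s%02d\n' "$today" "$n"
}

# write_zone FILE SERIAL TXT_VALUE -> emit a complete zone with the challenge
write_zone() {
    cat > "$1" <<EOF
\$TTL $TTL
@   IN SOA ns1.$ZONE. hostmaster.$ZONE. ( $2 3600 900 1209600 $TTL )
    IN NS  ns1.$ZONE.
ns1 IN A   192.0.2.1
_acme-challenge IN TXT "$3"
EOF
}

# deploy_challenge TXT_VALUE -> rewrite the zone, reload it, print new serial
deploy_challenge() {
    file="$ZONEDIR/db.$ZONE"
    if [ -f "$file" ]; then
        prev=$(awk '/SOA/ {print $7}' "$file")   # serial is the 7th field
    else
        prev=0
    fi
    serial=$(next_serial "$prev")
    write_zone "$file" "$serial" "$1"
    # rndc only exists on a real nameserver host; skip the reload elsewhere
    if command -v rndc >/dev/null 2>&1; then
        rndc reload "$ZONE"
    fi
    echo "$serial"
}
```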

