I have gone down a similar path. Certbot uses the Lets Encrypt service to manage the needed keys. I have found that using the following Bash tool to manage the creation and validation of the needed certs works great.
https://github.com/Neilpang/acme.sh
We deploy Dovecot to AWS, as such we use userdata scripts to execute the above mentioned tool....
pushd /opt/
sudo git clone https://github.com/Neilpang/acme.sh.git
pushd acme.sh
sudo --preserve-env ./acme.sh --install --accountemail domains@<your-domain>.com --certhome /opt/letsencrypt
export AWS_ACCESS_KEY_ID=${LetsEncryptAccessKey}
export AWS_SECRET_ACCESS_KEY=${LetsEncryptSecretKey}
sudo --preserve-env ./acme.sh --issue \
--dns dns_aws \
--dnssleep 60 \
--staging \
-d mail.yourdomain.com
The above commands perform the following...
\- clone the tool
\- setup the tool
\- export API keys (hard to work around this with IAM only applied to the EC2 instance)
\- run the tool using the Lets Encrypt staging endpoints. This is important since Lets Encrypt rate limits their production APIs, and since we deploy to AWS often, we potentially request many certs.
\- the "--dns dns_aws" flag tells the tool to use DNS records to perform the validation of ownership requests from Let Encrypt. TXT records are added, then removed to the Hosted Zone of mail.yourdomain.com.
Upon successful execution of the tool both the ".csr", ".key" and fullchain keys are available for use within Dovecot.
Note: These keys are only valid ~3 months, so this process does need to be maintained. The author of the tool has included a CRON to aid in this.
Hopefully this help others.
On Feb 22 2018, at 10:58 am, Poliman - Serwis serwis@poliman.pl wrote:
Could you write step by step how you reach the goal?
2018-02-22 15:55 GMT+01:00 Gabriel Kaufmann <mailings@typoworx.com>:
I've tried to create an certbot SAN-Cert with multiple domain-names and this worked like a charm using one cert for all! Thanks!
Best regards
Gabriel Kaufmann
\--
_Pozdrawiam / Best Regards
_
_Piotr Bracha_