On 2017-03-03 19:07, David Mehler wrote:
Hello,
I know some users here are using letsencrypt for their CA. If this is too off topic, write me privately.
I'm wanting letsencrypt to take over as my CA, replacing existing self signed certificates. I've got web working, a certificate for https sites and one for webmail as they have different names. What I'm now wanting to do is get letsencrypt going for my email setup, the smtp handled by postfix, but mail, and imap I believe are handled by dovecot.
With the web it was easy: just let apache serve the token that letsencrypt needed and I got certificates. How do I do this with regards to email?
You can use certbot. It has a built-in webserver. It allows you to retrieve and renew the certificates automatically. I'm using it for Dovecot and Postfix.
I'm doing everything with the following command:
certbot/certbot-auto certonly --no-self-upgrade --standalone -n --rsa-key-size 4096 -d domain1.example.com -d domain2.example.com --pre-hook scripts/letsencrypt-pre-hook.sh --post-hook scripts/letsencrypt-post-hook.sh
With the pre-hook and post-hook scripts I make sure to open and close the firewall on port 443, and to reload Postfix and Dovecot in case a certificate was updated.
You can find all information about the flags that I'm using at https://certbot.eff.org/docs/using.html
Michael
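
The hook pair described in the reply above, as an added example that is not Michael's own script: one file called as `le-hook.sh pre` and `le-hook.sh post`, which reloads Postfix and Dovecot only when the certificate file actually changed. Assumptions: the script name, the `STAMP` path, iptables as the firewall, and certbot's default `/etc/letsencrypt/live/` layout; `DRY_RUN=1` (the default here) only prints the commands.

```shell
#!/bin/sh
# Added example (hypothetical le-hook.sh); all paths below are assumed defaults.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/domain1.example.com}"
STAMP="${STAMP:-/var/lib/le-hook.stamp}"   # checksum of the cert at last reload
DRY_RUN="${DRY_RUN:-1}"                    # set to 0 to really execute commands

# Execute a command, or only print it when in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "would run: $*"; else "$@"; fi
}

# Port 443 is open only while certbot's standalone server is answering.
open_port()  { run iptables -I INPUT -p tcp --dport 443 -j ACCEPT; }
close_port() { run iptables -D INPUT -p tcp --dport 443 -j ACCEPT; }

# Returns 0 if fullchain.pem differs from the recorded checksum,
# 1 if unchanged, 2 if the certificate is missing or unreadable.
# cksum is used for change detection only, not as an integrity check.
cert_changed() {
    [ -r "$LIVE_DIR/fullchain.pem" ] || return 2
    new=$(cksum < "$LIVE_DIR/fullchain.pem")
    old=$(cat "$STAMP" 2>/dev/null || true)
    [ "$new" != "$old" ]
}

# Always close the port again; reload the mail daemons only for a new cert.
post_hook() {
    close_port
    if cert_changed; then
        run postfix reload
        run doveadm reload
        cksum < "$LIVE_DIR/fullchain.pem" > "$STAMP"
    fi
}

case "${1:-}" in
    pre)  open_port ;;
    post) post_hook ;;
esac
```

It would be wired in as `--pre-hook "scripts/le-hook.sh pre" --post-hook "scripts/le-hook.sh post"`, with `DRY_RUN=0` exported once the printed commands look right.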