20 Aug 2017, 8:44 p.m.
On 8/20/17, 12:33 PM, "dovecot on behalf of Stephan von Krawczynski" <dovecot-bounces@dovecot.org on behalf of skraw@ithnet.com> wrote:
On Sun, 20 Aug 2017 12:29:49 -0400
KT Walrus <kevin@my.walr.us> wrote:
> > On Aug 20, 2017, at 11:52 AM, Stephan von Krawczynski <skraw@ithnet.com>
> > wrote:
> >
> > On Sat, 19 Aug 2017 21:39:18 -0400
> > KT Walrus <kevin@my.walr.us> wrote:
> >
> >>> On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski <skraw@ithnet.com>
> >>> wrote:
> >>>
> >>> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
> >>> Joseph Tam <jtam.home@gmail.com> wrote:
> >>>
> >>>> Michael Felt <michael@felt.demon.nl> writes:
> >>>>
> >>>>>> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
> >>>>>> written in pure shell script, so no python dependencies.
> >>>>>> https://github.com/Neilpang/acme.sh
> >>>>>
> >>>>> Thanks - I might look at that, but as Ralph mentions in his reply -
> >>>>> Let's encrypt certs are only for three months - never ending
> >>>>> circus.
> >>>>
> >>>> I wouldn't characterize it as a circus. Once you bootstrap your first
> >>>> certificate and install the cert-renew cron script, it's not something
> >>>> you have to pay a lot of attention to. I have a few LE certs in use,
> >>>> and I don't think about it anymore: it just works.
> >>>>
> >>>> The shorter cert lifetime also helps limit damage if your certificate
> >>>> gets compromised.
> >>>>
> >>>> Joseph Tam <jtam.home@gmail.com>
> >>>
> >>> Obviously you do not use clustered environments with more than one node
> >>> per service.
> >>> Else you would not call it "it just works", because in fact the renewal
> >>> is quite big bs as one node must do the job while all the others must be
> >>> _offline_.
> >>>
> >>> --
> >>> Regards,
> >>> Stephan
> >>
> >> I use DNS verification for LE certs. Much better since generating certs
> >> only depends on access to DNS and not your HTTP servers. Cert generation
> >> is automatic (on a cron job that runs every night looking for certs that
> >> are within 30 days of expiration). Once set up, it is pretty much
> >> automatic. I do use Docker to deploy all services for my website which
> >> also makes things pretty easy to manage.
> >>
> >> Kevin
> >>
> >
> > DNS verification sounds nice only on first glimpse.
> > If you have a lot of domains and ought to reload your DNS for every
> > verification of every single domain that does not look like a method with a
> > small footprint or particularly elegant.
>
> I don’t understand what you are trying to say. I have over 170 domains that
> I generate certs for automatically using the acme.sh script. It is all
> automatic and requires no “reload your DNS” by me. The script just updates
> the DNS with a record that Let’s Encrypt checks before issuing the
> certificate. After Let’s Encrypt verifies that you can update the DNS for
> your domain with the record, the script removes the record.
>
> This actually works much better than HTTP especially for domains like for
> email servers that don’t have an HTTP server deployed for them.
>
> Kevin
You can't update a record without reloading configs in bind. I guess you are
using some other DNS service...
--
Regards,
Stephan
Dynamic DNS Updates do it on the fly.
This is how I have acme.sh set up to do it, and my DHCP, et al.
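As an added example, not code from this thread or from acme.sh itself: a hook in acme.sh's `dns_<name>_add` / `dns_<name>_rm` calling convention that publishes and removes the `_acme-challenge` TXT record through an RFC 2136 dynamic update via `nsupdate`, which is how a running BIND takes the record without a zone-file edit or config reload. The primary's hostname, the TSIG key path and the `dns_rfc2136_*` hook name are assumed placeholders, not acme.sh's own.

```shell
#!/bin/sh
# Added example, not from the thread or from acme.sh: an acme.sh-style
# DNS-01 hook that adds/removes the _acme-challenge TXT record through an
# RFC 2136 dynamic update (nsupdate), so the running nameserver accepts
# the change without a zone-file edit or config reload.
# Assumed placeholders: the primary's name, the TSIG key file and the
# dns_rfc2136_* hook name are this example's own, not acme.sh's.

DDNS_SERVER="${DDNS_SERVER:-ns1.example.com}"   # assumed primary nameserver
DDNS_KEY="${DDNS_KEY:-/etc/acme/tsig.key}"      # assumed TSIG key file
CHALLENGE_TTL=60                                # short TTL: record is temporary

# Print the nsupdate batch for one action.
# Usage: build_update <add|delete> <fulldomain> <txtvalue>
build_update() {
  action="$1"; name="${2%.}"; txtvalue="$3"   # strip a trailing dot, re-add below
  case "$action" in
    add|delete) ;;
    *) echo "build_update: bad action '$action'" >&2; return 1 ;;
  esac
  [ -n "$name" ] || { echo "build_update: empty record name" >&2; return 1; }
  # The ACME token is base64url, so a valid value never contains quotes or
  # whitespace; reject anything else instead of emitting a malformed record.
  case "$txtvalue" in
    ""|*[!A-Za-z0-9_-]*) echo "build_update: bad txt value" >&2; return 1 ;;
  esac
  printf 'server %s 53\n' "$DDNS_SERVER"
  if [ "$action" = add ]; then
    printf 'update add %s. %s IN TXT "%s"\n' "$name" "$CHALLENGE_TTL" "$txtvalue"
  else
    printf 'update delete %s. IN TXT "%s"\n' "$name" "$txtvalue"
  fi
  printf 'send\n'
}

# acme.sh calls hooks as: dns_<name>_add <fulldomain> <txtvalue>
#                         dns_<name>_rm  <fulldomain> <txtvalue>
# The batch is built first so a rejected value never reaches nsupdate.
dns_rfc2136_add() {
  batch=$(build_update add "$1" "$2") || return 1
  printf '%s\n' "$batch" | nsupdate -k "$DDNS_KEY"
}
dns_rfc2136_rm() {
  batch=$(build_update delete "$1" "$2") || return 1
  printf '%s\n' "$batch" | nsupdate -k "$DDNS_KEY"
}

# Stand-alone demo with a constructed token: show the batch that would be sent.
build_update add "_acme-challenge.mail.example.com" "constructed-token_01"
```

Pointing `DDNS_SERVER` at the primary (not a secondary) matters, since only the primary accepts the signed update and the secondaries receive it by normal zone transfer.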