You can also setup web server to handle auth for particular domain or use certbot's standalone auth, but in that case, 80 or 443 port must be free to allow certbot's temporary web server to run on that port.

-- KSB

On 2017.03.03. 20:08, Larry Rosenman wrote:

I have DNS setup as my auth, and use nsupdate to let it get the token.

On 3/3/17, 12:07 PM, "dovecot on behalf of David Mehler" wrote:

Hello,

I know some users here are using letsencrypt for their CA. If this is
to off topic write me privately.

I'm wanting letsencrypt to take over as my CA, replacing existing self
signed certificates. I've got web working, a certificate for https
sites and one for webmail as they have different names. What I'm now
wanting to do is get letsencrypt going for my email setup, the smtp
handled by postfix, but mail, and imap I believe are handled by
dovecot.

With the web it was easy just let apache serve the token that
letsencrypt needed and I got certificates. How do I do this with
regards email?

I hope that's clear.

Any help appreciated.

Thanks.
Dave.

Hello,

Thanks. Is there another way of doing this? I've got a web server running on 80 and 443. Are there any other options?

Thanks. Dave.

On 3/3/17, Michael Neurohr mine@michi.su wrote:

On 2017-03-03 19:07, David Mehler wrote:

...

Hello,

I know some users here are using letsencrypt for their CA. If this is to off topic write me privately.

I'm wanting letsencrypt to take over as my CA, replacing existing self signed certificates. I've got web working, a certificate for https sites and one for webmail as they have different names. What I'm now wanting to do is get letsencrypt going for my email setup, the smtp handled by postfix, but mail, and imap I believe are handled by dovecot.

With the web it was easy just let apache serve the token that letsencrypt needed and I got certificates. How do I do this with regards email?

You can use certbot. It has a built in webserver. It allows you to retrieve and renew the certificates automatically. I'm using it for Dovecot and Postfix.

See https://certbot.eff.org/

I'm doing everything with the following command:

certbot/certbot-auto certonly --no-self-upgrade --standalone -n --rsa-key-size 4096 -d domain1.example.com -d domain2.example.com --pre-hook scripts/letsencrypt-pre-hook.sh --post-hook scripts/letsencrypt-post-hook.sh

With the pre-hook and post-hook scripts I make sure to open and close the firewall on port 443, and to reload Postfix and Dovecot in case a certificate was update.

You can find all information about the flags that I'm using at https://certbot.eff.org/docs/using.html

Michael

Hello, Have you considered running getssl bash script? It is well documented, self-updates automatically, supports https, imaps, pop3s, ... and can push validation tokens to your web server using rsync, ftp, ... See https://github.com/srvrco/getssl/blob/master/README.md Cheers

On 03/03/2017 08:22 PM, David Mehler wrote:

Hello,

Thanks. Is there another way of doing this? I've got a web server running on 80 and 443. Are there any other options?

Thanks. Dave.

On 3/3/17, Michael Neurohr mine@michi.su wrote:

...

On 2017-03-03 19:07, David Mehler wrote:

...

Hello,

I know some users here are using letsencrypt for their CA. If this is to off topic write me privately.

I'm wanting letsencrypt to take over as my CA, replacing existing self signed certificates. I've got web working, a certificate for https sites and one for webmail as they have different names. What I'm now wanting to do is get letsencrypt going for my email setup, the smtp handled by postfix, but mail, and imap I believe are handled by dovecot.

With the web it was easy just let apache serve the token that letsencrypt needed and I got certificates. How do I do this with regards email? You can use certbot. It has a built in webserver. It allows you to retrieve and renew the certificates automatically. I'm using it for Dovecot and Postfix.

See https://certbot.eff.org/

I'm doing everything with the following command:

certbot/certbot-auto certonly --no-self-upgrade --standalone -n --rsa-key-size 4096 -d domain1.example.com -d domain2.example.com --pre-hook scripts/letsencrypt-pre-hook.sh --post-hook scripts/letsencrypt-post-hook.sh

With the pre-hook and post-hook scripts I make sure to open and close the firewall on port 443, and to reload Postfix and Dovecot in case a certificate was update.

You can find all information about the flags that I'm using at https://certbot.eff.org/docs/using.html

Michael