a question about certificates from letsencrypt
Hello!
Certificates from Let's Encrypt are renewed every three months.
Does that mean a MUA has to accept the renewed certificates manually every time it is renewed?
Sorry if this is OT!
Greetings
Andreas
On 19.08.2016 15:11, Andreas Meyer wrote:
Depends how your MUA validates the certificate.
If it just checks the CA, then no. Also I don't think the private key changes, so it should not cause a recheck either. Other checks, maybe.
Aki
On 19.08.2016 14:12, Aki Tuomi wrote:
Depends how your MUA validates the certificate.
If it just checks CA, then no. Also I don't think the private key changes, so it should not cause recheck either. Other checks, maybe.
Last time I checked, the LetsEncrypt client generated a fresh key pair whenever the user requested a certificate to be renewed, unless the user explicitly opted to use the existing keys (which required some extra configuration). That should not matter much for Dovecot or other IMAP servers, but it is very important for Mail Exchangers when using DANE.
-Ralph
The cert doesn't work with old clients.
On 08/19/2016 03:11 PM, Andreas Meyer wrote:
-- Best regards, Adrian Minta
Hi,
On 08/19/2016 03:11 PM, Andreas Meyer wrote:
Certificates from letsencrypt are renewed every three months.
I'm using a Let's Encrypt certificate w/o problems for > 6 months now (renewed three times) for web, SMTP and IMAP. As I'm also using DANE, I wrote my own script for also updating the TLSA records. I don't recommend using the official Certbot client; I use a different one (acmetiny; see https://community.letsencrypt.org/t/list-of-client-implementations/2103?u=mr... for a list).
Am 19.08.2016 um 14:40 schrieb Adrian Minta:
The cert doesn't work with old clients.
What do you mean by old?
Ok, Windows XP clients might be problematic regarding SNI and the ciphers used, but starting with Vista all clients which use the Windows CryptoAPI and Trust Store are working.
Take Mozilla: there it is supported since Firefox 2.0 (I don't know right now which is the corresponding Thunderbird version, but I expect it to be supported since really early versions).
Java clients are problematic as you need the latest version.
Android works with >= 2.3.6 and iOS >= 3.1.
See https://community.letsencrypt.org/t/which-browsers-and-operating-systems-sup... for a fuller list and feel free to report more working or not working clients, I'll add them there.
MTAs usually don't validate the certificates, so there should be no problem.
-- Best regards, Sven Strickroth PGP key id F5A9D4C4 @ any key-server
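Added example (not code from this thread or from any Let's Encrypt client): Ralph's point that a renewal with a fresh key pair breaks DANE, and Sven's script for updating TLSA records, both come down to whether the SubjectPublicKeyInfo digest changes. The script below generates three self-signed certificates for the constructed name mail.example.org (the original, a renewal that reuses the key, and a renewal with a new key), computes the TLSA "3 1 1" (DANE-EE, SPKI, SHA-256) and "3 0 1" (full certificate) digests with openssl, and offers a check you can run before installing a renewed certificate on an MX that publishes TLSA. Only openssl and the usual POSIX tools are assumed.

```shell
#!/bin/sh
# Added example: DANE TLSA digests across Let's Encrypt style renewals.
# Assumes openssl (1.1.x or 3.x); all certificates are constructed here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# TLSA 3 1 1: SHA-256 over the DER SubjectPublicKeyInfo of the end-entity cert.
# Unchanged by renewal as long as the key pair is kept.
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | sed 's/^.*= *//'
}

# TLSA 3 0 1: SHA-256 over the full DER certificate.
# Changes on every renewal (new serial, new validity, new signature).
tlsa_301() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Exit 0 when the renewed cert ($2) still matches the 3 1 1 record published
# for the current cert ($1); exit 1 when the TLSA record must be updated first.
renewal_safe_for_tlsa() {
    [ "$(tlsa_311 "$1")" = "$(tlsa_311 "$2")" ]
}

# Print the record line an operator would publish for port 25 of the given name.
tlsa_record() {
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$(tlsa_311 "$1")"
}

make_certs() {
    # original issuance: fresh key pair and certificate
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key1.pem" \
        -out "$WORK/cert1.pem" -subj /CN=mail.example.org -days 90 >/dev/null 2>&1
    # renewal A: same key pair, new certificate (what a DANE operator wants)
    openssl req -x509 -key "$WORK/key1.pem" \
        -out "$WORK/cert2.pem" -subj /CN=mail.example.org -days 90 >/dev/null 2>&1
    # renewal B: fresh key pair (the client default Ralph describes)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key3.pem" \
        -out "$WORK/cert3.pem" -subj /CN=mail.example.org -days 90 >/dev/null 2>&1
}

main() {
    make_certs
    tlsa_record "$WORK/cert1.pem" mail.example.org
    for c in cert2 cert3; do
        if renewal_safe_for_tlsa "$WORK/cert1.pem" "$WORK/$c.pem"; then
            echo "$c: key kept, published 3 1 1 record still valid"
        else
            echo "$c: key changed, publish a new TLSA record before switching"
        fi
    done
}

case "$0" in *tlsa*) main ;; esac
```

The 3 0 1 digest differs between cert1 and cert2 even though the key is the same, which is why operators who want zero DNS work per renewal pin the SPKI (3 1 1) and keep the key. If the key does change, publish the new record alongside the old one and wait for the old record's TTL to expire before the renewed certificate goes live; the check above is the one to put in front of the reload step.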
On 08/19/2016 04:30 PM, Sven Strickroth wrote:
I did encounter some problems last year with Outlook on older Windows XP machines. The problem seems to be discussed here: https://community.letsencrypt.org/t/help-needed-windows-xp-support/8756 https://community.letsencrypt.org/t/upcoming-intermediate-changes/13106
-- Best regards, Adrian Minta
Hi Andreas,
On 19/08/2016 10:11 PM, Andreas Meyer wrote:
Hello!
Certificates from letsencrypt are renewed every three months.
Does that mean a MUA has to accept the renewed certificates manually everytime it is renewed?
No, if the certificate is not a self-signed one, and if the MUA can follow the normal CA path, then there is no need to "accept" certs (same as in the browser).
Cheers AndrewM