Multiple SSL-Certificates/Domains setup not working
I've tried setting up multiple SSL-Certificates (using letsencrypt) for dovecot on my ubuntu machine. Used dovecot version is 2.2.18.
Regarding to official docs this should be working.
My test-client (Thunderbird on linux) has been mentioned to be working fine with SNI here: https://wiki.dovecot.org/SSL/SNIClientSupport
https://wiki.dovecot.org/SSL/DovecotConfiguration#line-89
local_name imap.example.org { ssl_cert = </etc/ssl/certs/imap.example.org.crt ssl_key = </etc/ssl/private/imap.example.org.key } local_name imap.example2.org { ssl_cert = </etc/ssl/certs/imap.example2.org.crt ssl_key = </etc/ssl/private/imap.example2.org.key }
Did anyone have success on this (without using multiple IP per Domain)?
-- Best regards
Gabriel Kaufmann
I understood that imap.example.org and imap.example2.org are reachable from the Internet via the same IP, right ? In that case just extend the certificate (probably with certbot) with the second domainname. yours sincerely Robert
Am 19. Februar 2018 03:41:18 MEZ schrieb Gabriel Kaufmann <mailings@typoworx.com>:
I've tried setting up multiple SSL-Certificates (using letsencrypt) for
dovecot on my ubuntu machine. Used dovecot version is 2.2.18.
Regarding to official docs this should be working.
My test-client (Thunderbird on linux) has been mentioned to be working fine with SNI here: https://wiki.dovecot.org/SSL/SNIClientSupport
https://wiki.dovecot.org/SSL/DovecotConfiguration#line-89
local_name imap.example.org { ssl_cert = </etc/ssl/certs/imap.example.org.crt ssl_key = </etc/ssl/private/imap.example.org.key } local_name imap.example2.org { ssl_cert = </etc/ssl/certs/imap.example2.org.crt ssl_key = </etc/ssl/private/imap.example2.org.key }
Did anyone have success on this (without using multiple IP per Domain)?
-- Best regards
Gabriel Kaufmann
mit freundlichen Grüßen Ing. Robert Nowotny (von Mobile)
I've tried to create an certbot SAN-Cert with multiple domain-names and this worked like a charm using one cert for all! Thanks!
Best regards
Gabriel Kaufmann
Could you write step by step how you reach the goal?
2018-02-22 15:55 GMT+01:00 Gabriel Kaufmann <mailings@typoworx.com>:
I've tried to create an certbot SAN-Cert with multiple domain-names and this worked like a charm using one cert for all! Thanks!
Best regards
Gabriel Kaufmann
--
*Pozdrawiam / Best Regards* *Piotr Bracha*
I have gone down a similar path. Certbot uses the Lets Encrypt service to manage the needed keys. I have found that using the following Bash tool to manage the creation and validation of the needed certs works great.
<https://github.com/Neilpang/acme.sh>
We deploy Dovecot to AWS, as such we use userdata scripts to execute the above mentioned tool....
pushd /opt/
sudo git clone https://github.com/Neilpang/acme.sh.git
pushd acme.sh
sudo --preserve-env ./acme.sh --install --accountemail domains@<your-domain>.com --certhome /opt/letsencrypt
export AWS_ACCESS_KEY_ID=${LetsEncryptAccessKey}
export AWS_SECRET_ACCESS_KEY=${LetsEncryptSecretKey}
sudo --preserve-env ./acme.sh --issue \
--dns dns_aws \
--dnssleep 60 \
--staging \
-d mail.yourdomain.com
The above commands perform the following...
\- clone the tool
\- setup the tool
\- export API keys (hard to work around this with IAM only applied to the EC2 instance)
\- run the tool using the Lets Encrypt staging endpoints. This is important since Lets Encrypt rate limits their production APIs, and since we deploy to AWS often, we potentially request many certs.
\- the "--dns dns_aws" flag tells the tool to use DNS records to perform the validation of ownership requests from Let Encrypt. TXT records are added, then removed to the Hosted Zone of mail.yourdomain.com.
Upon successful execution of the tool both the ".csr", ".key" and fullchain keys are available for use within Dovecot.
Note: These keys are only valid ~3 months, so this process does need to be maintained. The author of the tool has included a CRON to aid in this.
Hopefully this help others.
On Feb 22 2018, at 10:58 am, Poliman - Serwis <serwis@poliman.pl> wrote:
Could you write step by step how you reach the goal?
2018-02-22 15:55 GMT+01:00 Gabriel Kaufmann <mailings@typoworx.com>:
I've tried to create an certbot SAN-Cert with multiple domain-names and this worked like a charm using one cert for all! Thanks!
Best regards
Gabriel Kaufmann
\--
_Pozdrawiam / Best Regards
_
_Piotr Bracha_
Could you write step by step how you reach the goal?
2018-02-22 15:55 GMT+01:00 Gabriel Kaufmann <mailings@typoworx.com <mailto:mailings@typoworx.com>>:
I've tried to create an certbot SAN-Cert with multiple domain-names and this worked like a charm using one cert for all! Thanks!
Shure :)
At first you should have a working Certbot of course. Setup for this depends on your Server-Setup of course. Certbot requires access due to "standalone-http(s)" mode of certbot or access through apache/nginx/haproxy (works as well if setup correctly). I'm using each of these variants.
Assuming you have a working setup and certbot-services can access your certbot service (running as http/s while certbot is running) the SAN setup is quit easy:
$> certbot -d domain1.com -d domain2.com -d domain3.com
if running in non-standalone mode (running apache/nginx) you can tell Certbot where the auth-tokens are stored to for external domain-approval:
-w /var/www/my-web-root With the syntax given above the SAN-Cert for all given domains is stored in /etc/letsencrypt/live/domain1/
standalone-mode and web-root also can be configured in /etc/letsencrypt/cli.ini (https://community.letsencrypt.org/t/lestencrypt-standalone-cli-ini/43465)
Best regards
Gabriel Kaufmann
participants (4)
-
Gabriel Kaufmann
-
Poliman - Serwis
-
Robert Nowotny
-
Travis Dolan