a question about certificates from letsencrypt

Sven Strickroth sven at cs-ware.de
Fri Aug 19 13:30:45 UTC 2016


Hi,

On 08/19/2016 03:11 PM, Andreas Meyer wrote:
> Certificates from letsencrypt are renewed every three months.

I'm using a Let's Encrypt certificate w/o problems for > 6 months now
(three times renewed) for web, SMTP and IMAP. As I'm also using DANE I
wrote my own script for also updating the TLSA records. I don't
recommend using the official CertBot client, but rather a different one (I
use acmetiny; see
https://community.letsencrypt.org/t/list-of-client-implementations/2103?u=mrtux
for a list).

On 19.08.2016 at 14:40, Adrian Minta wrote:
> The cert doesn't work with old clients.

What do you understand by old?

Ok, Windows XP clients might be problematic regarding SNI and used
ciphers, but starting with Vista all clients which use the Windows
CryptoAPI and Trust Store are working.

Take Mozilla: there it has been supported since Firefox 2.0 (I don't know
right now which is the corresponding Thunderbird version, but I expect
it to be supported since really early versions).

Java clients are problematic as you need the latest version.

Android works with >= 2.3.6 and iOS >= 3.1.

See
https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394?u=mrtux
for a fuller list and feel free to report more working or not working
clients, I'll add them there.

MTAs usually don't validate the certificates, so there should be no problem.

-- 
Best regards,
 Sven Strickroth
 PGP key id F5A9D4C4 @ any key-server

