is a self signed certificate always invalid the first time

Stephan von Krawczynski skraw at ithnet.com
Sun Aug 20 18:52:13 EEST 2017


On Sat, 19 Aug 2017 21:39:18 -0400
KT Walrus <kevin at my.walr.us> wrote:

> > On Aug 18, 2017, at 4:05 AM, Stephan von Krawczynski <skraw at ithnet.com>
> > wrote:
> > 
> > On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
> > Joseph Tam <jtam.home at gmail.com> wrote:
> >
> >> Michael Felt <michael at felt.demon.nl> writes:
> >>
> >>>> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
> >>>> written in pure shell script, so no python dependencies.
> >>>> https://github.com/Neilpang/acme.sh
> >>> 
> >>> Thanks - I might look at that, but as Ralph mentions in his reply -
> >>> Let's encrypt certs are only for three months - never ending circus.
> >> 
> >> I wouldn't characterize it as a circus.  Once you bootstrap your first
> >> certificate and install the cert-renew cron script, it's not something
> >> you have to pay a lot of attention to.  I have a few LE certs in use,
> >> and I don't think about it anymore: it just works.
> >> 
> >> The shorter cert lifetime also helps limit damage if your certificate
> >> gets compromised.
> >> 
> >> Joseph Tam <jtam.home at gmail.com>
> > 
> > Obviously you do not use clustered environments with more than one node per
> > service.
> > Else you would not call it "it just works", because in fact the renewal is
> > quite big bs as one node must do the job while all the others must be
> > _offline_.
> > 
> > -- 
> > Regards,
> > Stephan
> 
> I use DNS verification for LE certs. Much better since generating certs only
> depends on access to DNS and not your HTTP servers. Cert generation is
> automatic (on a cron job that runs every night looking for certs that are
> within 30 days of expiration). Once set up, it is pretty much automatic. I
> do use Docker to deploy all services for my website which also makes things
> pretty easy to manage.
> 
> Kevin
> 

DNS verification sounds nice only on first glimpse.
If you have a lot of domains and ought to reload your DNS for every
verification of every single domain that does not look like a method with a
small footprint or particularly elegant.

-- 
Regards,
Stephan
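The nightly check Kevin describes (renew only the certificates that are within 30 days of expiry, and let acme.sh do the DNS-01 validation so no HTTP node has to go offline) can be written as a small cron-driven shell script. This is an added example, not code from the thread or from acme.sh; the certificate directory layout and the acme.sh DNS hook name `dns_cf` are assumptions for illustration.

```shell
#!/bin/sh
# Nightly renewal check for Let's Encrypt certificates.
# Assumed layout (not from the thread): /etc/ssl/le/<domain>/fullchain.pem
# Renewal is delegated to acme.sh using a DNS-01 challenge, so the web or
# mail nodes serving the domain are never touched during validation.

# days_to_seconds DAYS: thresholds are written in days, openssl wants seconds.
days_to_seconds() {
    echo $(( $1 * 86400 ))
}

# cert_needs_renewal CERT DAYS
# Returns 0 when CERT expires within DAYS (renew now), 1 when it is still
# good for longer than DAYS, and 2 when the file cannot be read at all.
cert_needs_renewal() {
    cert="$1"
    days="${2:-30}"
    [ -r "$cert" ] || return 2
    # openssl exits 0 if the cert is still valid after the window, 1 if it
    # will have expired by then; invert that into "needs renewal".
    if openssl x509 -noout -in "$cert" \
        -checkend "$(days_to_seconds "$days")" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_needed DOMAIN [DAYS]
# Only contacts the CA when the certificate is inside the renewal window, so
# a nightly cron entry stays cheap and does not hit rate limits.
renew_if_needed() {
    domain="$1"
    days="${2:-30}"
    cert="/etc/ssl/le/$domain/fullchain.pem"
    cert_needs_renewal "$cert" "$days"
    case $? in
        0) echo "renewing $domain (expires within $days days)"
           # dns_cf is an assumed provider hook; pick the one for your DNS API.
           acme.sh --renew -d "$domain" --dns dns_cf --force ;;
        1) echo "$domain: no renewal needed" ;;
        *) echo "$domain: certificate unreadable, issuing fresh" >&2
           acme.sh --issue --dns dns_cf -d "$domain" ;;
    esac
}

# Example cron line (install with crontab -e):
#   15 3 * * * /usr/local/sbin/le-renew.sh example.org
[ -n "$1" ] && renew_if_needed "$1" 30
```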


More information about the dovecot mailing list