dovecot 2.3.x, ECC and wildcard certificates, any issues
Felipe Gasper
felipe at felipegasper.com
Mon Jul 30 20:52:33 EEST 2018
FWIW, it’s relatively straightforward to do this with my Perl ACME implementation, Net::ACME2.
You’ll get your first certificate order using one key, then request another certificate with the other key.
-FG
> On Jul 30, 2018, at 1:49 PM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
> I don't know how to get both RSA and ECC cert from letsencrypt.
>
> Aki
>
>> On 30 July 2018 at 20:43 David Mehler <dave.mehler at gmail.com> wrote:
>>
>>
>> Hello,
>>
>> What acme implementation do you use for your letsencrypt certificates?
>> If it's acme.sh how do you get both rsa and ecc certificates? What
>> configuration options are you using in your configuration of services
>> to allow access to both rsa and ecc?
>>
>> Thanks.
>> Dave.
>>
>>
>> On 7/30/18, David Mehler <dave.mehler at gmail.com> wrote:
>>> Hello,
>>>
>>> The client in question is the latest version of AquaMail running on
>>> android.
>>>
>>> Thanks.
>>> Dave.
>>>
>>>
>>> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>>> You should, in practice, enable both. This gives best client compatibility.
>>>> It is possible you have clients that cannot understand ECC certificates? You
>>>> can use ssl_alt_cert to provide RSA cert too.
>>>>
>>>> Aki
>>>>
>>>>> On 30 July 2018 at 20:05 David Mehler <dave.mehler at gmail.com> wrote:
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks, good news is that worked. Bad news is it all looks good which
>>>>> means I do not know why my remote clients can't get their email,
>>>>> looked like from the logs it was that.
>>>>>
>>>>> Would 143 be better or 993 for the external clients?
>>>>>
>>>>> Thanks.
>>>>> Dave.
>>>>>
>>>>>
>>>>> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>>>>>
>>>>>>> On 30 July 2018 at 19:16 David Mehler <dave.mehler at gmail.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Does dovecot 2.3.x have any issues recognizing or using certificates
>>>>>>> that are ECC and wildcard? I'm trying to switch my letsencrypt
>>>>>>> implementation from acme-client which does not support either of those
>>>>>>> capabilities to acme.sh which does. Since then external clients
>>>>>>> checking their email has not worked. A manual telnet to
>>>>>>> mail.example.com 993 gives a connected message but then nothing no
>>>>>>> greeting or capabilities.
>>>>>>>
>>>>>>> The certificate is for example.com with an alt name of *.example.com
>>>>>>> if that's not right let me know, I'm not sure about that one,
>>>>>>> connecting to the web sites of these pages seems noticeably slower,
>>>>>>> I'm wondering if both of these issues aren't key related?
>>>>>>>
>>>>>>> Thanks.
>>>>>>> Dave.
>>>>>>
>>>>>> These both should be fine.
>>>>>>
>>>>>> Port 993 is TLS encrypted, you should use
>>>>>> openssl s_client -connect server:993
>>>>>>
>>>>>> Aki
>>>>>>
>>>>
>>>
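
Added example, not part of any message in this thread: one way to confirm that a listener configured with both ssl_cert and ssl_alt_cert really hands an ECC certificate to ECDSA-capable clients and an RSA certificate to RSA-only clients, building on the `openssl s_client` check suggested above. The function names are hypothetical, and the script assumes bash and OpenSSL 1.1.1 or later (for the `RSA-PSS+SHA256` signature algorithm name).

```bash
#!/usr/bin/env bash
# Added example (not from the thread): verify that an IMAPS listener serves
# both an ECDSA and an RSA certificate, depending on what the client offers.
# Function names are hypothetical; assumes OpenSSL 1.1.1 or later.

# Read `openssl x509 -noout -text` output on stdin and print the key type of
# the certificate: rsa, ecdsa, unknown, or none when no certificate was seen.
classify_pubkey_alg() {
  local alg
  alg=$(awk -F': *' '/Public Key Algorithm:/ { print $2; exit }')
  case "$alg" in
    rsaEncryption)  echo rsa ;;
    id-ecPublicKey) echo ecdsa ;;
    '')             echo none ;;     # handshake failed or no certificate sent
    *)              echo unknown ;;
  esac
}

# Connect while offering only the given signature algorithms, then classify
# the leaf certificate the server chose for that client.
probe_cert() {  # usage: probe_cert host:port sigalgs
  openssl s_client -connect "$1" -servername "${1%:*}" -sigalgs "$2" \
      </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | classify_pubkey_alg
}

# Succeeds only if each kind of client receives the matching certificate.
check_dual() {  # usage: check_dual host:port
  local ec rsa
  ec=$(probe_cert "$1" 'ECDSA+SHA256:ECDSA+SHA384')
  rsa=$(probe_cert "$1" 'RSA-PSS+SHA256:RSA+SHA256')
  echo "ECDSA-only client received: $ec"
  echo "RSA-only client received:   $rsa"
  [ "$ec" = ecdsa ] && [ "$rsa" = rsa ]
}

# Run the check only when a target is given, e.g. ./check.sh mail.example.com:993
if [ "$#" -gt 0 ]; then
  check_dual "$1"
fi
```

A result of `none` for the RSA-only probe means the handshake failed for that client class, which is the situation an RSA-only mail client would be in when only an ECC certificate is configured.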