dovecot 2.3.x, ECC and wildcard certificates, any issues

Felipe Gasper felipe at felipegasper.com
Mon Jul 30 20:52:33 EEST 2018 

FWIW, it’s relatively straightforward to do this with my Perl ACME implementation, Net::ACME2.

You’ll get your first certificate order using one key, then request another certificate with the other key.

-FG

> On Jul 30, 2018, at 1:49 PM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> 
> I don't know how to get both RSA and ECC cert from letsencrypt.
> 
> Aki
> 
>> On 30 July 2018 at 20:43 David Mehler <dave.mehler at gmail.com> wrote:
>> 
>> 
>> Hello,
>> 
>> What acme implementation do you use for your letsencrypt certificates?
>> If it's acme.sh how do you get both rsa and ecc certificates? What
>> configuration options are you using in your configuration of services
>> to allow access to both rsa and ecc?
>> 
>> Thanks.
>> Dave.
>> 
>> 
>> On 7/30/18, David Mehler <dave.mehler at gmail.com> wrote:
>>> Hello,
>>> 
>>> The client in question is the latest version of AquaMail running on
>>> android.
>>> 
>>> Thanks.
>>> Dave.
>>> 
>>> 
>>> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>>> You should, in practice, enable both. This gives best client compability.
>>>> It
>>>> is possible you have clients that cannot understand ECC certificates? You
>>>> can use ssl_alt_cert to provide RSA cert too.
>>>> 
>>>> Aki
>>>> 
>>>>> On 30 July 2018 at 20:05 David Mehler <dave.mehler at gmail.com> wrote:
>>>>> 
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> Thanks, good news is that worked. Bad news is it all looks good which
>>>>> means I do not know hwhy my remote clients can't get their email,
>>>>> looked like from the logs it was that.
>>>>> 
>>>>> Would 143 be better or 993 for the external clients?
>>>>> 
>>>>> Thanks.
>>>>> Dave.
>>>>> 
>>>>> 
>>>>> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>>>>> 
>>>>>>> On 30 July 2018 at 19:16 David Mehler <dave.mehler at gmail.com> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>> Hello,
>>>>>>> 
>>>>>>> Does dovecot 2.3.x have any issues recognizing or using certificates
>>>>>>> that are ECC and wildcard? I'm trying to switch my letsencrypt
>>>>>>> implementation from acme-client which does not support either of
>>>>>>> those
>>>>>>> capabilities to acme.sh which does. Since then external clients
>>>>>>> checking their email has not worked. A manual telnet to
>>>>>>> mail.example.com 993 gives a connected message but then nothing no
>>>>>>> greeting or capabilities.
>>>>>>> 
>>>>>>> The certificate is for example.com with an alt name of *.example.com
>>>>>>> if that's not right let me know, i'm not sure about that one,
>>>>>>> connecting to the web sites of these pages seems noticeably slower,
>>>>>>> I'm wondering if both of these issues aren't key related?
>>>>>>> 
>>>>>>> Thanks.
>>>>>>> Dave.
>>>>>> 
>>>>>> These both should be fine.
>>>>>> 
>>>>>> Port 993 is TLS encrypted, you should use openssl s_client -connect
>>>>>> server:993
>>>>>> 
>>>>>> Aki
>>>>>> 
>>>> 
>>>

More information about the dovecot mailing list