dovecot 2.3.x, ECC and wildcard certificates, any issues

Tue Jul 31 01:45:23 EEST 2018

Hello,

I have discovered what I believe is the issue after hearing back from
Aquamail. And that is that android 7 which I'm running 7.0 that is,
only supports up to the p256 ecc curve. This brings up a question to
users of letsencrypt, when you revoke a certificate does it take it
out on the usage as well? I've got one domain that says i've issued to
many certificates for it and no more can be issued, thought I was
using the staging server. I'd like to get those certs off the
letsencrypt servers so I can make a new one using the p256 curve. Does
anyone know if this is doable? Using acme.sh I tried --revoke which
revoked one cert but letsencrypt still would not let me issue another.

Thanks.
Dave.

On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> I don't know how to get both RSA and ECC cert from letsencrypt.
>
> Aki
>
>> On 30 July 2018 at 20:43 David Mehler <dave.mehler at gmail.com> wrote:
>>
>>
>> Hello,
>>
>> What acme implementation do you use for your letsencrypt certificates?
>> If it's acme.sh how do you get both rsa and ecc certificates? What
>> configuration options are you using in your configuration of services
>> to allow access to both rsa and ecc?
>>
>> Thanks.
>> Dave.
>>
>>
>> On 7/30/18, David Mehler <dave.mehler at gmail.com> wrote:
>> > Hello,
>> >
>> > The client in question is the latest version of AquaMail running on
>> > android.
>> >
>> > Thanks.
>> > Dave.
>> >
>> >
>> > On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>> >> You should, in practice, enable both. This gives best client
>> >> compability.
>> >> It
>> >> is possible you have clients that cannot understand ECC certificates?
>> >> You
>> >> can use ssl_alt_cert to provide RSA cert too.
>> >>
>> >> Aki
>> >>
>> >>> On 30 July 2018 at 20:05 David Mehler <dave.mehler at gmail.com> wrote:
>> >>>
>> >>>
>> >>> Hi,
>> >>>
>> >>> Thanks, good news is that worked. Bad news is it all looks good which
>> >>> means I do not know hwhy my remote clients can't get their email,
>> >>> looked like from the logs it was that.
>> >>>
>> >>> Would 143 be better or 993 for the external clients?
>> >>>
>> >>> Thanks.
>> >>> Dave.
>> >>>
>> >>>
>> >>> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>> >>> >
>> >>> >> On 30 July 2018 at 19:16 David Mehler <dave.mehler at gmail.com>
>> >>> >> wrote:
>> >>> >>
>> >>> >>
>> >>> >> Hello,
>> >>> >>
>> >>> >> Does dovecot 2.3.x have any issues recognizing or using
>> >>> >> certificates
>> >>> >> that are ECC and wildcard? I'm trying to switch my letsencrypt
>> >>> >> implementation from acme-client which does not support either of
>> >>> >> those
>> >>> >> capabilities to acme.sh which does. Since then external clients
>> >>> >> checking their email has not worked. A manual telnet to
>> >>> >> mail.example.com 993 gives a connected message but then nothing no
>> >>> >> greeting or capabilities.
>> >>> >>
>> >>> >> The certificate is for example.com with an alt name of
>> >>> >> *.example.com
>> >>> >> if that's not right let me know, i'm not sure about that one,
>> >>> >> connecting to the web sites of these pages seems noticeably
>> >>> >> slower,
>> >>> >> I'm wondering if both of these issues aren't key related?
>> >>> >>
>> >>> >> Thanks.
>> >>> >> Dave.
>> >>> >
>> >>> > These both should be fine.
>> >>> >
>> >>> > Port 993 is TLS encrypted, you should use openssl s_client -connect
>> >>> > server:993
>> >>> >
>> >>> > Aki
>> >>> >
>> >>
>> >
>