dovecot 2.3.x, ECC and wildcard certificates, any issues

Felipe Gasper felipe at felipegasper.com
Tue Jul 31 02:07:13 EEST 2018


Revocation doesn’t remove the certificates; it just marks them as invalid when a TLS client bothers to check.

-FG

> On Jul 30, 2018, at 6:45 PM, David Mehler <dave.mehler at gmail.com> wrote:
> 
> Hello,
> 
> I have discovered what I believe is the issue after hearing back from
> Aquamail. And that is that android 7 which I'm running 7.0 that is,
> only supports up to the p256 ecc curve. This brings up a question to
> users of letsencrypt, when you revoke a certificate does it take it
> out on the usage as well? I've got one domain that says I've issued too
> many certificates for it and no more can be issued, thought I was
> using the staging server. I'd like to get those certs off the
> letsencrypt servers so I can make a new one using the p256 curve. Does
> anyone know if this is doable? Using acme.sh I tried --revoke which
> revoked one cert but letsencrypt still would not let me issue another.
> 
> Thanks.
> Dave.
> 
> 
> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>> I don't know how to get both RSA and ECC cert from letsencrypt.
>> 
>> Aki
>> 
>>> On 30 July 2018 at 20:43 David Mehler <dave.mehler at gmail.com> wrote:
>>> 
>>> 
>>> Hello,
>>> 
>>> What acme implementation do you use for your letsencrypt certificates?
>>> If it's acme.sh how do you get both rsa and ecc certificates? What
>>> configuration options are you using in your configuration of services
>>> to allow access to both rsa and ecc?
>>> 
>>> Thanks.
>>> Dave.
>>> 
>>> 
>>> On 7/30/18, David Mehler <dave.mehler at gmail.com> wrote:
>>>> Hello,
>>>> 
>>>> The client in question is the latest version of AquaMail running on
>>>> android.
>>>> 
>>>> Thanks.
>>>> Dave.
>>>> 
>>>> 
>>>> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>>>> You should, in practice, enable both. This gives best client
>>>>> compatibility. It is possible you have clients that cannot understand
>>>>> ECC certificates? You can use ssl_alt_cert to provide RSA cert too.
>>>>> 
>>>>> Aki
>>>>> 
>>>>>> On 30 July 2018 at 20:05 David Mehler <dave.mehler at gmail.com> wrote:
>>>>>> 
>>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> Thanks, good news is that worked. Bad news is it all looks good, which
>>>>>> means I do not know why my remote clients can't get their email;
>>>>>> from the logs it looked like it was that.
>>>>>> 
>>>>>> Would 143 be better or 993 for the external clients?
>>>>>> 
>>>>>> Thanks.
>>>>>> Dave.
>>>>>> 
>>>>>> 
>>>>>> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>>>>>> 
>>>>>>>> On 30 July 2018 at 19:16 David Mehler <dave.mehler at gmail.com>
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Hello,
>>>>>>>> 
>>>>>>>> Does dovecot 2.3.x have any issues recognizing or using certificates
>>>>>>>> that are ECC and wildcard? I'm trying to switch my letsencrypt
>>>>>>>> implementation from acme-client, which does not support either of
>>>>>>>> those capabilities, to acme.sh, which does. Since then external
>>>>>>>> clients checking their email has not worked. A manual telnet to
>>>>>>>> mail.example.com 993 gives a connected message but then nothing, no
>>>>>>>> greeting or capabilities.
>>>>>>>> 
>>>>>>>> The certificate is for example.com with an alt name of *.example.com;
>>>>>>>> if that's not right let me know, I'm not sure about that one.
>>>>>>>> Connecting to the web sites of these pages seems noticeably slower,
>>>>>>>> I'm wondering if both of these issues aren't key related?
>>>>>>>> 
>>>>>>>> Thanks.
>>>>>>>> Dave.
>>>>>>> 
>>>>>>> These both should be fine.
>>>>>>> 
>>>>>>> Port 993 is TLS encrypted, you should use openssl s_client -connect
>>>>>>> server:993
>>>>>>> 
>>>>>>> Aki
>>>>>>> 
>>>>> 
>>>> 
>> 
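A Dovecot 2.3 TLS configuration that serves both an ECC and an RSA certificate, using the ssl_alt_cert setting Aki mentions. This is an added example, not configuration from the thread or from the Dovecot project; the file paths are assumptions (wherever acme.sh --install-cert deployed the files), and the P-256 choice follows Dave's report that his Android 7 client only handles that curve (acme.sh issues a P-256 certificate with --keylength ec-256; it keeps ECC certificates in a separate example.com_ecc directory, so the ECC certificate needs its own --install-cert run with --ecc). The leading < tells Dovecot to read the file contents at startup, so the key files can stay root-only.

```conf
# Dovecot 2.3 TLS settings (added example, not from the thread).
# Paths are assumed; point them at the files acme.sh --install-cert wrote.
ssl = required

# Primary certificate: ECC on P-256 (issued with acme.sh --keylength ec-256).
ssl_cert = </etc/ssl/dovecot/example.com.ecc.fullchain.pem
ssl_key  = </etc/ssl/dovecot/example.com.ecc.key.pem

# Alternative certificate: RSA, offered to clients that cannot use the ECC one.
ssl_alt_cert = </etc/ssl/dovecot/example.com.rsa.fullchain.pem
ssl_alt_key  = </etc/ssl/dovecot/example.com.rsa.key.pem

# Sensible floor for the protocol and cipher negotiation (2.3 setting names).
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
```

With both certificates loaded, OpenSSL picks one per connection from the signature algorithms and ciphers the client advertises. After doveadm reload, openssl s_client -connect mail.example.com:993 shows which chain a default client gets; with OpenSSL 1.1.1 or later, adding -sigalgs RSA+SHA256 forces the RSA path so both can be checked. On port 143 the same test needs -starttls imap, since that port only upgrades to TLS after the greeting.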


