dovecot 2.3.x, ECC and wildcard certificates, any issues
Felipe Gasper
felipe at felipegasper.com
Tue Jul 31 02:07:13 EEST 2018
Revocation doesn’t remove the certificates; it just marks them as invalid when a TLS client bothers to check.
-FG
> On Jul 30, 2018, at 6:45 PM, David Mehler <dave.mehler at gmail.com> wrote:
>
> Hello,
>
> I have discovered what I believe is the issue after hearing back from
> Aquamail. And that is that Android 7 (which I'm running, 7.0 that is)
> only supports up to the P-256 ECC curve. This brings up a question to
> users of letsencrypt: when you revoke a certificate, does it take it
> out of the usage as well? I've got one domain that says I've issued too
> many certificates for it and no more can be issued; I thought I was
> using the staging server. I'd like to get those certs off the
> letsencrypt servers so I can make a new one using the P-256 curve. Does
> anyone know if this is doable? Using acme.sh I tried --revoke, which
> revoked one cert, but letsencrypt still would not let me issue another.
>
> Thanks.
> Dave.
>
>
> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>> I don't know how to get both RSA and ECC cert from letsencrypt.
>>
>> Aki
>>
>>> On 30 July 2018 at 20:43 David Mehler <dave.mehler at gmail.com> wrote:
>>>
>>>
>>> Hello,
>>>
>>> What acme implementation do you use for your letsencrypt certificates?
>>> If it's acme.sh how do you get both rsa and ecc certificates? What
>>> configuration options are you using in your configuration of services
>>> to allow access to both rsa and ecc?
>>>
>>> Thanks.
>>> Dave.
>>>
>>>
>>> On 7/30/18, David Mehler <dave.mehler at gmail.com> wrote:
>>>> Hello,
>>>>
>>>> The client in question is the latest version of AquaMail running on
>>>> android.
>>>>
>>>> Thanks.
>>>> Dave.
>>>>
>>>>
>>>> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>>>> You should, in practice, enable both. This gives the best client
>>>>> compatibility. It is possible you have clients that cannot understand
>>>>> ECC certificates? You can use ssl_alt_cert to provide an RSA cert too.
>>>>>
>>>>> Aki
>>>>>
>>>>>> On 30 July 2018 at 20:05 David Mehler <dave.mehler at gmail.com> wrote:
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Thanks, good news is that worked. Bad news is it all looks good, which
>>>>>> means I do not know why my remote clients can't get their email;
>>>>>> from the logs it looked like it was that.
>>>>>>
>>>>>> Would 143 be better or 993 for the external clients?
>>>>>>
>>>>>> Thanks.
>>>>>> Dave.
>>>>>>
>>>>>>
>>>>>> On 7/30/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>>>>>>
>>>>>>>> On 30 July 2018 at 19:16 David Mehler <dave.mehler at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Does dovecot 2.3.x have any issues recognizing or using certificates
>>>>>>>> that are ECC and wildcard? I'm trying to switch my letsencrypt
>>>>>>>> implementation from acme-client, which does not support either of those
>>>>>>>> capabilities, to acme.sh, which does. Since then external clients
>>>>>>>> checking their email has not worked. A manual telnet to
>>>>>>>> mail.example.com 993 gives a connected message but then nothing, no
>>>>>>>> greeting or capabilities.
>>>>>>>>
>>>>>>>> The certificate is for example.com with an alt name of *.example.com;
>>>>>>>> if that's not right let me know, I'm not sure about that one.
>>>>>>>> Connecting to the web sites of these pages seems noticeably slower;
>>>>>>>> I'm wondering if both of these issues aren't key related?
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>> Dave.
>>>>>>>
>>>>>>> These both should be fine.
>>>>>>>
>>>>>>> Port 993 is TLS encrypted, you should use openssl s_client -connect server:993
>>>>>>>
>>>>>>> Aki
>>>>>>>
>>>>>
>>>>
>>
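The thread boils down to three practical points: port 993 is implicit TLS, so a bare telnet shows no greeting and openssl s_client is the right probe; Dovecot 2.3 can serve an ECC certificate plus an RSA fallback via ssl_alt_cert/ssl_alt_key; and a client limited to the P-256 curve will reject an ECC certificate on any other curve. The script below is an added example, not code from the thread, from Dovecot or from acme.sh. It assumes the openssl command-line tool is installed; mail.example.com, the /etc/ssl/mail/... paths and the self-signed test certificates are constructed for illustration. It generates P-256, P-384 and RSA test certificates, reports which ones a P-256-only client can accept, prints the Dovecot settings for serving both key types, and defines (but does not run, since it needs the network) the s_client probe for an IMAPS port.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot/acme.sh.
# Assumes the openssl command-line tool is installed. Hostnames and
# file paths are constructed for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME ALGO: self-signed test certificate for mail.example.com.
# ALGO is an EC curve name (prime256v1, secp384r1, ...) or "rsa".
make_cert() {
  if [ "$2" = rsa ]; then
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
      -out "$WORK/$1.pem" -days 1 -subj "/CN=mail.example.com" 2>/dev/null
  else
    openssl ecparam -name "$2" -genkey -noout -out "$WORK/$1.key"
    openssl req -new -x509 -key "$WORK/$1.key" -out "$WORK/$1.pem" \
      -days 1 -subj "/CN=mail.example.com" 2>/dev/null
  fi
}

# key_type CERT: print "rsa" or "ec:<curve>" for the certificate's public
# key, parsed from the "Public Key Algorithm" / "ASN1 OID" lines of the
# text dump.
key_type() {
  openssl x509 -in "$1" -noout -text | awk '
    /Public Key Algorithm: rsaEncryption/ { print "rsa"; exit }
    /ASN1 OID:/                          { print "ec:" $3; exit }'
}

# p256_ok CERT: succeed when the cert is RSA or P-256, i.e. when a client
# that only supports the P-256 curve (as reported for Android 7 in the
# thread) can still validate it.
p256_ok() {
  case "$(key_type "$1")" in
    rsa|ec:prime256v1) return 0 ;;
    *)                 return 1 ;;
  esac
}

# dovecot_ssl_conf ECC_CERT ECC_KEY RSA_CERT RSA_KEY: emit Dovecot 2.3
# settings that serve the ECC cert by default and the RSA cert as the
# alternative (ssl_alt_cert/ssl_alt_key), so both kinds of client work.
dovecot_ssl_conf() {
  printf 'ssl = required\nssl_cert = <%s\nssl_key = <%s\nssl_alt_cert = <%s\nssl_alt_key = <%s\n' \
    "$1" "$2" "$3" "$4"
}

# probe_imaps HOST: what a remote client negotiates on 993 (implicit TLS,
# so a plain telnet shows no IMAP greeting). Not run here: needs the network.
probe_imaps() {
  openssl s_client -connect "$1:993" -servername "$1" </dev/null 2>/dev/null |
    grep -E '^(Server public key|Server Temp Key|Peer signing digest|New, )'
}

make_cert p256 prime256v1
make_cert p384 secp384r1
make_cert rsa  rsa

for c in p256 p384 rsa; do
  if p256_ok "$WORK/$c.pem"; then
    echo "$c.pem: $(key_type "$WORK/$c.pem") - fine for P-256-only clients"
  else
    echo "$c.pem: $(key_type "$WORK/$c.pem") - WARNING: P-256-only clients will fail"
  fi
done

dovecot_ssl_conf /etc/ssl/mail/ecc.pem /etc/ssl/mail/ecc.key \
                 /etc/ssl/mail/rsa.pem /etc/ssl/mail/rsa.key
```

Run key_type against the certificate acme.sh actually installed: if it prints ec:secp384r1 (acme.sh's default ECC key length is not P-256) and the problem client only accepts P-256, re-issue with a P-256 key or serve an RSA certificate through ssl_alt_cert. A P-256-only client still sees the ECC certificate first during the handshake; the RSA alternative is offered when the client's advertised signature algorithms cannot be satisfied by the ECC one, which is why enabling both is the safe default Aki recommends.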