Re: Specifying certificates in master.cf

2019-10-01 Thread Thilo Molitor
Letsencrypt *never* generates keys for you. He talked about the letsencrypt client he uses, which generates a key locally, submits a CSR to letsencrypt and provides 2 files (the generated key and the obtained certificate) afterwards. On 2 October 2019 at 04:25:44 CEST, Olivier wrote: >Viktor Du

Re: Specifying certificates in master.cf

2019-10-01 Thread Olivier
Viktor Dukhovni writes: >> On Oct 1, 2019, at 12:39 PM, linkcheck wrote: >> >> Letsencrypt supplies 2 files. I don't think it combines them into a single >> one, though I may be wrong. I know it's possible to combine them on the >> server but the auto-update of the cert then becomes complicated

Re: Specifying certificates in master.cf

2019-10-01 Thread Phil Stracchino
On 10/1/19 1:34 PM, Viktor Dukhovni wrote: > Not similar, because unlike "ejabberd" which probably reads > the cert and key only on startup, Postfix starts new smtpd(8) > and smtp(8) processes as needed, and these reload the cert > at unpredictable times. > > Postfix does not need a "reload" to ge

Re: Specifying certificates in master.cf

2019-10-01 Thread Viktor Dukhovni
> On Oct 1, 2019, at 1:27 PM, Phil Stracchino wrote: > > Here's how I fix that for ejabberd, which REQUIRES a single file: > > 30 6,18 * * * [[ > /etc/letsencrypt/live/www.caerllewys.net/privkey.pem -nt > /etc/jabber/server.pem ]] && cat > /etc/letsencrypt/live/www.caerllewys.net/privk

Re: Specifying certificates in master.cf

2019-10-01 Thread Phil Stracchino
On 10/1/19 1:18 PM, Viktor Dukhovni wrote: > Most users are very unlikely to see the race condition play out, > on their system but it probably happens to *someone* now and then, > (law of large numbers and all that...). Aah, good point. Here's how I fix that for ejabberd, which REQUIRES a si

Re: Specifying certificates in master.cf

2019-10-01 Thread Phil Stracchino
On 10/1/19 12:39 PM, linkcheck wrote: > Viktor Dukhovni wrote >> With Postfix 3.x the default value of the key file >> parameter is the cert file, and the same file can hold both the >> cert and the key. > > Letsencrypt supplies 2 files. I don't think it combines them into a single > one, though I

Re: Specifying certificates in master.cf

2019-10-01 Thread Viktor Dukhovni
> On Oct 1, 2019, at 12:39 PM, linkcheck wrote: > > Letsencrypt supplies 2 files. I don't think it combines them into a single > one, though I may be wrong. I know it's possible to combine them on the > server but the auto-update of the cert then becomes complicated. That's mostly OK. You can u

Re: Specifying certificates in master.cf

2019-10-01 Thread linkcheck
Viktor Dukhovni wrote > With Postfix 3.x the default value of the key file > parameter is the cert file, and the same file can hold both the > cert and the key. Letsencrypt supplies 2 files. I don't think it combines them into a single one, though I may be wrong. I know it's possible to combine th

Re: Specifying certificates in master.cf

2019-10-01 Thread Viktor Dukhovni
On Tue, Oct 01, 2019 at 05:59:19PM +0200, Matus UHLAR - fantomas wrote: > >> In Postfix 3.4 > > On 01.10.19 06:13, linkcheck wrote: > >Thanks, but I'm on 3.1.1 due to Ubuntu/Mint version. > > then, you need separate key and cert file. Actually, no. With Postfix 3.x the default value of the key

Re: Specifying certificates in master.cf

2019-10-01 Thread Matus UHLAR - fantomas
In Postfix 3.4 On 01.10.19 06:13, linkcheck wrote: Thanks, but I'm on 3.1.1 due to Ubuntu/Mint version. then, you need separate key and cert file. smtpd_tls* is for receiving connections. smtp_tls* is for outgoing connections. You're specifying the same certificate thus making it redundant

Re: Specifying certificates in master.cf

2019-10-01 Thread Viktor Dukhovni
> On Oct 1, 2019, at 9:43 AM, linkcheck wrote: > > I assume that does not apply to the files in main.cf. Why assume anything, Postfix comes with documentation, and there is also a decent book by No Starch Press, which though dated on some bleeding edge new features, covers all the basics. The O

Re: Specifying certificates in master.cf

2019-10-01 Thread linkcheck
Viktor Dukhovni wrote >> On Oct 1, 2019, at 9:21 AM, linkcheck < > postfix@.co > > wrote: > > See http://www.postfix.org/master.5.html (or man -s 5 master). > > Since the "-o" options are *overrides*, if an option has the > right value in main.cf, there is no need for an override. Thanks, Vict

Re: Specifying certificates in master.cf

2019-10-01 Thread linkcheck
Viktor Dukhovni wrote > On Mon, Sep 30, 2019 at 06:53:38AM -0700, linkcheck wrote: > >> I have the following for smtp and submission... >> >> smtp inet n - n - - smtpd >> [...] >> -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem >> -o smtpd_tls_ke

Re: Specifying certificates in master.cf

2019-10-01 Thread Viktor Dukhovni
> On Oct 1, 2019, at 9:21 AM, linkcheck wrote: > > Most of the installation info I have read online gives something similar to > my original posting for master.cf. I can understand removing the smtp_cert > lines from the smtp section (hence the question) but was not aware I did not > need any cer

Re: Specifying certificates in master.cf

2019-10-01 Thread linkcheck
@lbutlr wrote > On Sep 30, 2019, at 7:53 AM, linkcheck < > postfix@.co > > wrote: >> I have the following for smtp and submission… > > Seems like a lot. > > This is all I have, in main.cf: > > smtpd_tls_cert_file = > /usr/local/etc/dehydrated/certs/covisp.net/fullchain.pem > smtpd_tls_key_file

Re: Specifying certificates in master.cf

2019-10-01 Thread linkcheck
> In Postfix 3.4 Thanks, but I'm on 3.1.1 due to Ubuntu/Mint version. > smtpd_tls* is for receiving connections. > smtp_tls* is for outgoing connections. > You're specifying the same certificate thus making it redundant. > You may shorten it to just two lines in your main.cf: Thanks. Is that ju

Re: Specifying certificates in master.cf

2019-09-30 Thread Viktor Dukhovni
On Mon, Sep 30, 2019 at 06:53:38AM -0700, linkcheck wrote: > I have the following for smtp and submission... > > smtp inet n - n - - smtpd > [...] > -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem > -o smtpd_tls_key_file=/etc/letsencrypt/live/(na

Re: Specifying certificates in master.cf

2019-09-30 Thread Anton Rieger
smtp inet n - n - - smtpd -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem -o smtpd_tls_key_file=/etc/letsencrypt/live/(name).pem -o smtp_tls_cert_file=/etc/letsencrypt/live/(name).pem -o smtp_tls_key_file=/etc/letsencrypt/live/(name).pem submission

Re: Specifying certificates in master.cf

2019-09-30 Thread @lbutlr
On Sep 30, 2019, at 7:53 AM, linkcheck wrote: > I have the following for smtp and submission… Seems like a lot. This is all I have, in main.cf: smtpd_tls_cert_file = /usr/local/etc/dehydrated/certs/covisp.net/fullchain.pem smtpd_tls_key_file = /usr/local/etc/dehydrated/certs/covisp.net/privkey.

Specifying certificates in master.cf

2019-09-30 Thread linkcheck
I have been running postfix for several years. The latest certificate has almost run out so I switched to letsencrypt. Whilst installing the certificate and key in master.cf it occurred to me to wonder if I wasn't over-specifying their use. I have checked around the web and found nothing like my se