[CentOS] Certificates

Fri Aug 31 19:38:11 UTC 2018
Leo R. Lundgren <leo at finalresort.org>

31 aug 2018 kl. 21:31 skrev Michael Schumacher <michael.schumacher at pamas.de>:

> Leo,
>>> I would like to obtain an ssl certificate, so I can run my own imap server on a machine in my office.
>>> I am assuming I'll need to pay a CA to generate what I need, but
>>> I'm confused about what I need. I am running dovecot at the moment,
>>> but my clients (iphone, windows laptops) say my ssl connection is
>>> not trusted. The phone just won't connect.
>> Nope, you don't have to pay for a certificate at one of the
>> traditional CAs, you can use Let's Encrypt to have free but fully
>> valid certificates for your server.
>> See https://letsencrypt.org/ for more information. I can recommend
>> https://github.com/xenolf/lego for use on your server, but there are
>> many different LE clients out there.
> certbot works only with ports 80 or 443? Can lego work with IMAP
> ports like 143 or 993? The documentation is not very clear.

I haven't used certbot, only lego, but that's not a problem.

If you use lego, you will have it manage requests for new certificates and renewals of existing ones. It does this using challenges over HTTP or DNS. I am guessing this is where your understanding that it only works with port 80 and 443 comes from - it uses either of those ports to communicate with Let's Encrypt's systems when using the HTTP challenge.

However, this is separate from your IMAP server. Which ports your IMAP server uses has nothing to do with lego or the LE certificate stuff. As long as something, e.g. lego, successfully manages to get valid certs onto your server, your IMAP server should be able to use those certificates (that is, a private key file and a public key file). Your IMAP server can use those files and may then respond to requests for IMAP over SSL/TLS on e.g. port 993. Port 143 is for unencrypted IMAP, so in that case certificates are not relevant at all.

Consider trying lego out with the staging parameter enabled (see the documentation for it right there on the GitHub page), that way you can experiment with it and see what it produces and how it works. Then you can configure your IMAP server to use those certificate files.

Regards, Leo
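The procedure Leo describes, as an added example that is not part of the original thread, of lego, or of Dovecot: run lego against Let's Encrypt (staging when STAGING=1) using the HTTP-01 challenge on port 80, then point Dovecot's IMAPS listener at the .crt/.key files lego writes. The domain, e-mail address, LEGO_PATH and the Dovecot conf.d location are placeholders/assumptions; the lego flags (--server, --accept-tos, --path, --http, --http.port, renew --days) are lego's own. The check functions go slightly beyond the text: they verify with openssl that the key really belongs to the certificate, that it is not about to expire, and whether it came from the staging CA, since a staging certificate exercises the whole flow but is signed by Let's Encrypt's test CA and phones and laptops will still refuse it.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread, lego or Dovecot.
# Assumptions: lego is installed; DOMAIN/EMAIL/LEGO_PATH are placeholders;
# port 80 on this host is reachable from the internet for the HTTP-01
# challenge; Dovecot's SSL settings live in /etc/dovecot/conf.d/10-ssl.conf.
set -e

DOMAIN="${DOMAIN:-imap.example.com}"        # placeholder
EMAIL="${EMAIL:-postmaster@example.com}"    # placeholder
LEGO_PATH="${LEGO_PATH:-/etc/lego}"         # lego writes certificates/<domain>.crt and .key here
STAGING_URL="https://acme-staging-v02.api.letsencrypt.org/directory"

# Request a certificate. lego needs port 80 only for the challenge;
# the IMAP ports (143/993) play no part here. With STAGING=1 it talks to the
# staging directory: same flow, but the result is signed by a test CA.
issue_cert() {
  if [ "${STAGING:-0}" = "1" ]; then set -- --server "$STAGING_URL"; else set --; fi
  lego "$@" --accept-tos --email "$EMAIL" --domains "$DOMAIN" \
       --path "$LEGO_PATH" --http --http.port ":80" run
}

# Renew when fewer than 30 days remain (run from cron; reload Dovecot afterwards).
renew_cert() {
  lego --accept-tos --email "$EMAIL" --domains "$DOMAIN" \
       --path "$LEGO_PATH" --http renew --days 30
}

# 0 if the private key ($2) belongs to the certificate ($1): compare the public
# key embedded in the cert with the one derived from the key (RSA or EC).
cert_matches_key() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate ($1) stays valid for at least $2 more days (default 30).
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null
}

# 0 if the issuer is Let's Encrypt's staging CA ("Fake LE ..." / "(STAGING) ..."),
# i.e. a test certificate that clients will not trust.
cert_is_staging() {
  openssl x509 -noout -issuer -in "$1" | grep -qiE 'STAGING|Fake LE'
}

# Dovecot SSL settings for the files lego produced. Dovecot's '<' prefix means
# "read this file"; port 993 is enabled by Dovecot's default imaps listener.
dovecot_ssl_conf() {
  cat <<EOF
ssl = required
ssl_cert = <$LEGO_PATH/certificates/$1.crt
ssl_key = <$LEGO_PATH/certificates/$1.key
EOF
}

# Usage: ./lego-dovecot.sh issue | renew | check   (no argument: define only)
case "${1:-}" in
  issue) issue_cert ;;
  renew) renew_cert ;;
  check)
    crt="$LEGO_PATH/certificates/$DOMAIN.crt"; key="$LEGO_PATH/certificates/$DOMAIN.key"
    cert_matches_key "$crt" "$key" || { echo "key does not match certificate"; exit 1; }
    cert_valid_for_days "$crt" 30  || { echo "certificate expires within 30 days, renew it"; exit 1; }
    if cert_is_staging "$crt"; then echo "WARNING: staging certificate, clients will not trust it"; fi
    echo "# put this in /etc/dovecot/conf.d/10-ssl.conf and run: doveadm reload"
    dovecot_ssl_conf "$DOMAIN" ;;
esac
```

Run `STAGING=1 ./lego-dovecot.sh issue` first to see what lego produces, then `./lego-dovecot.sh check`; it will warn that the certificate is a staging one. Only a certificate issued without STAGING=1 will make the iPhone and the laptops accept the connection on port 993.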