No Email x.509 Certs?

Seems like this is a natural, and might be a frequently requested service?

Is it possible to export my cert from Firefox and import into Thunderbird?

My main concern is encrypting email in-transit, not necessarily S/MIME itself since that’s too much to ask.

Thanks for that edit, makes it a lot clearer. You can use Let’s Encrypt certificates for mail, just be sure to issue for all the SANs you’ll need and you should be good to go. I’ve got a mailserver running TLS with a Let’s Encrypt certificate right now, in fact. There’s nothing special about mail servers vs. any other type of TLS server from a technical TLS perspective.

1 Like

That’s true. However, for that use case, the certificate would typically be installed on the mail server (postfix, dovecot, exim, whatever) rather than a client such as Thunderbird.

1 Like

Correct, sorry, forgot to address that second question. To expand a bit, no, you cannot do this. Firefox gives you the public-key portion, but you need to configure your mail server with the public and private keys. If you’re trying to encrypt mail in transit for a service you don’t manage, you’re out of luck. This needs to be put in place by the mail server operator.

(Yes, I know you’re not OP, this was a generic “you”.)

1 Like

This is good news. I do have control over the postfix daemon.

So what exactly would adding x.509 mean? Encrypted by my daemon and sent on to the next SMTP server – cert checked there? Checked by each server along the way? Is the cert checked at the destination? For what? About all it could be is proper domain? I guess the message is decrypted at the destination server, but what if it’s not set up for x.509?

I’m told that LE x.509 is not trusted by most mail servers. True?

People have been asking LE for S/MIME for years; will it ever be implemented? Any recommendations where I can get free S/MIME certs?

Hmm…
San [sän] NOUN
a member of the aboriginal peoples of southern Africa commonly called Bushmen. See Bushman.
the group of Khoisan languages spoken by the San.

Storage Area Network?

1 Like

If you’re not using S/MIME (or OpenPGP) then each hop is encrypted separately. So when you send an email, it’s encrypted by your client and decrypted by your mailserver. Then (if the next server supports it) it’s encrypted again by your mailserver and sent to the next one. Finally the recipient connects over TLS (hopefully) to their mailserver to download the message. There are other possibilities, but that’s a fairly typical scenario.

The certificate installed on your mailserver is used only for that first hop (or the last hop, if you’re the recipient). It’s checked by your mail client (Thunderbird). You can also configure your mailserver to ensure that it uses TLS for the next connection, and check that the next server’s cert is valid (though you might want to be selective about which servers you do this for, if you don’t want lots of undelivered mail). Beyond that, you have no control over whether it’s encrypted or not, or what certificates are used.

If you want end-to-end encrypted email your choices are pretty much S/MIME or OpenPGP.

2 Likes
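A Postfix main.cf fragment, added here and not from the thread, showing the setup the replies above describe: the Let’s Encrypt certificate (issued with mail.quantum-equities.com among its SANs) serving the first hop, opportunistic TLS to the next hop, and strict certificate verification only for destinations you choose. Paths assume certbot’s default live/ layout for the quantum-equities.com lineage and CentOS’ CA bundle; the domains in the policy map are placeholders.

```ini
# /etc/postfix/main.cf (added example; Postfix comments must sit on their own line)

# Inbound: Thunderbird and other MTAs connecting to this server (first/last hop).
# The cert must carry the name clients connect to, e.g. mail.quantum-equities.com.
smtpd_tls_cert_file = /etc/letsencrypt/live/quantum-equities.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/quantum-equities.com/privkey.pem
# "may" offers STARTTLS on port 25 without requiring it, so mail from servers
# that cannot do TLS still arrives. Require it only for submission (port 587)
# by adding "-o smtpd_tls_security_level=encrypt" to that service in master.cf.
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1

# Outbound: the next hop. "may" = use TLS if the remote offers it, else plaintext;
# the remote's certificate is not verified at this level.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_loglevel = 1
# Per-destination overrides: verify certificates only where you decide the
# risk of deferred mail is worth it (the "be selective" point above).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy (placeholder domains; run "postmap /etc/postfix/tls_policy"):
#   example.org      secure match=example.org:.example.org
#   partner.example  encrypt
# "secure" fails delivery unless TLS is offered AND the cert chains to a trusted
# CA AND matches the listed names; "encrypt" insists on TLS but skips verification.
```

After a renewal, Postfix must be reloaded (for example from certbot’s --deploy-hook) or it keeps serving the old certificate from memory.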

Thank you J.

With an S/MIME cert, does this mean my encrypted message can be received at the far end by someone who has not set up S/MIME? That their email client will look up my CA (Comodo has free ones for personal use) and know how to decrypt without user intervention? (Assuming I’ve used an accepted CA like Comodo)

I believe your MUA will simply not generate any encrypted messages to people who have not themselves set up S/MIME.

Does this mean I’d necessarily have to have their S/MIME before I can encrypt with my S/MIME? This seems an impossible situation.

Also, with certbot, I’m wondering how to set multiple subdomains in the SAN, for example dangerrocket.com, www.dangerrocket.com, and mail.dangerrocket.com into one cert? I can’t find a setting in /etc/letsencrypt.

You don't encrypt with your own S/MIME certificate - you encrypt with the recipient's, and sign with your own. So yeah, they need to set something up before you can send them an encrypted message.

Use the -d option on the command line. For example:

certbot -d dangerrocket.com,www.dangerrocket.com,mail.dangerrocket.com

-d, nice.

Now, I have several websites that I need to partition from one another. IOW I don’t want all in one cert. Yet certbot seems to want to do them all together. Would it deal properly with multiple independent SSL certs?

Does it reload Apache when it’s updated the certs?

What if an update fails? Can I have it send an email?

Certbot gets one certificate per run, so if you want separate certificates, simply run Certbot separately once for each certificate. If you do include multiple names with -d in a single run, you'll get a single certificate covering all of them.

If you use --apache, it does. For other methods such as --webroot and --standalone, it doesn't do so by default, but you can ask it to with --deploy-hook.

There's nothing built into Certbot to do that, but you can try to use the exit code to script this. The certificate authority will also e-mail you at the address associated with your account if a certificate is near expiry and you haven't issued a newer certificate for exactly the same set of names.
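One way to script what this reply describes, as an added example that is not from the thread or from Certbot itself: a wrapper that runs the renewal, reloads Apache and Postfix through --deploy-hook only when a certificate was actually deployed, and emails the admin when the run exits non-zero. The names CERTBOT, ADMIN_MAIL, RELOAD_HOOK and the functions are assumptions, and the address is a placeholder.

```shell
#!/bin/sh
# Added example: wrapper around "certbot renew" with failure notification.
# Assumed names: CERTBOT, ADMIN_MAIL, RELOAD_HOOK; the address is a placeholder.

CERTBOT="${CERTBOT:-certbot}"
ADMIN_MAIL="${ADMIN_MAIL:-postmaster@example.invalid}"          # placeholder
RELOAD_HOOK="${RELOAD_HOOK:-systemctl reload httpd postfix}"   # CentOS units

# Compose the failure message: exit status, host, and the tail of certbot's
# output. $1 = exit status, $2 = file holding certbot's stdout+stderr.
failure_report() {
    printf 'certbot renew exited with status %s on %s\n\n' "$1" "$(uname -n)"
    printf 'Last 20 lines of output:\n'
    tail -n 20 "$2"
}

# Deliver a report (body on stdin) with the local mail(1) command. $1 = subject
send_mail() {
    mail -s "$1" "$ADMIN_MAIL"
}

# Run the renewal, keep its output, notify on a non-zero exit status, and
# return that status so the systemd unit (or cron) records the failure too.
# --deploy-hook runs only when certbot actually installed a new certificate.
renew_and_notify() {
    out=$(mktemp) || return 1
    "$CERTBOT" renew --deploy-hook "$RELOAD_HOOK" >"$out" 2>&1
    rc=$?
    if [ "$rc" -ne 0 ]; then
        failure_report "$rc" "$out" | send_mail "certbot renewal FAILED on $(uname -n)"
    fi
    rm -f "$out"
    return "$rc"
}

# Invoke as "sh certbot-renew.sh run" from the .service file; without the
# argument the file only defines the functions (handy for sourcing/testing).
case "${1:-}" in
    run) renew_and_notify; exit $? ;;
esac
```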

Thanks. It looks like I’ll have to suborn CentOS’ .service file and make some modifications. systemd doesn’t have an email mechanism either, but there’s a workaround. I should also modify their .timer file to check twice a day rather than once.

I’d let the maintainer know, but that never works.

I’m getting a failure with certbot which I don’t understand. (below) I should give some background first though.

My domain has been registered with bookmyname for some years, but recently I’ve struggled with DNSSEC and found that they do not actually support it for customers. So I am now waiting for transfer to GKG, although that’s been hung up for a week now – new registrar says the old registrar has to release, and old registrar claims it’s up to ICANN. I don’t know what to do.

Maybe this mess is the cause of the below problem? (I had to put the DOTs in because “New users can’t put in more than 20 URLs”)

certbot -d quantum-equities.com,www.quantum-equities.com,mail.quantum-equities.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01DOTapi.letsencryptDOTorg
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for quantum-equitiesDOTcom
tls-sni-01 challenge for www.quantum-equitiesDOTcom
tls-sni-01 challenge for mail.quantum-equitiesDOTcom

We were unable to find a vhost with a ServerName or Address of mail.quantum-equitiesDOTcom.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)

1: bills-vhosts.conf | Multiple Names | | Enabled
2: bills-vhosts.conf | Multiple Names | | Enabled
3: bills-vhosts.conf | Multiple Names | | Enabled
4: ssl.conf | | HTTPS | Enabled

Select the appropriate number [1-4] then [enter] (press ‘c’ to cancel): 1
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mail.quantum-equitiesDOTcom (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested d24fd806bb7e6002a9523a39de84a25b.f72149bdd6ab45b01f39fa01a72c5ce5.acme.invalid from 199.127.58.3:443. Received 1 certificate(s), first certificate had names “ctcoupon.com, mail.ctcouponDOTcom, www.ctcouponDOTcom”, www.quantum-equitiesDOTcom (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 269eb705b1ee1b068db340330dcd4236.6ee93010d25c8dd1353e67d5328e957e.acme.invalid from 199.127.58.3:443. Received 1 certificate(s), first certificate had names “ctcouponDOTcom, mail.ctcouponDOTcom, www.ctcoupon.com”, quantum-equitiesDOTcom (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 333381970e776d916decb5188995054b.08c3de4f8ebf051ac9258d9db7b15348.acme.invalid from 199.127.58.3:443. Received 1 certificate(s), first certificate had names “ctcouponDOTcom, mail.ctcouponDOTcom, www.ctcouponDOTcom”

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.quantum-equities.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    d24fd806bb7e6002a9523a39de84a25b.f72149bdd6ab45b01f39fa01a72c5ce5.acme.invalid
    from 199.127.58.3:443. Received 1 certificate(s), first certificate
    had names “ctcoupon.com, mail.ctcoupon.com, www.ctcoupon.com

    Domain: www.quantum-equities.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested

This is most likely a problem about Certbot not being able to correctly parse your Apache configuration. Older versions of Certbot expected one virtual host per config file, so that is one potential source of the confusion; also, the fact that it couldn’t find a virtual host for mail.quantum-equities.com suggests that your virtual hosts might not be set up correctly. Would you like to post the bills-vhosts.conf file here?

Sure. To add to the mess, I am moving my domains to a local KVM virtual machine. Of course the DNS doesn’t point here due to the transfer, but also delphi-real-estate isn’t resolving right because of experiments I was running.

My TLS lines are commented out due to the chicken-or-egg problem.

And I find that the forum software seems to interpret {lessthen}{slash} as a blank line command.

<VirtualHost *>
    ServerAdmin postmaster@quantum-equities.com
    DocumentRoot "/srv/QE"
    <Directory "/srv/QE">
        Options Indexes FollowSymLinks
        AllowOverride None
        # Allow open access:
        Require all granted
    </Directory>
    ServerName quantum-equities.com
    ServerAlias www.quantum-equities.com
    #SSLEngine On
    #SSLCertificateFile /etc/pki/tls/certs/quantum-equities.com.crt
    #SSLCertificateKeyFile /etc/pki/tls/private/quantum-equities.com.key
    #SSLCertificateChainFile /etc/pki/tls/misc/Intermediate.crt
    #SSLProtocol All -SSLv2
    #SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
    ErrorLog logs/QE-ssl_error_log
    TransferLog logs/QE-ssl_access_log
    LogLevel warn
    ErrorLog "/var/log/httpd/quantum-equities-error_log"
    CustomLog "/var/log/httpd/quantum-equities-access_log" common
</VirtualHost>

<VirtualHost *>
    ServerAdmin postmaster@quantum-sci.com
    DocumentRoot "/srv/QS"
    <Directory "/srv/QS">
        Options Indexes FollowSymLinks
        AllowOverride None
        # Allow open access:
        Require all granted
    </Directory>
    ServerName quantum-sci.com
    ServerAlias www.quantum-sci.com
    #SSLEngine On
    #SSLCertificateFile /etc/pki/tls/certs/quantum-sci.com.crt
    #SSLCertificateKeyFile /etc/pki/tls/private/quantum-sci.com.key
    #SSLCertificateChainFile /etc/pki/tls/misc/Intermediate.crt
    #SSLProtocol All -SSLv2
    #SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
    ErrorLog logs/QS-ssl_error_log
    TransferLog logs/QS-ssl_access_log
    LogLevel warn
    ErrorLog "/var/log/httpd/quantum-sci-error_log"
    CustomLog "/var/log/httpd/quantum-sci-access_log" common
</VirtualHost>

<VirtualHost *>
    ServerAdmin postmaster@delphi-real-estate.com
    DocumentRoot "/srv/DRE"
    <Directory "/srv/DRE">
        Options Indexes FollowSymLinks
        AllowOverride None
        # Allow open access:
        Require all granted
    </Directory>
    ServerName delphi-real-estate.com
    ServerAlias www.delphi-real-estate.com
    #SSLEngine On
    #SSLCertificateFile /etc/pki/tls/certs/delphi-real-estate.crt
    #SSLCertificateKeyFile /etc/pki/tls/private/delphi-real-estate.key
    #SSLCertificateChainFile /etc/pki/tls/misc/Intermediate.crt
    #SSLProtocol All -SSLv2
    #SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
    ErrorLog logs/DRE-ssl_error_log
    TransferLog logs/DRE-ssl_access_log
    LogLevel warn
    ErrorLog "/var/log/httpd/delphi-real-estate-error_log"
    CustomLog "/var/log/httpd/delphi-real-estate-access_log" common
</VirtualHost>

@bmw, would you be willing to take a look at this to try to understand why Certbot couldn’t parse it?

@Quantum, thanks for posting the configuration file. What version of Certbot are you using?

There doesn’t seem to be a --version switch, and it doesn’t say in the script, but I installed it yesterday.

There are several blank lines in my config file above due to the forum, but if he’s a mod he can edit the file and see it all.

So I uncommented the TLS lines and now I get the following. Uh der, there is no existing cert.

certbot -d quantum-equities.com,www.quantum-equities.com,mail.quantum-equities.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.

AH00526: Syntax error on line 13 of /etc/httpd/conf.d/bills-vhosts.conf:
SSLCertificateFile: file ‘/etc/pki/tls/certs/quantum-equities.com.crt’ does not exist or is empty

Certbot doesn’t know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run “certbot certonly” to do so. You’ll need to manually configure your web server to use the resulting certificate.