OpenSMTPD and Let's Encrypt

wizzardude · October 14, 2016, 6:58pm

I’m getting ready to deploy a new webmail server, and want to be running everything over SSL.

The HTTPS part is pretty simple, but I want to be able to use the same certs with OpenSMTPD (https://www.opensmtpd.org/faq/certificates.html) so that the mail server (which will initially be on the same host) connects via TLS.

Of the four files that form the LE cert collection (cert.pem, chain.pem, fullchain.pem, privkey.pem), which correspond to “mail.example.com.key” and “mail.example.com.crt” in the OpenSMTPD example (https://www.opensmtpd.org/faq/example1.html)?

serverco · October 14, 2016, 7:35pm

The key file ( “mail.example.com.key” in the example) is privkey.pem

The certificate file ( “mail.example.com.crt” in the example ) is fullchain.pem

ahaw021 · October 16, 2016, 5:14am

Hi wizzarddue

To clear up a bit more. You want to combine the intermediate certificates and the actual certificate into one file.

Some programs let you specify an intermediate file. OpenSMTPD requires it to be in one file.

Usually I believe the certificate issued do have an intermediate certificate but it’s worthwhile checking.

KB: https://github.com/OpenSMTPD/OpenSMTPD/issues/292
Manual: https://opensmtpd.org/faq/certificates.html

Relevant section:

pki hostname certificate certfile

Associate the certificate located in certfile with
hostname.
A certificate chain may be created by appending one or many certificates,
including a Certificate Authority certificate, to certfile.
Creation of certificates is documented in
starttls(8).

serverco · October 16, 2016, 6:42am

The fullchain.pem suggested is a combination of the certificate and intermediate

system · November 15, 2016, 6:47am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.