Using and Selecting LetsEncrypt Clients


#1

Hi,
I wanted to use the web gui on https://certbot.eff.org to create a wildcard certificate to use with nginx postfix and dovecot. However I am confused why the wizard asked which software I would us ethe cert for. I’ve always used the same cert for all programmes and never had to customise for any.
Could somebody tell me which option I should take to create a cert for postfix/dovecot/nginx.

many thanks, Sophie


#2

The wizard at https://certbot.eff.org/ isn’t a web GUI exactly: it provides instructions on how to obtain a certificate using the Certbot software, which you download and install on your server (or, less commonly, on your local PC). It asks what software you’re using so that it can customize the instructions it provides for obtaining and installing the certificate, and setting up automated renewal. Once you have a certificate, you can of course use it for nginx, postfix, dovecot, and anything else that supports it.

Let’s Encrypt doesn’t provide wildcard certificates; however, you can get a single certificate covering up to 100 (sub)domains (also sometimes known as a SAN or UCC certificate), and as many more additional certificates as you need - subject to the rate limits.

I’d suggest trying the nginx instructions first. If you use the --webroot method, nginx will need to be able to respond to requests on port 80 for the domains you use for postfix and dovecot as well. If that’s not possible for some reason, you might have more luck with --standalone.

Whatever method you use, Certbot will create a set of symbolic links in /etc/letsencrypt/live/yourdomainname.com/ pointing to the latest versions of the certificate, private key and intermediate/chain certificate. Assuming you have all three services on the same server, you can then point their configuration at these symbolic links, so that they will always use the latest version of the certificate. Then when you renew the certificate, all you have to do is reload all three services and they should pick up the renewed certificate (and you can automate this too, using Certbot’s --post-hook option).

If you actually just wanted a web GUI, the one at https://zerossl.com/ seems popular. It can’t support automated renewals however, so you would have to repeat the process manually at least every three months to avoid expired certificates.


#3

Thanks for your explanation. I don’t have nginx nor postfix set up. I am installing a new server so I guess none is relevant.

Can I just create my own csr request upload to a server and download a crt?

Sophie


#4

If you really want to, yes, you can do that at e.g. https://gethttpsforfree.com/

However, Let’s Encrypt certificates expire after 90 days, so you’ll have to repeat this process at least every 90 days. Certbot helps you to automate the process of obtaining certificates, both initially and for renewals, so that once you’ve got it working you shouldn’t have to worry about it again.

If you do decide to use Certbot, I’d still recommend setting up at least nginx first, so that once you’ve got everything working you can just let it remember the settings you used when it comes time to renew.


#5

Oh I had no idea they expired every 90 days. I have certs from GoDaddy and Comodo that will last for 2 years so I shall carry on using those. Thanks for this info.
Sophie


#6

Yes, you can use your own CSR at https://ZeroSSL.com or you can generate it right there in your browser if you like. However, keep in mind that getting a certificate will require a proof of ownership of your domain. Most popular choices would be HTTP verification by creating a file on the server or DNS verification by creating a record in DNS. The latter method does not require any server to be running or having any IP or anything - you just need to be able to create a TXT record in your DNS.

As it has been also mentioned above, the lifetime of LE certificate is 90 days, so you need to renew periodically. It is highly recommended to do it automatically rather than manually - there are many clients you can choose from listed at https://letsencrypt.org/docs/client-options/


#7

Although I understand the practical use of such a cert, it is perfectly possible to set up Let’s Encrypt certificates with a fully automated system (renewing the certs, reloading the daemons using them et cetera). Although the single certificates are just 90 days valid, such an automated system should not require any user input once it is set up properly. So in effect, Let’s Encrypt itself would be, by design, valid for life :wink:

Especially if your setup isn’t very fancy but quite basic, it’s really a breeze to install Let’s Encrypt certificates with the use of the recommended client certbot.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.