Parliament Hill Computers LtdParliament Hill Computers Ltd

Using Let's Encrypt certificates in a non web environment

What sort of non-web environment ?

The purpose of a SSL/TLS certificate is so that the user of a service can be assured that it is talking directly to the service, ie there is not a man in the middle. This is needed for servers other than web, eg:

Generating the certificate

Certificates are tied to DNS names, so you first need to give a name to the service and enter it into DNS. Try to use something meaningful, eg: or

You will need to add the names used to the appropriate configuration file, eg add to SSLConfigs/phcl.conf

    DNS.6 =
For others create its own family, eg SSLConfigs/imap.conf

All of the names will have to have a web site for Let's Encrypt to validate; even if that is the only thing that the web site shows.

Using the certificate

How you do this is application specific, a couple of examples are given below (the file locations assume a RedHat/CentOS system).

Many applications will need the chained certificate.

Eg for use in exim, put in /etc/exim/exim.conf:

    tls_certificate = /var/www/acme/SignedCertificates/phcl-chained.crt
    tls_privatekey = /var/www/acme/RSAprivateKeys/phcl.key

Eg for dovecot, put in /etc/dovecot/conf.d/10-ssl.conf:

    ssl_key = </var/www/acme/RSAprivateKeys/imap.key
    ssl_cert = </var/www/acme/SignedCertificates/imap-chained.crt

File permissions

For that to work exim must be able to access the directories. To maintain privacy these directories are mode 710 owned by the users rsa or acme, and group ownership apache. Apache gets to read it, nothing else can.

Some daemons drop root privilege before opening the files. Thus you need to make the files accessible by its operating user (or group). To do this try one of:

Do NOT make RSAprivateKeys/ and SignedCertificates/ accessible to all users.

Return to How to Configure Let's Encrypt with

Return to tutorial home.

If you want any help using the above, or have any comments or suggestions, please contact us.