The purpose of an SSL/TLS certificate is to let the client of a service verify that it is talking directly to the genuine service, i.e. that there is no man in the middle reading or altering the traffic. This is needed for servers other than web, e.g.:
Certificates are tied to DNS names, so you first need to give a name to the service and enter it into DNS. Try to use something meaningful, e.g. imap.phcomp.co.uk or submit.phcomp.co.uk.
You will need to add the names used to the appropriate configuration file, e.g. add to SSLConfigs/phcl.conf:
DNS.6 = submit.phcomp.co.uk
For other services create a family of their own, e.g. SSLConfigs/imap.conf.
Let's Encrypt validates each name over HTTP (acme_tiny.py uses the http-01 challenge, which fetches /.well-known/acme-challenge/ from port 80), so every name in the family must resolve to a web server that can serve the challenge files, even if that is the only thing the web site shows.
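The following is an added example, not code from the page or from acme_tiny.py. It keeps the DNS.N list of a certificate family's configuration file in order, on the assumption (suggested by "DNS.6 = submit.phcomp.co.uk" above, which looks like an openssl subjectAltName alt_names list) that the file holds one "DNS.<n> = <name>" line per name, numbered from 1. The sample configuration it is run against is constructed here; the function names san_names and san_add are this example's own.

```shell
#!/bin/sh
# Added example (not from the page or acme_tiny.py): maintain the DNS.N
# entries of a family file such as SSLConfigs/phcl.conf without skipping or
# repeating an index. Assumes one "DNS.<n> = <name>" line per name.
set -eu

# san_names CONF: print the names currently listed, in DNS.N order.
san_names() {
    sed -n 's/^[[:space:]]*DNS\.\([0-9][0-9]*\)[[:space:]]*=[[:space:]]*\(.*\)$/\1 \2/p' "$1" \
        | sort -n | awk '{print $2}'
}

# san_add CONF NAME: append NAME as the next DNS.N entry unless it is
# already listed. Returns 0 when added, 1 when already present, 2 when NAME
# is not a plausible hostname. Wildcards ("*") are rejected on purpose:
# Let's Encrypt will not issue them over the http-01 challenge this page uses.
san_add() {
    conf=$1; name=$2
    case "$name" in
        ""|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 2 ;;
    esac
    if san_names "$conf" | grep -qxF "$name"; then
        return 1
    fi
    # highest index in use; an empty file starts at DNS.1
    last=$(sed -n 's/^[[:space:]]*DNS\.\([0-9][0-9]*\)[[:space:]]*=.*/\1/p' "$conf" \
        | sort -n | tail -n 1)
    next=$(( ${last:-0} + 1 ))
    printf 'DNS.%d = %s\n' "$next" "$name" >> "$conf"
}
```

Run it as `san_add SSLConfigs/phcl.conf submit.phcomp.co.uk` before regenerating the request for the family; `san_names SSLConfigs/phcl.conf` then lists every name that must be reachable over HTTP for validation.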
How you do this is application specific; a couple of examples are given below (the file locations assume a RedHat/CentOS system).
E.g. for use in exim, put in /etc/exim/exim.conf:
tls_certificate = /var/www/acme/SignedCertificates/phcl.crt
tls_privatekey = /var/www/acme/RSAprivateKeys/phcl.key
E.g. for dovecot, put in /etc/dovecot/conf.d/10-ssl.conf:
ssl_key = </var/www/acme/RSAprivateKeys/imap.key
ssl_cert = </var/www/acme/SignedCertificates/imap.crt
(the leading < tells dovecot to read the value from the named file rather than treating the path itself as the value).
For that to work exim must be able to access the directories. To maintain privacy these directories are mode 710, owned by the user rsa or acme, with group ownership apache. Mode 710 gives the group execute (traverse) permission only, so apache can open the files by name but cannot list the directory; no other user can get in at all.
Some daemons drop root privilege before opening the files, so you need to make the files accessible to the daemon's operating user (or group). To do this try one of:
- setfacl -m u:exim:x RSAprivateKeys/ SignedCertificates/
  You may need to set a mount option to be able to use ACLs. Note that an x ACL only lets exim traverse the directories; the key and certificate files themselves must also be readable by the exim user or group (e.g. with a further read ACL on those files).
- Modify the scripts, or write new ones, to copy the private key and certificate files to somewhere that exim can access. Take care that nothing else can access them.
To help with this, if the file bin/RunAfterCertificateObtained exists and is executable, the program/script will be run with the name of the certificate family as its argument.
acme group.
Do NOT make RSAprivateKeys/ and SignedCertificates/ accessible to all users.
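As an added example of the copying approach above (this is not code from the page, acme_tiny.py or the phcomp scripts), here is a RunAfterCertificateObtained-style hook that copies one family's key and certificate out of the acme tree into a private directory that a root-dropping daemon can read. The destination directory /etc/exim/certs, the group name exim and the reload command are assumptions and are parameters; the function names install_family and copy_private are this example's own. Before installing, it checks that the certificate really belongs to the key (when openssl is available), since a mismatched pair takes the service down at the next TLS handshake.

```shell
#!/bin/sh
# Added example for this page (not acme_tiny.py or the phcomp scripts): a
# RunAfterCertificateObtained-style hook that copies one certificate family
# out of the acme tree to a private directory a root-dropping daemon can read.
# Assumed, not taken from the page: the destination directory, the group
# name "exim" and the optional reload command; all are parameters.
set -eu

# copy_private SRC DEST GROUP
#   Install SRC as DEST with mode 0640 and group GROUP, writing a temp file
#   first and renaming it, so a reader never sees a half-written file.
copy_private() {
    tmp="$2.tmp.$$"
    install -m 0640 -g "$3" "$1" "$tmp"
    mv -f "$tmp" "$2"
}

# install_family SRC_BASE DEST_DIR FAMILY GROUP [RELOAD_CMD]
#   Copies SRC_BASE/RSAprivateKeys/FAMILY.key and
#   SRC_BASE/SignedCertificates/FAMILY.crt into DEST_DIR as FAMILY.key and
#   FAMILY.crt, readable by owner and GROUP only, then runs RELOAD_CMD if given.
#   Returns 2 if the source files are missing, 3 if the certificate does
#   not belong to the key (checked only when openssl is installed).
install_family() {
    src_base=$1; dest=$2; family=$3; group=$4; reload=${5:-}
    key="$src_base/RSAprivateKeys/$family.key"
    crt="$src_base/SignedCertificates/$family.crt"
    if ! [ -r "$key" ] || ! [ -r "$crt" ]; then
        echo "install_family: missing key or certificate for family $family" >&2
        return 2
    fi

    # Refuse a certificate that was not issued for this key: compare the
    # public key derived from the private key with the one in the certificate.
    if command -v openssl >/dev/null 2>&1; then
        kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
        cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
        if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
            echo "install_family: key and certificate do not match for $family" >&2
            return 3
        fi
    fi

    # Destination: owner rwx, group read+traverse, nothing for others.
    umask 077
    mkdir -p "$dest"
    chgrp "$group" "$dest"
    chmod 0750 "$dest"
    copy_private "$key" "$dest/$family.key" "$group"
    copy_private "$crt" "$dest/$family.crt" "$group"

    # e.g. "doveadm reload" for dovecot; exim reads the files per connection
    if [ -n "$reload" ]; then
        sh -c "$reload"
    fi
}

# When the certificate scripts run this file as bin/RunAfterCertificateObtained,
# $1 is the family name that was just renewed. The default paths are assumptions.
if [ -n "${1:-}" ]; then
    install_family "${ACME_BASE:-/var/www/acme}" "${CERT_DEST:-/etc/exim/certs}" "$1" exim
fi
```

Point the daemon's tls_certificate/tls_privatekey (or ssl_cert/ssl_key) settings at the copies in the destination directory rather than at the acme tree; the acme directories then stay as private as before.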