Using Let's Encrypt certificates in a non web environment

What sort of non-web environment ?

The purpose of a SSL/TLS certificate is so that the user of a service can be assured that it is talking directly to the service, ie there is not a man in the middle. This is needed for servers other than web, eg:

• Email:
  • Mail eXchangers — transfer of email between SMTP servers
  • Mail clients that download email from IMAP or POP servers
  • Mail clients that want to securely submit mail to a SMTP server
• Database: clients want to be sure of directly connecting to the server
• Operating system configuration: commands only from the authorised server
• Secure business systems

Generating the certificate

Certificates are tied to DNS names, so you first need to give a name to the service and enter it into DNS. Try to use something meaningful, eg: imap.phcomp.co.uk or submit.phcomp.co.uk

You will need to add the names used to the appropriate configuration file, eg add to SSLConfigs/phcl.conf

    DNS.6 = submit.phcomp.co.uk

For others create its own family, eg SSLConfigs/imap.conf

All of the names will have to have a web site for Let's Encrypt to validate; even if that is the only thing that the web site shows.

Using the certificate

How you do this is application specific, a couple of examples are given below (the file locations assume a RedHat/CentOS system).

Many applications will need the chained certificate.

Eg for use in exim, put in /etc/exim/exim.conf:

    tls_certificate = /var/www/acme/SignedCertificates/phcl-chained.crt
    tls_privatekey = /var/www/acme/RSAprivateKeys/phcl.key

Eg for dovecot, put in /etc/dovecot/conf.d/10-ssl.conf:

    ssl_key = </var/www/acme/RSAprivateKeys/imap.key
    ssl_cert = </var/www/acme/SignedCertificates/imap-chained.crt

File permissions

For that to work exim must be able to access the directories. To maintain privacy these directories are mode 710 owned by the users rsa or acme, and group ownership apache. Apache gets to read it, nothing else can.

Some daemons drop root privilege before opening the files. Thus you need to make the files accessible by its operating user (or group). To do this try one of:

• use POSIX ACLs to allow exim access to the directories:

      setfacl -m u:exim:x RSAprivateKeys/ SignedCertificates/

  You may need to set a mount option to be able to use ACLs.

• modify the scripts or write new ones to copy the private key & certificate files to somewhere that exim can access. Take care that nothing else can access them.

  To help with this, if the file bin/RunAfterCertificateObtained exists and is executable the program/script will be run with an argument of the name of the certificate family.

• add the daemon user to the group apache. The bad thing about this is that it will also be able to see anything that apache can - you might not want this.
  A variation is to create an acme group.

Do NOT make RSAprivateKeys/ and SignedCertificates/ accessible to all users.

Return to How to Configure Let's Encrypt with acme_tiny.py