The purpose of an SSL/TLS certificate is to assure the user of a service that it is talking directly to that service, ie that there is no man in the middle. This is needed for servers other than web servers, eg:
Certificates are tied to DNS names, so you first need to give a name to the service and enter it into DNS. Try to use something meaningful,
You will need to add the names used to the appropriate configuration file, eg add to

    DNS.6 = submit.phcomp.co.uk

For others create its own family, eg
All of the names will have to have a web site for Let's Encrypt to validate against, even if that is the only thing that the web site shows.
How you do this is application specific, a couple of examples are given below (the file locations assume a RedHat/CentOS system).
Many applications will need the chained certificate.
Eg for use in exim, put in

    tls_certificate = /var/www/acme/SignedCertificates/phcl-chained.crt
    tls_privatekey = /var/www/acme/RSAprivateKeys/phcl.key
Eg for dovecot, put in

    ssl_key = </var/www/acme/RSAprivateKeys/imap.key
    ssl_cert = </var/www/acme/SignedCertificates/imap-chained.crt
For that to work exim must be able to access the directories. To maintain privacy these directories are mode 710, owned by the user acme with group ownership apache. Apache gets to read them, nothing else can.
Some daemons drop root privilege before opening the files, so you need to make the files accessible to their operating user (or group). To do this try one of:
    setfacl -m u:exim:x RSAprivateKeys/ SignedCertificates/

You may need to set a mount option to be able to use ACLs.
modify the scripts or write new ones to copy the private key & certificate files to somewhere that exim can access. Take care that nothing else can access them.
To help with this, if the file exists and is executable the program/script will be run with an argument of the name of the certificate family.
Do NOT make SignedCertificates/ accessible to all users.