Monday, September 17, 2018
LetsEncrypt
This weekend, I decided to try the EFF’s LetsEncrypt certificates. It was easy for Apache, not as well worked out for Postfix/Dovecot.
My self signed certificates on a couple of my Linux boxes have been torturing me when using Apple Mail. Apple is doing the right thing trying to warn you about self signed certificates.
I tried to go straight to the EFF email solution STARTTLS. After fumbling around with that for many hours, I decided I would get Apache working and then tackle Postfix/Dovecot. I don’t really want Apache on these boxes nor do I want them exposed directly to the internet, but it seemed like a good way to start understanding LetsEncrypt.
I cleared out all the Apache stuff that I had played with previously on a Debian system, reinstalled Apache2, and used these instructions to get the LetsEncrypt certificate installed:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
I looked at a number of different pages about LetsEncrypt and this set of instructions seemed straight forward.
I poked a hole in my firewall for apache, which was necessary for LetsEncrypt and setup a public DNS entry for that Debian box.
The Apache certificates installed painlessly.
Next I tackled the Postfix/Dovecot certificates. I ended up using this set of instructions:
https://www.upcloud.com/support/secure-postfix-using-lets-encrypt/
This took more fumbling around but it works and now my Apple mail is happy with reading mail from my main Debian box.
I decided to leave the Debian box with the default web page up overnight in case I discovered something that would require re-doing the certificates. Oh wow! The internet is a dangerous place. I thought nobody would notice my Debian box. The logs this morning were just full of random IP addresses trying all sorts of non-existant URLs, most ending in “.php”. I was glad I had cleared out all my old experiments and reinstalled Apache. I had what I wanted, so I turned off all external access again.
For Apache, LetsEncrypt is easy. I’m am going to play more with STARTTLS and see if I can find a way to make easy to do. Maybe I’m just misunderstanding something.
Subscribe to:
Posts (Atom)