Monday, September 17, 2018
LetsEncrypt
This weekend, I decided to try the EFF’s LetsEncrypt certificates. It was easy for Apache, not as well worked out for Postfix/Dovecot.
My self-signed certificates on a couple of my Linux boxes have been torturing me when using Apple Mail. Apple is doing the right thing trying to warn you about self-signed certificates.
I tried to go straight to the EFF email solution STARTTLS. After fumbling around with that for many hours, I decided I would get Apache working and then tackle Postfix/Dovecot. I don’t really want Apache on these boxes nor do I want them exposed directly to the internet, but it seemed like a good way to start understanding LetsEncrypt.
I cleared out all the Apache stuff that I had played with previously on a Debian system, reinstalled Apache2, and used these instructions to get the LetsEncrypt certificate installed:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
I looked at a number of different pages about LetsEncrypt and this set of instructions seemed straight forward.
I poked a hole in my firewall for Apache, which was necessary for LetsEncrypt, and set up a public DNS entry for that Debian box.
The Apache certificates installed painlessly.
Next I tackled the Postfix/Dovecot certificates. I ended up using this set of instructions:
https://www.upcloud.com/support/secure-postfix-using-lets-encrypt/
This took more fumbling around, but it works, and now my Apple Mail is happy with reading mail from my main Debian box.
I decided to leave the Debian box with the default web page up overnight in case I discovered something that would require re-doing the certificates. Oh wow! The internet is a dangerous place. I thought nobody would notice my Debian box. The logs this morning were just full of random IP addresses trying all sorts of non-existent URLs, most ending in “.php”. I was glad I had cleared out all my old experiments and reinstalled Apache. I had what I wanted, so I turned off all external access again.
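As an added example that is not part of the original post, here is a small script that picks those probes out of an Apache access log: on a box that serves no PHP at all, every 404 for a `.php` path is a scanner guessing at software that is not there. The log lines are constructed samples in Apache's default "combined" format, and the regex and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (not from the author's logs).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2018:03:12:01 +0000] "GET /wp-login.php HTTP/1.1" 404 492 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Sep/2018:03:12:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 492 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Sep/2018:03:15:44 +0000] "GET /xmlrpc.php HTTP/1.1" 404 492 "-" "python-requests/2.18"
198.51.100.7 - - [17/Sep/2018:03:15:45 +0000] "POST /admin.php?x=1 HTTP/1.1" 404 492 "-" "python-requests/2.18"
192.0.2.9 - - [17/Sep/2018:03:20:10 +0000] "GET / HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Sep/2018:03:20:11 +0000] "GET /icons/openlogo-75.png HTTP/1.1" 200 6040 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [timestamp] "method path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_combined(text):
    """Yield a dict per parseable line; malformed lines are skipped rather than raising."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def probe_report(text, suffix=".php"):
    """Return {client_ip: [paths]} for requests that got a 404 on a path ending in `suffix`.

    The query string is dropped before the suffix check so "/admin.php?x=1" still counts.
    """
    hits = defaultdict(list)
    for rec in parse_combined(text):
        path = rec["path"].split("?", 1)[0]
        if rec["status"] == 404 and path.lower().endswith(suffix):
            hits[rec["ip"]].append(path)
    return dict(hits)


if __name__ == "__main__":
    # Noisiest clients first; in practice feed it /var/log/apache2/access.log instead of SAMPLE_LOG.
    for ip, paths in sorted(probe_report(SAMPLE_LOG).items(), key=lambda kv: -len(kv[1])):
        print(f"{ip}: {len(paths)} probe(s): {', '.join(paths)}")
```

A client that shows up here repeatedly is a candidate for fail2ban or a firewall drop, while the 200s from the legitimate visitor are left alone.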
For Apache, LetsEncrypt is easy. I’m going to play more with STARTTLS and see if I can find a way to make it easy to do. Maybe I’m just misunderstanding something.