Let's Encrypt script and DANE/TLSA?
-
Testing out MDaemon and found this option to let MDaemon retrieve Let's Encrypt certificates. The question is if the script supports re-using the private key, so the DNS server entries for DANE/TLSA do not have to be updated each time the certificate is updated?
-
Arron Staff
The script does not currently support re-using public keys. There are other options available for using LetsEncrypt that might work better if you are implementing TLSA.
https://mytechiethoughts.com/linux/implementing-dane-with-certbot-using-lets-encrypt/
-
@Arron I'm sorry to see that the built-in script does not support these security features. That's a bit of a surprise, considering the benefits of DANE/TLSA. Are there any plans to update the script?
I can use other methods to obtain the certificate, but they will not be able to set e.g. default certificate and perhaps other vital stuff which the built-in script does.
-
Arron Staff
Last time I checked, the components we are using to interact with LetsEncrypt were not supporting it, which means we cannot support it. I'll check again when I have some time.
If you want, you can write a script to update MDaemon and webmail when a third party retrieves the certificate for you.
-
I've just stumbled upon https://certifytheweb.com/, which is pretty user friendly. Where do I find information on what to do in MDaemon (e.g. set default certificate etc.)?
-
Tyler Staff
@Rune
CertifytheWeb is indeed easy to use. Add your desired hostnames in the Certificate Domains section. In the Authorization section, point the Website Root Directory to the \MDaemon\WorldClient\HTML\ directory path and select http-01 for the challenge type if not already selected. Verify that port 80 is open and the hostnames added resolve to the Webmail login screen and run it.
You'll need to manually select and apply the certificate for use in MDaemon, Webmail, and/or Remote Administration if you use this method. MDaemon's LE script will apply them for you automatically.
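On the key-reuse point raised in the opening question and Arron's replies: an added example (not MDaemon's, CertifyTheWeb's or the linked article's code) that computes the "3 1 1" TLSA record data (SHA-256 over the SubjectPublicKeyInfo) from a DER certificate using only the Python standard library. The `fake_cert` builder is a constructed stand-in with placeholder fields and no real signature, assumed here only to show that a renewal which keeps the same key yields the same TLSA record, while a renewal that rotates the key changes it.

```python
# Added example, not MDaemon/CertifyTheWeb code: TLSA 3 1 1 from a DER cert, stdlib only.
import hashlib

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; short- and long-form lengths."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos:]; return (tag, content, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                           # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def spki_from_cert(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo, returned as a full TLV."""
    _, outer, _ = read_tlv(cert_der, 0)    # tbs || signatureAlgorithm || signatureValue
    _, tbs, _ = read_tlv(outer, 0)         # tbsCertificate content
    tag, _, pos = read_tlv(tbs, 0)
    if tag != 0xA0:                        # [0] EXPLICIT version is optional
        pos = 0
    for _ in range(5):                     # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, content, _ = read_tlv(tbs, pos)
    return der(tag, content)

def tlsa_3_1_1(cert_der: bytes) -> str:
    """TLSA rdata: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

def fake_cert(serial: int, key: bytes) -> bytes:
    """Constructed stand-in: real X.509 nesting, placeholder field contents."""
    rsa_oid = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b"")
    spki = der(0x30, der(0x30, rsa_oid) + der(0x03, b"\x00" + key))
    empty = der(0x30, b"")                 # signature / issuer / validity / subject
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, serial.to_bytes(2, "big"))
           + empty + empty + empty + empty + spki)
    return der(0x30, der(0x30, tbs) + empty + der(0x03, b"\x00"))

if __name__ == "__main__":
    key = b"\x42" * 300                    # constructed key bits; exercises long-form length
    print(tlsa_3_1_1(fake_cert(1, key)), tlsa_3_1_1(fake_cert(2, key)), sep="\n")
```

The two printed records are identical because only the serial changed; a certificate built from different key bytes produces a different hash, which is exactly the DNS update that key reuse avoids.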