Let's Encrypt, free certificate how to.

Hi all,

I am trying to delete my self-signed certificate and use the one generated by Let's Encrypt.

I am following this guide:

https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates

and I have successfully generated the four pem files:

1 cert.pem

2 chain.pem

3 fullchain.pem

4 privkey.pem

In my Postfix main.cf file I need to specify three files:

smtpd_tls_key_file = /etc/pki/tls/private/mail.mydomain.org.key

smtpd_tls_cert_file = /etc/pki/tls/certs/mail.mydomain.org.cert

smtpd_tls_CAfile = /etc/pki/tls/root.crt

How can I map the files that Postfix wants to the ones generated by Let's Encrypt?

Is privkey.pem the smtpd_tls_key_file?

Is cert.pem the smtpd_tls_cert_file?

If yes, what is the smtpd_tls_CAfile?

2 Replies

A key piece of information, missing from most guides, is that the fullchain file is actually a combination of the cert+chain files. Essentially, you ignore cert and chain and use fullchain only.

So you end up with something like:

smtpd_tls_cert_file = fullchain.pem

smtpd_tls_key_file = privkey.pem

You do the same thing for other daemons, like HAProxy. Apache is a slightly different story, because it can do both: you can either give it the fullchain, or separate cert and chain files.

PS:

I strongly encourage you to avoid the official client, which is horribly bloated and on small hosting servers it consumes too many resources to do a simple job. One of the best alternatives is the Dehydrated client, which is a pure bash script: https://github.com/lukas2511/dehydrated

@IfThenElse:

I ended up this way:

smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.org/privkey.pem

smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.org/cert.pem

smtpd_tls_CAfile = /etc/letsencrypt/live/mydomain.org/fullchain.pem

and it works now, thanks.
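Both the mapping in the first reply (cert_file = fullchain.pem, key_file = privkey.pem) and the set-up the original poster ended with depend on how certbot's four files relate to each other. The script below is an added example, not code from this thread, from Let's Encrypt or from Postfix: it builds a throwaway root, intermediate and leaf with openssl, lays the results out the way /etc/letsencrypt/live/<domain>/ does, and then runs the checks worth doing before pointing Postfix at the files. The CA names, the hostname mail.example.org and the temporary directory layout are all constructed for the example; the checks themselves work unchanged on a real certbot directory.

```shell
#!/bin/sh
# Added example (not from the original posts, Let's Encrypt or Postfix): simulate a
# certbot "live" directory with a local root -> intermediate -> leaf chain and verify
# the relationships between cert.pem, chain.pem, fullchain.pem and privkey.pem.
# "Example Root CA", "Example Intermediate CA" and mail.example.org are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl config so the example does not depend on the system openssl.cnf.
cat >"$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.org
EOF

make_live_dir() {   # $1 = live dir to create, $2 = scratch dir for root/intermediate keys
  mkdir -p "$1"
  # Root CA: self-signed trust anchor. Lives in the OS trust store, NOT in chain.pem.
  openssl req -x509 -config "$WORK/ext.cnf" -extensions ca -newkey rsa:2048 -nodes -sha256 \
    -days 30 -subj "/CN=Example Root CA" -keyout "$2/root.key" -out "$2/root.pem" >/dev/null 2>&1
  # Intermediate CA signed by the root: this is what certbot writes to chain.pem.
  openssl req -new -config "$WORK/ext.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" -keyout "$2/int.key" -out "$2/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2/int.csr" -CA "$2/root.pem" -CAkey "$2/root.key" -set_serial 2 \
    -days 30 -sha256 -extfile "$WORK/ext.cnf" -extensions ca -out "$1/chain.pem" >/dev/null 2>&1
  # Leaf (server) certificate for the mail host, signed by the intermediate: cert.pem.
  openssl req -new -config "$WORK/ext.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=mail.example.org" -keyout "$1/privkey.pem" -out "$2/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2/leaf.csr" -CA "$1/chain.pem" -CAkey "$2/int.key" -set_serial 3 \
    -days 30 -sha256 -extfile "$WORK/ext.cnf" -extensions leaf -out "$1/cert.pem" >/dev/null 2>&1
  # fullchain.pem is literally cert.pem followed by chain.pem, server cert first.
  cat "$1/cert.pem" "$1/chain.pem" >"$1/fullchain.pem"
  chmod 600 "$1/privkey.pem"
}

# 1. privkey.pem and cert.pem must be a pair: compare the public keys they carry.
key_matches_cert() {
  k=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$1/cert.pem" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 2. fullchain.pem = cert.pem + chain.pem with the server certificate FIRST, which is
#    the order Postfix expects in smtpd_tls_cert_file.
fullchain_is_cert_plus_chain() {
  cat "$1/cert.pem" "$1/chain.pem" | cmp -s - "$1/fullchain.pem" || return 1
  # openssl x509 reads only the first certificate in a file, so this confirms the leaf leads.
  [ "$(openssl x509 -in "$1/fullchain.pem" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256)" ]
}

# 3. cert.pem chains to a trusted root THROUGH chain.pem (the intermediate is untrusted input).
chain_verifies() {   # $1 = live dir, $2 = trusted root certificate
  openssl verify -CAfile "$2" -untrusted "$1/chain.pem" "$1/cert.pem" >/dev/null 2>&1
}

# 4. ...but chain.pem on its own is not a trust store: it holds an intermediate, not a
#    self-signed root, so verification against it alone fails (unless partial chains are allowed).
chain_is_not_a_root_store() {
  ! openssl verify -CAfile "$1/chain.pem" "$1/cert.pem" >/dev/null 2>&1
}

# The two main.cf settings needed to serve the certificate. smtpd_tls_CAfile is the trust
# store for verifying remote *client* certificates and is not needed for this, so it is omitted.
postfix_main_cf() {
  printf 'smtpd_tls_cert_file = %s/fullchain.pem\nsmtpd_tls_key_file = %s/privkey.pem\n' "$1" "$1"
}

LIVE="$WORK/live/mail.example.org"
make_live_dir "$LIVE" "$WORK"
for check in key_matches_cert fullchain_is_cert_plus_chain chain_is_not_a_root_store; do
  "$check" "$LIVE" && echo "ok: $check" || { echo "FAIL: $check"; exit 1; }
done
chain_verifies "$LIVE" "$WORK/root.pem" && echo "ok: chain_verifies" || { echo "FAIL: chain_verifies"; exit 1; }
postfix_main_cf "$LIVE"
```

The chain Postfix sends to clients comes from smtpd_tls_cert_file, so the intermediate has to be in that file, which is why fullchain.pem is the right choice there. Keep privkey.pem root-only (mode 600, as certbot creates it); Postfix loads it with root privileges while the daemon starts, so it does not need to be readable by the postfix user. After each renewal run `postfix reload` (for example from a certbot deploy hook) so running daemons pick up the new files.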
