Generating a LetsEncrypt cert for Dovecot


I have web hosting with a provider and use their DNS service. But I don’t use their IMAP server – I host my own at home. Email clients like Thunderbird are averse to self-signed certs. So I generate a LetsEncrypt signed cert for my Dovecot IMAP server.

On my home machine:

  • Install the certbot utility (FreeBSD port: py37-certbot)
  • Run certbot:
    certbot certonly --manual --preferred-challenges=dns --agree-tos --email=<my email address> -d <imap host name>
  • Confirm that I’m OK with my IP being logged

On the provider’s control panel web site:

  • Add a DNS TXT record with the name and value generated by certbot
  • Wait a few minutes for the DNS record to be served

Back on my home machine:

  • Press Enter at the certbot prompt
  • Wait for certbot to clean up and show the names of the files containing the cert
  • Edit the Dovecot config file to point the ssl_cert and ssl_key lines to the files generated by certbot. Note that the first less-than sign on each line is part of the config. E.g.
ssl_cert = < <generated fullchain.pem file name>
ssl_key = < <generated privkey.pem file name>
  • Restart Dovecot
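
A pre-restart check for the config edit described above, as an added example that is not part of the original post. The function names `tls_path` and `check_dovecot_tls` are hypothetical; pass it the path of whichever Dovecot config file holds your ssl_cert and ssl_key lines.

```shell
#!/bin/sh
# Added example: sanity-check the ssl_cert / ssl_key lines before restarting Dovecot.
# Function names are hypothetical; usage: check_dovecot_tls <dovecot config file>

# Print the file path for one setting. Fails if the setting is absent or the
# value lacks the leading "<" that tells Dovecot to read it from a file.
tls_path() {
    # $1 = setting name, $2 = config file
    line=$(grep -E "^[[:space:]]*$1[[:space:]]*=" "$2" | tail -n 1)
    [ -n "$line" ] || { echo "$1: not set in $2" >&2; return 1; }
    value=$(printf '%s\n' "$line" |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
    case $value in
        '<'*) printf '%s\n' "$value" | sed -e 's/^<[[:space:]]*//' ;;
        *)    echo "$1: missing leading '<' before the file name" >&2; return 1 ;;
    esac
}

check_dovecot_tls() {
    conf=$1
    cert=$(tls_path ssl_cert "$conf") || return 1
    key=$(tls_path ssl_key "$conf") || return 1
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "$cert does not look like a PEM certificate" >&2; return 1; }
    # -L follows certbot's symlinks; character 8 of the mode string is "other read".
    case $(ls -lLd "$key" | cut -c1-10) in
        ???????r*) echo "$key is world-readable" >&2; return 1 ;;
    esac
    echo "ok: $cert / $key"
}
```

A non-zero exit status means the restart would pick up a broken or unsafe TLS setting; the reason is printed on stderr.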

When I need to renew the cert in a couple of months’ time, I can just do:

certbot renew
