Submitted by stretch on Thu, 12/01/2016 - 21:58
There's a regression after the https://www.virtualmin.com/node/43460 issue fix: browsers are now OK, but mail clients, for example Evolution on Linux, don't recognize the Let's Encrypt authority now.
Can you make the scripts generate a separate certificate with the X1 Let's Encrypt authority for postfix/dovecot?
Status: Active
Comments
Submitted by JamieCameron on Thu, 12/01/2016 - 22:56 Comment #1
That's crazy! Let's Encrypt has declared that the X3 CA is the official cert now, so it seems like a bug in the mail client if only the X1 cert is recognized.
Submitted by stretch on Sun, 12/04/2016 - 07:20 Comment #2
Browsers are bundled with trusted CA certs, and mail clients use system CA certs, so there may be a lag while all systems get updates, and some of them, such as old Android versions, won't get them ever.
Submitted by JamieCameron on Sun, 12/04/2016 - 12:07 Comment #3
I'm not sure if this is fixable in a way that satisfies all clients. The best option is for Virtualmin to use the X3 cert, and wait for clients to catch up.
Submitted by stretch on Fri, 12/09/2016 - 05:43 Comment #4
Maybe make a separate legacy certificate file with both X1 and X3 for dovecot?
Submitted by JamieCameron on Sat, 12/10/2016 - 19:38 Comment #5
Right, but wouldn't that cause new mail clients that only accept the X3 CA to break?