Website · encryption letsencrypt ssl · 2021-10-18 · Daniel

I have been needing to cut over to acme v2 for a long time, and I didn't bother doing it until way too late -- this weekend. As a result of my tardiness, my iPhone has not been able to receive email from my mail server for more than a month now.

My current mail server runs dovecot + postfix (plus some other stuff), manually installed on FreeBSD, and I have been trying to get Docker Mailserver working on a new Ubuntu server and have been having nothing but trouble with that, so I finally gave up. On the new setup I will still install everything with Ansible, it just won't be Dockerized, and I'm okay with this.

Tonight I decided that in the interim I needed to at least fix the SSL certificates. While doing this, I ran into a problem that I cannot believe is not called out anywhere, so I'm writing about it. To be fair, this is documented here, but no howto I found mentions it.

Let's Encrypt's client page lists acme.sh, but does not bother to mention that one must pass in the --server parameter in order to use the Let's Encrypt CA with acme.sh. One must do this because the default CA for acme.sh is ZeroSSL.

In fact, none of the dozen or so howtos I read made any mention of this! And, since I had never heard of ZeroSSL until tonight, I had no idea that it was a competitor to Let's Encrypt.

In order to create the Let's Encrypt certificate for my mail server (mail.unixdude.net), I set the DO_API_KEY environment variable, then ran:

acme.sh --issue -d mail.unixdude.net --dns dns_dgon --server letsencrypt

The magic there, for the Let's Encrypt user, is the --server letsencrypt parameter -- because as I mentioned the default is ZeroSSL. If you try it without specifying the server, parts of this work and other parts of this do not work, and the problem is not obvious, or at least it was not obvious to me.

In any case, I now have new certs running, and have a fully functioning system again -- which gives me time to cut over to a new server.

I hope this post helps others who are running into the same issue I was hitting.