one additional note for anyone else searching the Discord: letsencrypt (actually Certbot, but you know) makes the /etc/letsencrypt/live directory owned by root and only accessible by owner
I would recommend something like this (though have seen other people blow their permissions away… which could work)
```
# let the group traverse and list the live directory
chmod g+rx /etc/letsencrypt/live
```
technically using ACLs is more correct, and it will depend on what else you’re doing on the server. This is not legal or financial advice; odds of winning are 1 in 2 trillion
Fantastic. Sounds like you are making progress. I switched to LetsEncrypt when one of the injectors I was testing would not work with my self-signed cert. It still complained, but did not fail.
this injector is still failing
but that’s on them at this point
Certbot changes the permission to root and accessible by owner-only when it renews the certificate, so it’s better to do that chmod/chgrp in a cronjob, as with `certbot renew --post-hook` or `--deploy-hook`. I have a cronjob doing a renew once a week and copying the certificate in the post-hook to somewhere accessible by kumo in /opt/kumomta/etc
Something like this in the
```
# every Saturday at 00:00: renew, then copy the key and full chain to where kumo can read them
0 0 * * 6 certbot renew --post-hook 'cat /etc/letsencrypt/live/my.domain.com/privkey.pem > /opt/kumomta/etc/ssl/private/key.pem; cat /etc/letsencrypt/live/my.domain.com/fullchain.pem > /opt/kumomta/etc/ssl/certs/fullchain.crt'
```
that’s helpful, thank you
right now I found out there’s an issue on the other end’s side that I need to overcome, but then I should make sure that the cert is accessible to Kumo
hmm
question: the fullchain.crt is that referenced somewhere in Kumo’s config?
(since I missed the whole .pem bit of the config before, I figured I should check)
No. We do not have a reference for the chain cert
But… there are ways you can append them all together. Have not done that in a while so I’d need to look it up
I don’t think that’s where the issue here lies. I’m waiting on the other end, but it looks like their MailKit integration doesn’t like LetsEncrypt
which is surprising to me. I don’t fully remember how CAs work right now, but it should work…
```
CONNECTED(00000003)
808B909A897F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```
does this maybe mean that Kumo isn't returning my SSL cert?
no, it doesn’t. never mind
hmm. something is weird though.
`openssl s_client -starttls smtp -crlf -connect localhost:25` is what I tend to use to inspect certs