run bash script after cert renwal

no it displays ">"

1 Like

if i try with no "" i get

bash-3.2# /Users/localuser/ --install-cert -d -d --key-file /usr/local/kerio/mailserver/sslcert/server.key --fullchain-file /usr/local/kerio/mailserver/sslcert/server.crt --reloadcmd /usr/local/kerio/mailserver/keriomailserver restart

[Wed 12 Jan 2022 15:49:33 AEDT] Unknown parameter : restart

1 Like

ok it finally worked and actually ran the whole thing including restating the live server by only " " the relaoad-cmd so the exact command below for OSX system :

/Users/localuser/ --install-cert -d -d --key-file /usr/local/kerio/mailserver/sslcert/server.key --fullchain-file /usr/local/kerio/mailserver/sslcert/server.crt --reloadcmd "/usr/local/kerio/mailserver/keriomailserver restart"

Thankyou AZ !


Does that mean the cron i just added now will restart the service every day ? If the server had no cron job in the first place ?

1 Like

The cronjob will run every day, yes, but it won't do anything unless a certificate is due to be renewed.

1 Like

if there is only one cron job and that is the above how can i ensure the certs will be renewed ?
is there a command to check the renewal process is set and functional ?

1 Like

There's one main cronjob which install itself:

# crontab -l
7 0 * * * "/root/"/ --cron --home "/root/" > /dev/null

That cronjob will call the --install-cert for you, at the appropriate time.

I'm not sure, I don't think has a dry-run sort of command. You might try setting a calendar reminder 1 week prior to the expiry of your certificate, and check that your mailserver is using the new certificate at that point.

1 Like

Cheers AZ, after getting the reaload process set right i made a cron for each but there wasnt an existing cronjob :frowning:


Sorry to resurect this like a ZOMBIE from the dead but im still unclear on the process here
my files are in NON root homes (this is what the developer states is GOOD about
so my keys live in as an example "/Users/localuser/" my command i need to run to reboot the server has to be done via ROOT as a standard user doesnt have elevation and SUDO would require human interaction, my cron job is in ROOT and I can only run the job tuesday to friday as backups occur that cannot have the service restart and disrupt them. Is it correct that IF the "localuser" runs a command ONCE that acme remembers this for its ROOT CRON renewal ? Here also is an example of the crontab in root that i edited to ensure the cert doesnt change during time when the server is backing up
10 5 * * 1-5 "/Users/localuser/"/ --cron --home "/Users/localuser/" > /dev/null
Or does the ROOT cron job have to have the parameters set for the restarting of the server.

Please better explain the difference between "service restart" and "server restart", why they are being used, and what the desired goal is.

As I see it, the main purpose if the cron job is to renew the cert (by default).
Any job triggered can be attached with a service restart (in various ways).
And even a server restart [but I can't understand why that would ever be necessary].

1 Like

Hi Rg Thankyou for replying, the service is an SMTP "server" the "server" wont recognise the renewed certificate unless the service (not the whole hardware) is restarted, to add to the mix the service requires the keys and cert to be renamed which you can see in the example. The command I have cobbled together is : /Users/localuser/ --install-cert -d -d --key-file /usr/local/kerio/mailserver/sslcert/server.key --fullchain-file /usr/local/kerio/mailserver/sslcert/server.crt --reloadcmd "/usr/local/kerio/mailserver/keriomailserver restart"
This works when run manually and the last cert was created using it. I just have not seen the cert change since the last manual run, the current cert is due to expire 25th March. My worry is a) ive altered a cron job incorrectly and b) it wont run as its a mix of root and localuser permissions.

I think you could break the large single cron into two (or more) distinct steps.


  • renew cert
    [check twice daily]

  • restart kerio
    [restart (or, if possible, reload) it as often as you like - say... once a week, during off hours]

In doing so, Kerio will always have the latest cert.
And should anything go "wrong", you will be better suited to address the problem directly.

Check list:

  • did the cert renew?
  • did the latest cert files get placed into the correct location?
  • did Kerio restart (on schedule)?

Thanks @rg305, im stumped as to how the below

Users/localuser/ --install-cert -d -d --key-file /usr/local/kerio/mailserver/sslcert/server.key --fullchain-file /usr/local/kerio/mailserver/sslcert/server.crt --reloadcmd "/usr/local/kerio/mailserver/keriomailserver restart"

runs without being an actual visual cron command.
I have only one crontab in root nothing in the standard user where the cert resides, is it some magical juice that acme caches ? My whole setup relies on acme doing some voodoo i cannot test :frowning: then the root crontab does its thing

1 Like

The command shown is far from what would be expected to be found in cron.

If that is related, please show it.

It may seem like it, but it is far from that.
[ACME <> voodoo]


One -d only, in that context it refers to the certificate name. (The first column in --list)

bash-3.2# crontab -l

10 5 * * 1-5 "/Users/localuser/"/ --cron --home "/Users/localuser/" > /dev/null

Thankyou that command shows that its renewal date as below Wed Jan 12 18:10:44 UTC 2022 Sun Mar 13 18:10:44 UTC 2022

The cron "looks" normal.
But it won't actually try to renew until Mar 13 2022 [as shown by --list]
Since the 13th will be a Sunday, it might be until the 14th before you can see if it works.

1 Like

I made the edit to 1-5 to ensure that if it DOES update it wont cause the server to potentially reboot during a live backup, hopefully that isnt too restrictive ?

I don't see how can cause the server to reboot.
If that is happening, then you do have a serious problem.
Unless, this is somehow triggering it:

1 Like