Certbot, Dovecot, Postfix, certificate renewal issue automatic crontab certbot

Mazufa · April 3, 2020, 12:30pm

Hello!

I have my own email server where I use Let`s Encrypt SSL certificates. I have Debian, Nginx Postfix and Dovecot.

I have a problem like this that I haven’t been able to find a solution to. I would need a crontab command to reload the Nginx, Dovecot and Postfix programs in order to automatically enable the automatically renewed Let`s Encrypt certificate. I want the certbot crontab to run once a day at 00:00 at night.

I would be very grateful if someone could give me the command I needed so I could just attach it. I don’t have much knowledge of the Crontab command, and I have a little poor English proficiency. I have to use quite a lot of google compiler.

My domain is: isosomppi.fi

I ran this command:

It produced this output:

My web server is (include version): Nginx 1.10.3

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: virmach.com

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot 0.28.0

9peppe · April 3, 2020, 12:38pm

You mean a command like this?

certbot renew --deploy-hook "systemctl reload postfix dovecot nginx"

See: https://certbot.eff.org/docs/using.html

--deploy-hook DEPLOY_HOOK

Command to be run in a shell once for each
successfully issued certificate. For this command, the
shell variable $RENEWED_LINEAGE will point to the
config live subdirectory (for example,
"/etc/letsencrypt/live/example.com") containing the
new certificates and keys; the shell variable
$RENEWED_DOMAINS will contain a space-delimited list
of renewed certificate domains (for example,
"example.com www.example.com" (default: None)

Mazufa · April 3, 2020, 12:53pm

Yes, that’s exactly what I mean. My current Crontab command is in this image. To this should only be added the launch of Dovecot, Postfix and Nginx after automatic renewal so that the new SSL certificate will be applied automatically.

However, I’m not sure how I should edit this command to make sure everything is correct.

9peppe · April 3, 2020, 12:56pm

Leave that alone, show me the output of systemctl list-timers --all

you probably just need to add a line like this in /etc/letsencrypt/renewal/your_cert_name.conf

renew-hook = systemctl reload postfix dovecot nginx

Mazufa · April 3, 2020, 1:17pm

Here are the results you asked for.

I haven’t edited the certbot crontab command yet.

9peppe · April 3, 2020, 1:19pm

don’t edit the crontab, your certbot timers are taking care of your certificate renewal needs.

just add that line on the /etc/letsencrypt/renewal/your_cert_name.conf file.

Mazufa · April 3, 2020, 1:25pm

So add this command ?: renew-hook = systemctl Reload postfix dovecot nginx

to this file ?: /etc/letsencrypt/renewal/your_cert_name.conf

Does that file still sound empty? It’s empty for me and there’s nothing there.

9peppe · April 3, 2020, 1:27pm

not literally your_cert_name.conf, the relevant file for your certificate.

Mazufa · April 3, 2020, 1:35pm

So is there something wrong with the settings? I haven’t configured the entire server myself. Let`s Encrypt and all mail programs have been configured by a virmach.com company technician.

However, the auto-renewed certificate is not enabled automatically and that is my problem.

Google translator may also mix things up, and I apologize if I have understood something wrong.

9peppe · April 3, 2020, 1:41pm

It looks like it is, from my point of view.

Mazufa · April 3, 2020, 2:29pm

You didn’t seem to understand my problem. I’m sorry if google translator because of embarrassment.

I want Postfix, Nginx and Dovecot to reload automatically when Certbot renews my certificate. After all, the renewed certificate will not be used unless the programs I mentioned are reloaded. So how should I modify this command so that Postfix, Nginx and Dovecot are reloaded when Let`s Encryt SSL is reload automatically. This is my command: 0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e ‘sleep int(rand(43200))’ && certbot -q renew

I understand that this file is OK: /etc/letsencrypt/renewal/your_cert_name.conf

9peppe · April 3, 2020, 2:35pm

that line in your crontab does nothing because your system uses systemd and certbot uses a systemd timer to handle automatic renewals.

by adding that line in your /etc/letsencrypt/renewal/mail.isosomppi.fi.conf you tell certbot “whenever you have renewed this certificate, run this command”

Mazufa · April 3, 2020, 3:59pm

Now I understood what you meant

So I add this command renew-hook = systemctl Reload postfix dovecot nginx to this file ?: /etc/letsencrypt/renewal/mail.isosomppi.fi.conf

mail.isosomppi.fi is the webmail and iredadmin subdomain of my email server. isosomppi.fi is my domain. Will I also add that command to /etc/letsencrypt/renewal/isosomppi.fi.conf?

9peppe · April 3, 2020, 4:04pm

you need to adapt the command, each config file should have a different command, to reload the services using that specific certificate.

system · May 3, 2020, 4:03pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.