Certbot renew and postfix issues with sni_map

I have slowly learned, when doing letsencrypt certbot renew, to simply do both:

certbot renew --dry-run
certbot renew

Then a little later I started having issues with dovecot and postfix and learned that I should be restarting these services.

However, I started getting issues with clients like thunderbird and cell phones saying that the certificate is still expired. Doing some tests with openssl I can see that it's pointing to an old certificate, yet everything is correctly configured on the system, pointing to the right places, etc.

But postfix eventually gives me "certificate expired".

I always have to do

postmap -F /etc/postfix/sni_map

From what I can see everything seems ok after that, and openssl now shows the new expiration dates.

So should I be doing the following every time I run certbot renew? I would like to ensure I do the correct procedures when it is time for renewal.

certbot renew

postmap -F /etc/postfix/sni_map
systemctl restart postfix / or reload
systemctl restart dovecot

I am using virtualmin.
The system is configured for multiple domains.
Operating system: Debian Linux 11

My web server is (include version): apache2

My hosting provider, if applicable, is: VM

I can login to a root shell on my machine (yes):

I'm using a control panel to manage my site (no):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

You can use a deploy hook for the necessary commands after a renewal. See User Guide — Certbot 4.0.0 documentation for information about the hooks. (You need to scroll down a little bit.)

And yes, apparently running postmap after a renewal is necessary for Postfix to pick up the new certificate. It doesn't use the files directly, so just a reload isn't enough.

3 Likes
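A deploy hook that automates the sequence from the question (postmap -F, then the service reloads), as an added example written for this thread; it is not code from the original post, from Certbot or from Postfix. It assumes the SNI map lives at /etc/postfix/sni_map as in the question and that the script is installed, executable, under /etc/letsencrypt/renewal-hooks/deploy/, Certbot's standard deploy-hook directory. RENEWED_LINEAGE and RENEWED_DOMAINS are the environment variables Certbot exports to deploy hooks. The hook only touches the mail daemons when a renewed name is actually a key in the SNI map, and it runs postmap -F before the reloads, because the compiled sni_map.db embeds the certificate contents rather than referencing the files.

```shell
#!/bin/sh
# Certbot deploy hook: rebuild the Postfix SNI map and reload the mail daemons.
# Added example for this thread, not from the original post, Certbot or Postfix.
# Assumed paths: /etc/postfix/sni_map (the sni_map from the question) and the
# hook location /etc/letsencrypt/renewal-hooks/deploy/ (Certbot's default).
set -eu

SNI_MAP="${SNI_MAP:-/etc/postfix/sni_map}"

# Print the hostnames that are keys in a Postfix sni_map source file:
# the first field of every line that is not a comment and has a value.
sni_map_hosts() {
    # $1: path to the sni_map source file
    awk '$1 !~ /^#/ && NF >= 2 { print $1 }' "$1"
}

# Return 0 if any renewed domain ($1, space separated, the format of Certbot's
# RENEWED_DOMAINS) is a key in the sni_map ($2); otherwise return 1.
renewal_affects_mail() {
    renewed="$1"
    map="$2"
    for d in $renewed; do
        for h in $(sni_map_hosts "$map"); do
            [ "$d" = "$h" ] && return 0
        done
    done
    return 1
}

# Order matters: postmap -F reads the key and certificate files and stores
# their contents in sni_map.db, so the map must be rebuilt before Postfix
# re-reads it. A reload is enough for both daemons; no restart is needed.
refresh_mail_tls() {
    postmap -F "$SNI_MAP"
    systemctl reload postfix
    systemctl reload dovecot   # Dovecot reads the PEM files itself on reload
}

# Certbot sets RENEWED_LINEAGE only when it invokes a deploy hook after a
# successful renewal. Without it (e.g. when sourced for testing) do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if renewal_affects_mail "${RENEWED_DOMAINS:-}" "$SNI_MAP"; then
        refresh_mail_tls
    fi
fi
```

Make the file executable and `certbot renew` runs it once per lineage that was actually renewed; a plain web-only certificate renewal then leaves the mail daemons alone. A dry run does not execute deploy hooks, so exercise the script by hand with RENEWED_LINEAGE and RENEWED_DOMAINS set in the environment.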

May I suggest that you also do the two restarts AFTER the postmap and not before?

4 Likes

Thank you all for the comments.
@Buffalo yes, sorry I did not put that in order, but I understand why we would start with postmap.

1 Like

Not sure if that's also the case after running postmap, but with regular certificate renewals, Postfix automatically picks up the new certs. Maybe a restart isn't even required after postmap either. Also, a reload is usually the better choice instead of a restart, if a reload is necessary.

2 Likes

Postfix is supposed to re-read configurations often ... belt and suspenders - I don't know how dovecot handles such things.

2 Likes