How to force dovecot and postfix to reload with acme.sh


#1

I run ACME on centos. The renewal works. What I need is how to force reload for postfix and centos immediately after the new certificates are created. Nginx doesn’t seem to be a problem, but I suppose it should be reloaded as well.


#2

Can you link to the project for “ACME”? Might you mean Certbot? Or acme.sh? Or acmetool?

Generally this can be done with hooks, which are supported by most ACME clients.


#3

Sorry about the lack of precision. It is acme.sh as found at https://github.com/Neilpang/acme.sh


#4

This should be what you’re after: https://github.com/Neilpang/acme.sh/wiki/Using-’--pre-hook’,-’--post-hook’,-’--renew-hook’-and-’--reload-cmd’

So an example hook might be:

systemctl reload nginx; systemctl reload postfix; systemctl reload dovecot;

#5

That should work. Thanks. Now to find where I run that script, but that is my problem.


#6

Can the moderator change acme to acme.sh in the subject line? That would make the thread more useful.


#7

It took me some time to find the file locations. I have a file for each domain located in /root/.acme.sh/. Doing a minimum of sanitizing (i.e. using mydomain.com), here is /root/.acme.sh/mydomain.com/mydomain.com.conf:

Le_Domain='mydomain.com'
Le_Alt='www.mydomain.com'
Le_Webroot='dns_dgon'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_API='https://acme-v01.api.letsencrypt.com/directory'
Le_Keylength=''
Le_LinkCert='https://acme-v01.api.letsencrypt.com/acme/cert/somelonghash'
Le_LinkIssuer='https://acme-v01.api.letsencrypt.com/acme/issuer-cert'
Le_CertCreateTime='1549932260'
Le_CertCreateTimeStr='Tue Feb 12 00:44:20 UTC 2019'
Le_NextRenewTimeStr='Sat Apr 13 00:44:20 UTC 2019'
Le_NextRenewTime='1555029860'
Le_RealCertPath=''
Le_RealCACertPath=''
Le_RealKeyPath='/root/certs/mydomain.com/mydomain.com.key'
Le_ReloadCmd='service nginx force-reload'
Le_RealFullChainPath='/root/certs/mydomain.com/fullchain.cer'

So I’m assuming I would add the following lines:

Le_ReloadCmd='systemctl reload postfix'
Le_ReloadCmd='systemctl reload dovecot'

I’m probably using an abundance of caution, but certs are tricky and doing it wrong breaks everything!

How does this look?


#8

Hmmm. I don’t know if acme.sh can handle separate declarations of the same variable like that - aren’t they just shell variables that would overwrite each other?

Maybe just chain the commands together into a single line like I did in my earlier post?


#9

Sure. Just replace the service nginx line with

Le_ReloadCmd='systemctl reload nginx;systemctl reload postfix;systemctl reload dovecot'
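
Added example, not part of any post above and not acme.sh code: the first function shows which Le_ReloadCmd value survives when a file like the one in post #7 is read as shell assignments (the assumption made in post #8), and the second reloads each service independently and reports failures, since a `;` chain only returns the status of its last command. The function names and the RELOADER override are hypothetical.

```shell
#!/bin/sh
# Added example; names below are illustrative, not acme.sh internals.
# RELOADER is a hypothetical override so the logic can be exercised without
# touching real services. By default it is "systemctl reload".
RELOADER="${RELOADER:-systemctl reload}"

# Print the value Le_ReloadCmd ends up with when the given conf file is read
# as plain shell assignments (assumption from post #8). Sourcing executes the
# file, so only point this at a root-owned conf. The subshell keeps the
# caller's variables untouched.
effective_reload_cmd() {
    ( . "$1" && printf '%s\n' "$Le_ReloadCmd" )
}

# Reload every named service, continuing past failures.
# Prints the services that failed and returns non-zero if any did,
# so a renewal job can alert instead of silently serving the old cert.
reload_all() {
    failed=""
    for svc in "$@"; do
        $RELOADER "$svc" >/dev/null 2>&1 || failed="$failed $svc"
    done
    [ -z "$failed" ] && return 0
    printf '%s\n' "${failed# }"
    return 1
}
```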