Yes, that seems to match what I’ve got in my previous post, albeit with some formatting issues. Make certain that you put the pound sign (#) in front of the first line as I’ve specified as it is a comment. Without it, your file won’t work.
OK, great, now I know what to do. I did correct that, but if I put the # next to it, it goes big, so I removed the space. I'm guessing on Acme on pfSense I will require separate certs?
Thanks.
Jack.
Ah. For posting purposes in this forum, you can put a backslash (\) right before the pound sign (#) to "escape" the pound sign, which will then simply be printed as a regular character. The backslash won't be printed. Obviously don't do this in the actual file you create.
I'm not totally sure here. Usually the primary reason you would need separate certs is if the environments of the webservers are separate (e.g. different machines).
I'm using the Acme package with HAProxy for the web side of things for webmail, then Certbot to obtain the cert for Postfix and Dovecot, if that makes sense?
I’m not too familiar with that setup, so I don’t want to steer you wrong. My rule of thumb for generating separate certificates is:
If you find yourself needing to copy a private key to a different device, you probably should generate a separate certificate.
That said, @_az was very wise in counseling you not to generate separate certificates to avoid having to create SNI maps. This is so that all of the servers would be serving the same certificate with all of the domains included. Thus it wouldn’t matter which server actually serves the certificate when a request is made, regardless of the domain (server) being requested. It’s a bit like an employee at a store giving a standard greeting regardless of what the customer wants. This only applies for multiple webservers on a single device (ip) though.
I'm pretty sure the dns_digitalocean_token = TOKEN needs to be a separate line, not directly after the comment before it.
OK, awesome. I will do what you suggested for Certbot, and I will create the certs in Acme on pfSense for HAProxy to serve the webmail per mail domain.
I think that sounds right based on my digestion of this long topic. Be sure to review the prior posts to be sure you have everything in order. @Osiris makes a very good point. Sometimes in this forum it is difficult to see line breaks clearly, but they are crucial in configuration files. You should have two lines only in your Digital Ocean credentials file:
- The comment preceded by pound (#).
- The line specifying your token.
OK, sweet. You mean I should have a # in front of DigitalOcean API credentials used by Certbot dns_digitalocean_token =
API key under the first line?
You really need to work on formatting your posts, mate.
Line 1 (exactly this):
# DigitalOcean API credentials used by Certbot
Line 2 (exactly this, except replace token with your actual token):
dns_digitalocean_token = token
Yes, like this. It's hard to get the formatting correct on forums. Sorry about that. Then, to fix the permissions:
sudo chmod 600 digitalocean.ini
Then run the following:
certbot certonly --cert-name mailcert --dns-digitalocean --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini --dns-digitalocean-propagation-seconds 60 -d mail.domain1.com,mail.domain2.com,etc
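As an added example, not from the thread, a small POSIX sh check for the credentials file discussed above: it confirms the two-line layout (a # comment, then the dns_digitalocean_token line on its own) and the chmod 600 permissions before the certonly command is run. The function name check_do_credentials and the sample token values are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: validate a Certbot DigitalOcean
# credentials file before running "certbot certonly --dns-digitalocean".
# Checks the two points discussed above: exactly two lines (a "#" comment,
# then "dns_digitalocean_token = <token>") and mode 600, since the file
# holds an API secret. Returns 0 when the file is correct, 1 otherwise.

check_do_credentials() {
    file="$1"
    rc=0

    if [ ! -f "$file" ]; then
        echo "ERROR: $file does not exist"
        return 1
    fi

    # Count non-empty lines so a trailing newline is not a third line.
    line_count=$(grep -c . "$file") || true
    if [ "$line_count" -ne 2 ]; then
        echo "ERROR: expected 2 lines, found $line_count"
        rc=1
    fi

    # Line 1 must be a comment: the pound sign is the very first character.
    if ! sed -n '1p' "$file" | grep -q '^#'; then
        echo "ERROR: line 1 must start with '#'"
        rc=1
    fi

    # Line 2 must be the token on its own line, not glued onto the comment.
    if ! sed -n '2p' "$file" | grep -Eq '^dns_digitalocean_token[[:space:]]*=[[:space:]]*[A-Za-z0-9_-]+$'; then
        echo "ERROR: line 2 must read 'dns_digitalocean_token = <token>'"
        rc=1
    fi

    # Owner-only permissions; GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    if [ "$mode" != "600" ]; then
        echo "ERROR: mode is $mode; run: chmod 600 $file"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file is ready for certbot"
    return "$rc"
}
```

Run it as check_do_credentials ~/.secrets/certbot/digitalocean.ini after creating the file; a non-zero exit means one of the two problems above is still present.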
Bingo. You got it my friend.
You caught me on the not escaping the pound. I already fixed it though.
My comment was referring to this, well, mess:
Line breaks and punctuation. Not your enemies.
Thank you, sir. I shall plan my downtime later on tonight, as I don't get many emails in the night like I do in the day due to clients.
Thank you.
Godspeed and let us know how it goes.
I sure will, thank you.
Downtime?
Yes, as I've got to upgrade my mail server; it is running 16.04.
Just an update.
I think I missed something out. Do I need a cron for this? I'm guessing I do. Is this correct?
sudo crontab -e
@daily certbot renew --quiet && systemctl reload postfix dovecot nginx
Thanks.
Jack.
Yeah, since you're using certonly, you'll need to create that for automatic renewals. I don't believe you need the reloads in the cron if you've included --post-hook "service postfix reload; service dovecot reload;", which is probably the better way to go.
You mentioned I don't need reloads in cron. Where would this go in? --post-hook "service postfix reload; service dovecot reload;"
I'm guessing I need this then? @daily certbot renew --quiet && --post-hook "service postfix reload; service dovecot reload;"