Post Hook and Qmail/Dovecot

I created a multi-domain certificate to secure all our various mail server domains and it’s running perfectly. However, I need to be able to properly and automatically renew the certificate against qmail and dovecot and that’s where things get tricky.

Qmail requires that the privkey and full chain are cat’d together, and the resulting file is then copied to a different directory, and finally that three different services via daemontools are restarted (imap, smtpd, and smtpd-auth).

Here’s what needs to happen (only on a successful renewal):

cat /etc/letsencrypt/live/mail.example.com/privkey.pem /etc/letsencrypt/live/mail.example.com/fullchain.pem > /var/qmail/control/servercert.pem
cp servercert.pem /var/qmail/control/servercert.pem
chown vpopmail.vchkpw /var/qmail/control/servercert.pem
chmod 640 /var/qmail/control/servercert.pem
svc -d /service/imap
svc -d /service/qmail-smtpd
svc -d /service/qmail-smtpd-auth
svc -u /service/imap
svc -u /server/qmail-smtpd
svc -u /server/qmail-smtpd-auth

Right now, I have a post_hook line in my renewal config file that restarts apache and that works perfectly, but I’m not sure how I get it to do all the rest of what is needed, and only when this specific certificate is successfully renewed. I do not want this to happen every time any certificate on this server (and there are many) is renewed.

1 Like

bash executable "script" file.

If you have multiple certs and only wish to run these commands when only one is renewed, then you will need to call the ACME client specifically for just that one cert before calling it to renew all certs.

In whichever case, you will need to use --deploy-hook.
As per: User Guide — Certbot 1.21.0 documentation

image

If you are using a different ACME client, you will need to review their documentation for a similar feature.

1 Like

Thank you. I am using certbot-auto and have extensively read through the docs before posting. I was more looking for an actual solution rather than pointing me to reading through the docs again. I am not a programmer and just need the cert to automatically update.

1 Like

I understand you are NOT a programmer but your request requires some programming.
This can’t be avoided.
It doesn’t seem very complicated and only needs to be done right ONCE.

Unfortunately anyone with a few dollars and a desire to become a system administrator… can be.
If you are NOT up to the job, then it might be time for a more skilled/trained person to takeover.
Don’t get me wrong, if you are going to do this but it will take you 50 hours… is it really worth it?

Sadly, this is a forum for LetsEncrypt and related ACME clients - all of which appear to be working as expected in your case.
As you stated “I need to be able to properly and automatically renew the certificate against qmail and dovecot and that’s where things get tricky.
Tricky indeed, there is no simple answer to that request - no one-click button (that I know of - but, again, this may not be the right forum for that kind of request) and it will require some (minimal) programming skill to create/test/implement a working solution.

As for the link I provided, I pointed you in the right direction (--deploy-hook instead of --post-hook) and showed the doc link as a reference. We are not here to “do-it-for-anyone”… We are here to help when those who “do-it-themselves” try and fail and those failures are within the systems and services we provide support for.

[that seems very long-winded - oh well… c’est la vie]

1 Like

Here's a tip for this combination: Certbot sets a RENEWED_DOMAINS environment variable. Your script can inspect that variable to decide whether to take extra actions, like concatenating certs/keys into one file.

Please don't forget to set an appropriate umask, or otherwise make sure that any files containing key material will have secure modes.

3 Likes

like

if echo "$RENEWED_DOMAINS" | grep -q example.com
then
# some stuff
fi

(Note that this isn’t quite correct because it will match on example.com as a substring of any renewed domain, like example.community.example.net. A more correct but certainly harder to understand version is if echo "$RENEWED_DOMAINS" | tr ' ' '\n' | grep -qx example.com or something like that.)

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.