Hi all,
I used certbot in standalone mode to set up TLS certs for a mailserver running postfix. The basic approach is outlined here:
Let’s Encrypt certificates for mail servers and DANE – Part 1 of 2
Let’s Encrypt certificates for mail servers and DANE – Part 2 of 2
Once I had added a TLSA record for port 25 in the DNS record, DANE validated for smtp on that server.
For the renewals, I would rather use the approach described in part 2 of the above in which the existing CSR is used so that the TLSA hash value remains the same and I won’t have to update the DNS record manually every three months or so.
However, I don’t entirely understand the behaviour of --csr.
I run this command:
certbot certonly \
--standalone \
--agree-tos \
--email root@mydomain \
--renew-by-default \
--domains mx2.mydomain \
--csr /usr/local/etc/letsencrypt/csr/0007_csr-certbot.pem \
--keep
It seems to run fine, no errors. But it also does not indicate whether or not the certificate is about to expire and needs to be renewed; IOW, whether it is actually going through the renewal process.
I see these three files in the working directory:
0000_cert.pem
0000_chain.pem
0001_chain.pem
Is it now simply a matter of having my script copy 0000_cert.pem and 0000_chain.pem to, respectively,
../archive/mydomain/cert1.pem
../archive/mydomain/chain1.pem
Am I missing something here?
Thanks
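A stand-alone check for the renewal script described above, added here as an example and not taken from the post or from certbot: it computes the "3 1 1" TLSA value (SHA-256 over the DER SubjectPublicKeyInfo) of a PEM certificate using only the Python standard library, so the script can confirm that the new 0000_cert.pem still matches the published record before the files are copied into place. The function names and the constructed stand-in certificate are assumptions; point `tlsa_3_1_1` at the real cert and the old one (or the value in DNS) to compare.

```python
import base64, hashlib, re
# Added example (not from the post or from certbot): compute the DANE TLSA "3 1 1"
# value of a PEM certificate with the standard library only, to confirm a renewal
# that reused the old CSR still matches the published record before deploying it.

def der_node(buf, off):
    # Return (tag, header length, content length) of the DER element at off.
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    return tag, hdr, length

def der_children(buf, off):
    # Yield (start, end) offsets of each element inside the SEQUENCE at off.
    _, hdr, length = der_node(buf, off)
    pos, end = off + hdr, off + hdr + length
    while pos < end:
        _, h, n = der_node(buf, pos)
        yield pos, pos + h + n
        pos += h + n

def spki_der(cert_der):
    # tbsCertificate = [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...  -> SPKI is field index 5.
    tbs, _ = next(der_children(cert_der, 0))
    fields = list(der_children(cert_der, tbs))
    if cert_der[fields[0][0]] == 0xA0:
        fields = fields[1:]
    start, end = fields[5]
    return cert_der[start:end]

def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def tlsa_3_1_1(pem):
    # The hex field of "TLSA 3 1 1": SHA-256 over the DER SubjectPublicKeyInfo.
    return hashlib.sha256(spki_der(pem_to_der(pem))).hexdigest()

# Constructed sample input: tiny DER encoder and a stand-in certificate with the
# real field order but dummy contents (no real key; openssl would reject it).
def der(tag, content):
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def fake_cert_pem(spki):
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki
    cert = der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()

RSA_ALG = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
SPKI_KEPT = der(0x30, RSA_ALG + der(0x03, b"\x00" + b"\x11" * 150))  # key reused via the old CSR
SPKI_NEW = der(0x30, RSA_ALG + der(0x03, b"\x00" + b"\x22" * 150))   # a freshly generated key
```

If the two values differ, the renewal used a new key pair and the TLSA record has to be updated (and the old one kept until caches expire) before the new certificate goes live on port 25.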