I used certbot in standalone mode to set up TLS certs for a mailserver running postfix. The basic approach is outlined here:
Once I had added a TLSA record for port 25 in the DNS record, DANE validated for smtp on that server.
For the renewals, I would rather use the approach described in part 2 of the above in which the existing CSR is used so that the TLSA hash value remains the same and I won’t have to update the DNS record manually every three months or so.
However, I don’t entirely understand the behaviour of -csr.
I run this command:
    certbot certonly \
      --standalone \
      --agree-tos \
      --email root@mydomain \
      --renew-by-default \
      --domains mx2.mydomain \
      --csr /usr/local/etc/letsencrypt/csr/0007_csr-certbot.pem \
      --keep
It seems to run fine, no errors. But it also does not indicate whether or not the certificate is about to expire and needs to be renewed; IOW, whether it is actually going through the renewal process.
I see these three files in the working directory:
    0000_cert.pem
    0000_chain.pem
    0001_chain.pem
Is it now simply a matter of having my script copy 0000_cert.pem and 0000_chain.pem to resp.
Am I missing something here?
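The reason reusing the CSR keeps the TLSA record valid is that a "3 1 1" record hashes only the SubjectPublicKeyInfo, which is fixed by the key pair, not by the issuing CA or the validity dates. The script below is an added example, not from the post or from certbot: it assumes the openssl CLI is available, uses a constructed host name mx2.example.test and a throwaway key, and checks that the SPKI digest of the CSR equals that of two separate certificates issued from it, then prints the matching TLSA record.

```shell
#!/bin/sh
# TLSA usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256).
# The digest is taken over the DER-encoded SPKI, so it depends only on the public key.

spki_sha256_from_csr() {  # $1 = PEM CSR, prints lowercase hex digest
  openssl req -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/.*= *//'
}

spki_sha256_from_cert() {  # $1 = PEM certificate, prints lowercase hex digest
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/.*= *//'
}

tlsa_record() {  # $1 = mail host name, $2 = hex digest; prints the zone-file line for port 25
  printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$2"
}

# Demo with a constructed key and CSR (not a real mail server's material).
# Two self-signed certificates stand in for two renewals from the same CSR.
# Returns 0 and prints the TLSA record only if all three SPKI digests agree.
dane_csr_reuse_demo() {
  dir=$(mktemp -d) || return 1
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/key.pem" 2>/dev/null
  openssl req -new -key "$dir/key.pem" -subj "/CN=mx2.example.test" \
    -out "$dir/csr.pem" 2>/dev/null
  openssl x509 -req -in "$dir/csr.pem" -signkey "$dir/key.pem" -days 1 \
    -out "$dir/cert1.pem" 2>/dev/null
  openssl x509 -req -in "$dir/csr.pem" -signkey "$dir/key.pem" -days 2 \
    -out "$dir/cert2.pem" 2>/dev/null
  csr_d=$(spki_sha256_from_csr "$dir/csr.pem")
  c1=$(spki_sha256_from_cert "$dir/cert1.pem")
  c2=$(spki_sha256_from_cert "$dir/cert2.pem")
  rm -rf "$dir"
  [ -n "$csr_d" ] && [ "$csr_d" = "$c1" ] && [ "$c1" = "$c2" ] || return 1
  tlsa_record mx2.example.test "$csr_d"
}
```

After each certbot --csr run, spki_sha256_from_cert on the new 0000_cert.pem should equal the digest already published in DNS; a mismatch means a different key was used and the TLSA record must be updated before the new certificate is deployed.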