Greetings,

On Tue, 20 Feb 2024 16:43:27 +0100,
m...@phosphorus.com.br wrote:
> 
> Which setup are you using to automatically update certs with certbot, in
> cron, and keeping /etc/httpd.conf updated accordingly?
> 

I use records in /etc/acme-client.conf like:

  authority letsencrypt {
      api url "https://acme-v02.api.letsencrypt.org/directory";
      account key "/etc/acme/letsencrypt-privkey.crt"
  }

  domain mx1.catap.net {
      alternative names { mx.catap.net }
      domain key "/etc/ssl/private/mx1.catap.net.key"
      domain full chain certificate "/etc/ssl/mx1.catap.net.crt"
      sign with letsencrypt
  }

which is very similar to the example, with one notable exception: I use
paths which comply with the relayd pki settings, and also keep the full chain.

The certificates are updated in one of two possible ways.

When a machine is dedicated to a single service and has only one
certificate, I keep this inside /etc/daily.local:

  acme-client $(hostname) && /usr/sbin/rcctl restart relayd smtpd dovecot

which restarts the related daemons when the certificate is updated.

Or, on a machine which is used for web hosting with multiple domains, where I
use relayd to terminate SSL, the update is done via /etc/daily.local as:

  SSL_UPDATED=0
  for domain in $(awk '/^domain/ { print $2 }' /etc/acme-client.conf)
  do
      acme-client $domain && SSL_UPDATED=1
  done

  if [ $SSL_UPDATED -ne 0 ]; then
      rcctl restart relayd
  fi

-- 
wbr, Kirill
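The daily.local loop above treats every non-zero acme-client exit the same way, so a failed renewal of one domain is indistinguishable from "nothing to do" and goes unnoticed until the certificate actually expires. Below is an added example, not code from the mail or from OpenBSD, that keeps the same structure (one acme-client run per `domain` block, one relayd restart at most) but separates acme-client's exit codes: 0 when a certificate was written, 2 when it is still valid, anything else is an error that gets reported. `ACME_CMD` and `RESTART_CMD` are hypothetical knobs so the functions can be exercised with stubs; the `list_domains` parser assumes, as in the config shown above, that block-internal keys such as `domain key` are indented.

```shell
#!/bin/sh
# Added example (not from the original mail): a daily.local-style renewal
# loop that distinguishes acme-client's exit codes
# (0 = certificate changed, 1 = failure, 2 = nothing to renew), reports the
# domains whose renewal failed, and restarts relayd at most once.

# Hypothetical knobs so the functions can be run against stubs; they
# default to the real tools.
ACME_CMD="${ACME_CMD:-acme-client}"
RESTART_CMD="${RESTART_CMD:-rcctl restart relayd}"

# list_domains CONF: print the names of the top-level "domain NAME {" blocks.
# Assumes block-internal keys ("domain key", "domain full chain ...") are
# indented, so only the block headers start in column one.
list_domains() {
    awk '/^domain[ \t]/ { print $2 }' "$1"
}

# renew_all CONF: try to renew every domain. On return, UPDATED holds the
# domains whose certificate changed and FAILED those that errored; the exit
# status is 0 only when no renewal failed.
renew_all() {
    conf=$1
    UPDATED=""
    FAILED=""
    for d in $(list_domains "$conf"); do
        rc=0
        $ACME_CMD "$d" || rc=$?
        case $rc in
            0) UPDATED="${UPDATED:+$UPDATED }$d" ;;   # new certificate written
            2) ;;                                      # still valid, nothing to do
            *) FAILED="${FAILED:+$FAILED }$d" ;;       # record it, keep going
        esac
    done

    # A single restart picks up every renewed certificate relayd serves.
    if [ -n "$UPDATED" ]; then
        echo "certificates updated for: $UPDATED"
        $RESTART_CMD
    fi

    if [ -n "$FAILED" ]; then
        echo "certificate renewal failed for: $FAILED" >&2
        return 1
    fi
    return 0
}

# In /etc/daily.local the whole thing reduces to:
#   renew_all /etc/acme-client.conf
# The call sits behind a knob here so the file can be sourced for testing
# without touching the real configuration.
if [ "${RENEW_NOW:-0}" = 1 ]; then
    renew_all /etc/acme-client.conf
fi
```

Because daily(8) mails the script's output, a non-empty `FAILED` line on stderr surfaces in the daily report instead of being silently swallowed by the `&&`, which is the point of separating the exit codes.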
