Greetings,

On Tue, 20 Feb 2024 16:43:27 +0100, m...@phosphorus.com.br wrote:
> Which setup are you using to automatically update certs with certbot, in
> cron, and keeping /etc/httpd.conf updated accordingly?
I use records in /etc/acme-client.conf like:

authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.crt"
}

domain mx1.catap.net {
	alternative names { mx.catap.net }
	domain key "/etc/ssl/private/mx1.catap.net.key"
	domain full chain certificate "/etc/ssl/mx1.catap.net.crt"
	sign with letsencrypt
}

which is very similar to the example, with one notable exception: I use
paths which are compliant with the relayd pki settings, and I also keep
the full chain.

The certificates are updated in one of two possible ways.

When a machine is dedicated to a single service and has only one
certificate, I keep inside /etc/daily.local:

acme-client $(hostname) && /usr/sbin/rcctl restart relayd smtpd dovecot

which restarts the related daemons when the certificate is updated.

Or, on a machine which is used for web hosting with multiple domains, I
use relayd to terminate SSL and the update is done via /etc/daily.local
as:

SSL_UPDATED=0
# acme-client exits 0 only when a certificate was actually changed
for domain in $(awk '/^domain/ { print $2 }' /etc/acme-client.conf)
do
	acme-client $domain && SSL_UPDATED=1
done
if [ $SSL_UPDATED -ne 0 ]; then
	rcctl restart relayd
fi

-- 
wbr, Kirill
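An added example, not part of Kirill's message: the same daily.local loop, extended so that the three acme-client(1) exit statuses (0 certificate changed, 2 still valid, 1 failure) are told apart, daemons are restarted only after a real renewal, and a failed domain makes the run exit non-zero so /etc/daily reports it. The names ACME_CMD, RCCTL_CMD, ACME_CONF and the script path /usr/local/sbin/acme-renew are assumptions for this example; the awk pattern matches only "domain <name> {" lines so the "domain key" lines inside a block are not mistaken for domains.

```shell
#!/bin/sh
# Added example for the daily.local approach above (not Kirill's script).
# ACME_CMD, RCCTL_CMD and ACME_CONF are assumed names, overridable for
# testing; they default to the real binaries and config path.
ACME_CMD=${ACME_CMD:-acme-client}
RCCTL_CMD=${RCCTL_CMD:-/usr/sbin/rcctl}
ACME_CONF=${ACME_CONF:-/etc/acme-client.conf}

# List the domain blocks of acme-client.conf. Matching "domain <name> {"
# skips the "domain key" / "domain full chain certificate" lines in blocks.
acme_domains() {
    awk '$1 == "domain" && $NF == "{" { gsub(/"/, "", $2); print $2 }' "$1"
}

# Run acme-client for every domain. acme-client(1) exits 0 when the
# certificate changed, 2 when it is still valid and 1 on failure.
# Sets RENEWED and FAILED; returns 1 if any domain failed, else 0.
renew_all() {
    RENEWED=0
    FAILED=0
    for domain in $(acme_domains "$1"); do
        rc=0
        "$ACME_CMD" "$domain" || rc=$?
        case $rc in
        0) RENEWED=$((RENEWED + 1)) ;;
        2) ;;   # certificate still valid, nothing to do
        *) FAILED=$((FAILED + 1))
           echo "acme-client $domain failed (exit $rc)" >&2 ;;
        esac
    done
    [ "$FAILED" -eq 0 ]
}

# Restart the daemons serving the certificates, but only after a renewal.
restart_if_renewed() {
    if [ "$RENEWED" -gt 0 ]; then
        "$RCCTL_CMD" restart "$@"
    fi
}

# Entry point; a failed domain propagates as a non-zero exit status.
main() {
    status=0
    renew_all "$ACME_CONF" || status=$?
    restart_if_renewed relayd smtpd dovecot
    return "$status"
}

# Invoked from /etc/daily.local as: sh /usr/local/sbin/acme-renew run
if [ "${1:-}" = run ]; then
    main
fi
```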