On 23.11.2025 at 00:18:12, Viktor Dukhovni via Postfix-users writes:
> Combining Let's Encrypt with DANE can be tricky, because by default your
> private key changes automatically with every renewal and it is not
For everybody using LetsEncrypt certs, I'd recommend the very simple shell script "bacme" (link available from the LetsEncrypt page listing client implementations: https://letsencrypt.org/docs/client-options/ ) instead of the probably much more popular and (in my view) complicated solutions like Certbot.

For me the advantage of this script is that it doesn't do anything "behind your back" (which I have the impression the other clients do); it only generates certs one time and you must call it explicitly to do it.

By default this script also generates a new private key with each renewal, but it was quite simple for me to modify it to use an already existing key and CSR if they exist. Works very well. I have already renewed the certs several times with this script and the private keys stay the same.

I call the script from a cron job that runs daily and first runs certwatch to check if the cert is about to expire. If the cert is about to expire soon (I use 7 days, but you can of course change it as suitable), the "bacme" script is called to generate new certs.

My solution is actually intended primarily to renew certs for websites hosted on my server, but Postfix and Dovecot are configured to re-use the certs for my main website (however, I don't use DANE yet).
--
Regards,
Jaroslaw Rafa
[email protected]
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
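The daily check described above (persistent key and CSR, renew only when the cert expires within N days), as an added example that is not the poster's modified "bacme" script: the file names, the `example.net` domain, the `renew` hook where the ACME client would be invoked, and the script name `renew-check.sh` are assumptions. It also prints the SHA-256 SubjectPublicKeyInfo hash a "3 1 1" TLSA record would carry, so you can confirm the value does not move between renewals.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes openssl is installed and
# that the ACME client is called from renew() (placeholder below).
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/acme/example.net}"   # assumed layout
DOMAIN="${DOMAIN:-example.net}"                      # assumed domain
RENEW_DAYS="${RENEW_DAYS:-7}"                        # window the post uses

# Generate the private key and CSR only once; later runs reuse both,
# which is what keeps a DANE "3 1 1" record stable across renewals.
ensure_key_and_csr() {
    dir="$1"; domain="$2"
    if [ ! -f "$dir/key.pem" ]; then
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
            -out "$dir/key.pem" 2>/dev/null
        chmod 600 "$dir/key.pem"
    fi
    if [ ! -f "$dir/csr.pem" ]; then
        openssl req -new -key "$dir/key.pem" -subj "/CN=$domain" \
            -out "$dir/csr.pem" 2>/dev/null
    fi
}

# True (exit 0) when the cert is missing or expires within $2 days.
needs_renewal() {
    cert="$1"; days="$2"
    [ -f "$cert" ] || return 0
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)); then
        return 1    # still valid beyond the window
    fi
    return 0
}

# SHA-256 over the DER SubjectPublicKeyInfo of the key: the TLSA 3 1 1 value.
tlsa_311_hash() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Placeholder: replace with the explicit ACME client call (e.g. bacme).
renew() { echo "PLACEHOLDER: run ACME client with $1/csr.pem"; }

main() {
    mkdir -p "$CERT_DIR"
    ensure_key_and_csr "$CERT_DIR" "$DOMAIN"
    needs_renewal "$CERT_DIR/cert.pem" "$RENEW_DAYS" && renew "$CERT_DIR"
    echo "TLSA 3 1 1 $(tlsa_311_hash "$CERT_DIR/key.pem")"
}

# Run main only when executed as renew-check.sh, so the functions can be sourced.
case "${0##*/}" in renew-check.sh) main ;; esac
```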
