Only because others are talking security and Let's Encrypt… I put together a 
script that I run AFTER certbot renew checks are run. Figured I would include 
it here for the Qmail community to use:

[root@mail7 ~]# more copy_letsencrypt_files.sh
#!/bin/bash
#
# Script to copy Let's Encrypt files to the right area and restart the needed services.
#
# Initial concept by RCC 06/08/2018
#
# Test if the letsencrypt live cert.pem file was changed in the last 24 hours...
# find prints the path only when the file is OLDER than 1440 minutes (live/ holds
# symlinks that certbot re-creates on every renewal, so their mtime moves as well).
#
if [ -n "$(find /etc/letsencrypt/live/secure.carlc.com/cert.pem -mmin +1440)" ]
then
        echo "Cert file is older than 1440 test minutes (24 hours)... STOP!"
        exit 0
fi
echo "Get to work, new cert file is younger than 1440 minutes (24 hours)..."
#
# Dovecot just needs a restart as it is using the /etc/letsencrypt/live files already
#
/usr/sbin/service dovecot restart
#
# Qmail SMTP-SSL
#
# Create a new /var/qmail/control/servercert.pem-NEW
#
# NOTE: order is critical, start with private key, then URL cert, then any intermediate files.
#
cat /etc/letsencrypt/live/secure.carlc.com/privkey.pem >  /var/qmail/control/servercert.pem-NEW
cat /etc/letsencrypt/live/secure.carlc.com/cert.pem    >> /var/qmail/control/servercert.pem-NEW
cat /etc/letsencrypt/live/secure.carlc.com/chain.pem   >> /var/qmail/control/servercert.pem-NEW
#
# Swap out files, move current to OLD then NEW to current
#
mv /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem-OLD
mv /var/qmail/control/servercert.pem-NEW /var/qmail/control/servercert.pem
# The bundle now contains the private key; mode 644 leaves it readable by every local user.
chmod 644 /var/qmail/control/servercert.pem
chown root:vchkpw /var/qmail/control/servercert.pem
#
# Need to restart QMAIL
#
/etc/rc.d/init.d/qmail restart
#
# Webmin (thank you QMAIL, we can use the new PEM file as it's the same format)
#
/usr/sbin/service webmin stop
cat /var/qmail/control/servercert.pem > /etc/webmin/miniserv.pem
/usr/sbin/service webmin start

Obviously, make changes where you need to :) … I've had this on a few 
production QMail CentOS 7 servers [with secure.carlc.com changed to the server's 
main FQDN].

If this helps anyone, I’m happy.

Carl

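An added example, not Carl's script: a POSIX sh version of the bundle step that checks the key/cert/chain order before swapping the file in, installs it with an atomic rename, and skips the swap (and so any service restart) when the deployed bundle already matches the live material; run as a certbot `--deploy-hook` it fires only on a real renewal, so the 24-hour mtime test is not needed. The paths, the root:vchkpw ownership and the placeholder PEM blocks written by make_demo_live are assumptions taken from the post or constructed for the demo.

```shell
#!/bin/sh
# Added example, not the script from the post: build qmail's servercert.pem
# (key, then cert, then chain) from a certbot live directory, verify the block
# order, and swap it in atomically, only when it actually changed.
# root:vchkpw ownership and the paths are assumptions taken from the post.

# Count PEM blocks of type $2 in file $1 (prints 0 when there are none).
pem_count() { grep -c "^-----BEGIN $2-----" "$1" 2>/dev/null || true; }

# Succeed only if $1 starts with a private key and holds >= 2 certificates
# (the leaf plus at least one intermediate), the order qmail expects.
pem_order_ok() {
    first=$(sed -n '/^-----BEGIN /{p;q;}' "$1")
    case "$first" in *"PRIVATE KEY-----") ;; *) return 1 ;; esac
    [ "$(pem_count "$1" CERTIFICATE)" -ge 2 ]
}

# build_qmail_pem LIVE_DIR OUT_FILE
# Returns 0 and prints "installed" when OUT_FILE was replaced, 1 ("unchanged")
# when the live material is already deployed, 2 on a malformed bundle.
build_qmail_pem() {
    live=$1; out=$2; tmp="$out-NEW"
    # Build under umask 077 so the key is never world-readable, even briefly.
    ( umask 077; cat "$live/privkey.pem" "$live/cert.pem" "$live/chain.pem" > "$tmp" ) || return 2
    if ! pem_order_ok "$tmp"; then rm -f "$tmp"; return 2; fi
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"; echo unchanged; return 1      # nothing to do, no restart needed
    fi
    [ -f "$out" ] && cp -p "$out" "$out-OLD"        # keep the previous bundle
    chmod 640 "$tmp"                                # group-readable only, never 644
    [ "$(id -u)" -eq 0 ] && chown root:vchkpw "$tmp"  # chown needs root; skipped in the demo
    mv -f "$tmp" "$out"          # rename is atomic: readers see the old or the new file, never a partial one
    echo installed
}

# Constructed demo input (placeholder PEM blocks, not real key material) so the
# functions can be exercised offline: writes privkey/cert/chain into directory $1.
make_demo_live() {
    mkdir -p "$1"
    printf -- '-----BEGIN PRIVATE KEY-----\nDEMOKEY\n-----END PRIVATE KEY-----\n' > "$1/privkey.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nDEMOLEAF\n-----END CERTIFICATE-----\n' > "$1/cert.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nDEMOCA\n-----END CERTIFICATE-----\n' > "$1/chain.pem"
}
```

Restart qmail only on a successful install, e.g. `build_qmail_pem "$RENEWED_LINEAGE" /var/qmail/control/servercert.pem && /etc/rc.d/init.d/qmail restart`, where RENEWED_LINEAGE is the live directory certbot exports to deploy hooks.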