1

Topic: Let's encrypt certificate renewal automatically and services restart

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? iRedAdmin
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

In my iRedMail install, I think I got the 1st Let's Encrypt certificate renewal yesterday, and on browser/mail checking apps and iPhone it started to show private/invalid/expired certificate.

When I checked with "certbot certificates", I see it is still valid.

Two questions:

1. Is there a way/command to check what is the last renewal date? I need to check whether this is the issue.
2. After I reloaded dovecot, postfix & nginx, the certificate pop-up messages/errors disappeared. I found that we need to stop these services before renewal, and then after renewal we should restart these services. I found the below "pre" and "post" folders are empty. Does iRedMail come with scripts to do these, or do we need to build scripts to pre-stop and post-start these?

If someone can explain how to setup or link to show how let's encrypt renewal setup automatically on iRedmail, that will be great.


root@smtp:/etc/letsencrypt/renewal-hooks# ls -l
total 12
drwxr-xr-x 2 root root 4096 Mar 16 11:46 deploy
drwxr-xr-x 2 root root 4096 Mar 16 11:46 post
drwxr-xr-x 2 root root 4096 Mar 16 11:46 pre
root@smtp:/etc/letsencrypt/renewal-hooks# ls -l pre/
total 0
root@smtp:/etc/letsencrypt/renewal-hooks# ls -l post/
total 0
root@smtp:/etc/letsencrypt/renewal-hooks# ls -l deploy/
total 0
root@smtp:/etc/letsencrypt/renewal-hooks#

Awaiting replies,

Mathew


2 (edited by Neutro 2019-06-14 15:38:01)

Re: Let's encrypt certificate renewal automatically and services restart

Hey,

From https://docs.iredmail.org/letsencrypt.html

How to check cert status
Run command:

certbot certificates
It will show you all existing certs and expiry date.

The renewal-hooks folders are also empty on my server while SSL is enabled everywhere with letsencrypt certs, so it's pretty normal I guess :)

If someone can explain how to setup or link to show how let's encrypt renewal setup automatically on iRedmail, that will be great.

From the same documentation:

Renew the cert automatically
You can setup a daily cron job to run command certbot renew to renew all existing ssl certs which will expire in less than 30 days. We need its --post-hook argument to restart network services to load renewed ssl certs.

A sample cron job that runs at 3:01AM everyday, and restart postfix/nginx/dovecot after renewed:

1   3   *   *   *   certbot renew --post-hook 'service postfix restart; service nginx restart; service dovecot restart'
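
Added example, not part of the thread or the iRedMail documentation: the empty `/etc/letsencrypt/renewal-hooks/deploy` folder shown in the first post is where certbot looks for executables to run once per successfully renewed certificate, with `RENEWED_LINEAGE` and `RENEWED_DOMAINS` set in the environment. The sketch below is a deploy hook for the three services named in this thread; the file name and the `SERVICE_CMD` override (there for dry runs) are assumptions of this example.

```shell
#!/bin/sh
# Added example: certbot deploy hook. Save as an executable file such as
# /etc/letsencrypt/renewal-hooks/deploy/restart-mail-services.sh
# (hypothetical name). certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS.

SERVICES="postfix nginx dovecot"        # services named in the thread
SERVICE_CMD="${SERVICE_CMD:-service}"   # assumption: overridable for dry runs

log() { printf '%s deploy-hook: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*"; }

# Refuse to restart anything if the renewed lineage lacks usable files,
# so a broken renewal cannot take the mail services down.
lineage_ok() {
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# Restart every service even if one fails; return the number of failures.
restart_services() {
    failed=0
    for svc in $SERVICES; do
        if $SERVICE_CMD "$svc" restart; then
            log "restarted $svc"
        else
            log "FAILED to restart $svc"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

run_hook() {
    if ! lineage_ok "$1"; then
        log "missing or empty cert files in $1, not restarting"
        return 1
    fi
    log "renewed: ${RENEWED_DOMAINS:-unknown} ($1)"
    restart_services
}

# Do nothing unless certbot invoked us (it sets RENEWED_LINEAGE).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    run_hook "$RENEWED_LINEAGE"
fi
```

With a hook like this in place, a plain `certbot renew` cron entry restarts the services only when a certificate was actually replaced, and the hook's exit status is the number of services that failed to restart.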

3

Re: Let's encrypt certificate renewal automatically and services restart

Hi Neutro,

Thank you for the prompt reply, and I read about that command line. I understand it will fix my server issue.

When I checked with the command "crontab -l" while logged in as root on my iRedMail server, I noticed the below line, possibly added by the package "certbot" automatically. The "cron" service is running and I am on Ubuntu 18.04.

Should I comment this line and add the line suggested by you or we need both lines?

#letsencrypt auto-renew - double check before uncommenting as it is there - /etc/cron.d/certbot
12 3 * * *   letsencrypt renew >> /var/log/letsencrypt/renew.log


Neutro wrote:

Hey,

From https://docs.iredmail.org/letsencrypt.html

How to check cert status
Run command:

certbot certificates
It will show you all existing certs and expiry date.

The renewal-hooks folders are also empty on my server while SSL is enabled everywhere with letsencrypt certs, so it's pretty normal I guess :)

If someone can explain how to setup or link to show how let's encrypt renewal setup automatically on iRedmail, that will be great.

From the same documentation:

Renew the cert automatically
You can setup a daily cron job to run command certbot renew to renew all existing ssl certs which will expire in less than 30 days. We need its --post-hook argument to restart network services to load renewed ssl certs.

A sample cron job that runs at 3:01AM everyday, and restart postfix/nginx/dovecot after renewed:

1   3   *   *   *   certbot renew --post-hook 'service postfix restart; service nginx restart; service dovecot restart'


Regards,

Mathew

4

Re: Let's encrypt certificate renewal automatically and services restart

You're welcome :)

certbot (the program used for everything for letsencrypt) was previously called... letsencrypt ;)

So :

letsencrypt renew >> /var/log/letsencrypt/renew.log

is probably a remnant of the past.

If your packages are up to date "letsencrypt renew" should not work anymore.

The command that is in the iredmail documentation is thus the right one.

You can run it manually on your server with no problem as much as you want.

Personally I changed the cron for it so it's launched only every 28th of every month since once a month is enough for renewal.

5

Re: Let's encrypt certificate renewal automatically and services restart

Hi Neutro,

Thanks. I have set up my iRedMail server cron accordingly now.

Neutro wrote:

You're welcome :)

certbot (the program used for everything for letsencrypt) was previously called... letsencrypt ;)

So :

letsencrypt renew >> /var/log/letsencrypt/renew.log

is probably a remnant of the past.

If your packages are up to date "letsencrypt renew" should not work anymore.

The command that is in the iredmail documentation is thus the right one.

You can run it manually on your server with no problem as much as you want.

Personally I changed the cron for it so it's launched only every 28th of every month since once a month is enough for renewal.