1 (edited by pawtracks 2020-07-31 08:03:40)

Topic: Let's encrypt renewal error upon service restart

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.1
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: CentOS Linux release 7.8.2003 (Core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL/MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

My Let's Encrypt SSL cert renewal cron appears to be working; it just did the first renewal (at the "expires in 30 days" point) last week.
I noticed in the daily email that the service restart command exited with an error, and I have been unable to determine how to fix it.

# Let's Encrypt SSL certificate renewal
38 21 * * * certbot renew --post-hook 'service postfix restart; service nginx restart; service dovecot restart'

Running the command [service postfix status] shows all 3 restarted pretty close to the same time, which matches the log below.

#log
2020-07-22 21:42:26,756:DEBUG:acme.client:Storing nonce:
2020-07-22 21:42:26,758:DEBUG:certbot._internal.storage:Writing new private key to /etc/letsencrypt/archive/[domain]/privkey2.pem.
2020-07-22 21:42:26,758:DEBUG:certbot._internal.storage:Writing certificate to /etc/letsencrypt/archive/[domain]/cert2.pem.
2020-07-22 21:42:26,759:DEBUG:certbot._internal.storage:Writing chain to /etc/letsencrypt/archive/[domain]/chain2.pem.
2020-07-22 21:42:26,759:DEBUG:certbot._internal.storage:Writing full chain to /etc/letsencrypt/archive/[domain]/fullchain2.pem.
2020-07-22 21:42:26,766:DEBUG:certbot._internal.cli:Var post_hook=service postfix restart; service nginx restart; service dovecot restart (set by user).
2020-07-22 21:42:26,768:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/[domain].conf.new.
2020-07-22 21:42:26,772:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2020-07-22 21:42:26,773:DEBUG:certbot._internal.renewal:no renewal failures
2020-07-22 21:42:26,773:INFO:certbot._internal.hooks:Running post-hook command: service postfix restart; service nginx restart; service dovecot restart
2020-07-22 21:42:33,088:ERROR:certbot._internal.hooks:Error output from post-hook command service:
Redirecting to /bin/systemctl restart postfix.service
Redirecting to /bin/systemctl restart nginx.service
Redirecting to /bin/systemctl restart dovecot.service

#Email message
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/[domain].conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Non-interactive renewal: random delay of 257.566080286 seconds
Plugins selected: Authenticator web-root, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [domain]
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/[domain]/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/[domain]/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: service postfix restart; service nginx restart; service dovecot restart
Error output from post-hook command service:
Redirecting to /bin/systemctl restart postfix.service
Redirecting to /bin/systemctl restart nginx.service
Redirecting to /bin/systemctl restart dovecot.service


2

Re: Let's encrypt renewal error upon service restart

Which ssl cert/key files are you using in Postfix/Dovecot/Nginx? If they're symbol links, please make sure they are linked to files under /etc/letsencrypt/live/.

3

Re: Let's encrypt renewal error upon service restart

These are my install notes from SSL setup.
mv /etc/pki/tls/certs/iRedMail.crt{,.bak}       # Backup. Rename iRedMail.crt to iRedMail.crt.bak
mv /etc/pki/tls/private/iRedMail.key{,.bak}     # Backup. Rename iRedMail.key to iRedMail.key.bak
ln -s /etc/letsencrypt/live/[FQDN]/fullchain.pem /etc/pki/tls/certs/iRedMail.crt
ln -s /etc/letsencrypt/live/[FQDN]/privkey.pem /etc/pki/tls/private/iRedMail.key


It appears everything is working with the SSL cert, and the auto/cron renewal too.
I'm just curious about the error message at the very end (post-hook command), which I think is related to the (3) services to be restarted.

The email and log files are very light on details.
Safe to ignore, or something that could be corrected?

4

Re: Let's encrypt renewal error upon service restart

pawtracks wrote:

Just curious about the error message at the very end (post-hook command), which I think is related to the (3) services to be restarted.
The email and log files are very light on details.
Safe to ignore, or something that could be corrected?

It's "systemd"; it logs this message. Safe to ignore.
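Some background on why the message is harmless: on CentOS 7, /sbin/service is a compatibility wrapper that prints "Redirecting to /bin/systemctl restart ..." on stderr before handing off to systemd, and certbot logs anything a hook writes to stderr under "Error output from post-hook command" even when the hook exited 0 (a real failure would additionally show up as a "returned error code" line). The noise is only a problem because it makes a genuine restart failure hard to spot in the daily email. The script below is an added example, not code from this thread, from iRedMail or from certbot: it calls systemctl directly (so no "Redirecting" chatter), restarts each daemon, verifies it is actually active afterwards, and exits non-zero only when something really went wrong. It assumes systemd units named postfix, nginx and dovecot; the CTL override variable and the install path /usr/local/sbin/restart-mail.sh are hypothetical.

```shell
#!/bin/sh
# Added example: certbot post-hook that restarts mail services via systemctl
# and verifies they came back. Not part of the forum thread, iRedMail or certbot.
#
# Usage (replaces the three `service ... restart` calls in the cron line):
#   certbot renew --post-hook '/usr/local/sbin/restart-mail.sh postfix nginx dovecot'
#
# CTL is the service-control command. Defaults to systemctl; overriding it is
# a hypothetical hook so the functions can be exercised on a box without systemd.
CTL="${CTL:-systemctl}"

# restart_one <unit>: restart the unit and confirm it is active afterwards.
# Returns 0 on success, 1 on failure. Only genuine failures are written to
# stderr, so certbot's "Error output from post-hook command" stays empty on
# a good renewal and is meaningful when it does appear.
restart_one() {
    unit="$1"
    if ! "$CTL" restart "$unit"; then
        echo "post-hook: restart of $unit failed" >&2
        return 1
    fi
    # A unit can "restart" and then die immediately (e.g. config error);
    # is-active catches that case.
    if ! "$CTL" is-active --quiet "$unit"; then
        echo "post-hook: $unit is not active after restart" >&2
        return 1
    fi
    echo "post-hook: $unit restarted and active"
    return 0
}

# restart_all <unit>...: restart every unit given. Keeps going after a failure
# so one broken daemon does not leave the others serving the old certificate,
# then returns the number of units that failed (0 means all good).
restart_all() {
    failed=0
    for unit in "$@"; do
        restart_one "$unit" || failed=$((failed + 1))
    done
    return "$failed"
}

# Entry point: units come from the command line. With no arguments nothing is
# restarted, which lets the functions be sourced for testing.
if [ $# -gt 0 ]; then
    restart_all "$@"
    exit $?
fi
```

Because the script's exit status is the count of failed units, a failed restart shows up in the renewal email as a "returned error code" line with the specific service named on stderr, instead of three informational redirect lines that look like an error but are not.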