1

Topic: Critical Issue with Cron Job Installed by iRedMail Easy

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 2025012401 (Backend: mariadb, Date: 2025-01-27 21:52:55) iRedMail Easy
- Deployed with iRedMail Easy or the downloadable installer?  iRedMail Easy
- Linux/BSD distribution name and version:  Debian 12
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

System Specifications:
CPU: 16 cores, 1699 MHz
Memory: 128 GB (1 GB active)
Storage: 15 TB (Thick Provision Eager Zeroed)

Problem Description: Critical Issue with Cron Job Installed by iRedMail Easy – Services Left Without Valid Certificates

Dear Team,

It has been observed that the iRedMail Easy installation sets up an incorrect cron job for automatically renewing Let's Encrypt certificates. Due to this issue, services relying on certificates may be left without valid ones, causing email and web services to fail.

Faulty Cron Job Installed by iRedMail Easy:
1 3 * * * certbot certificates; certbot renew --post-hook 'ln -sf /etc/letsencrypt/live/mail.xxx.xx/privkey.pem /opt/iredmail/ssl/key.pem; /usr/sbin/systemctl restart postfix dovecot nginx'

Problems with This Configuration:
Unnecessary Execution of certbot certificates
This command only prints certificate details and has no impact on the renewal process.

Incorrect Path for systemctl
The command /usr/sbin/systemctl is not correctly positioned in the PATH, meaning services do not restart even when certificates are renewed.
As a result, services continue using expired certificates, as the new one is not loaded.

Due to this misconfiguration, services may lose access to valid TLS certificates, potentially causing issues with email communication, web services, and any other services relying on TLS certificates.

I suggest correcting the cron job by using --deploy-hook instead of --post-hook, which will trigger a specially written script only when the certificate is actually renewed. The script will automatically update the symbolic link and restart the services, preventing unnecessary service restarts if the certificate has not changed.

Please take this as a sincere and friendly suggestion.

And as I previously mentioned, please guide me.

The installation was done using iRedMail Easy, and I don’t want to make any changes that could later break the iRedMail Easy upgrade or migration to the EE version.
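One way to write the deploy hook suggested in the post above, as an added example that is not part of the original post and not iRedMail's own code. It relies on certbot exporting RENEWED_LINEAGE to deploy hooks. The function names and the SSL_DIR, SERVICES and SYSTEMCTL override variables are hypothetical.

```shell
#!/bin/sh
# Added example: certbot deploy hook. certbot runs deploy hooks only after a
# certificate was actually renewed and exports RENEWED_LINEAGE to them.
# SSL_DIR, SERVICES and SYSTEMCTL are hypothetical override knobs.

SSL_DIR="${SSL_DIR:-/opt/iredmail/ssl}"          # link location from the post
SERVICES="${SERVICES:-postfix dovecot nginx}"    # services from the post

# Repoint a symlink, refusing a missing or empty source file.
link_cert() {
    src="$1"; dst="$2"
    if [ ! -s "$src" ]; then
        echo "deploy hook: missing or empty $src" >&2
        return 1
    fi
    ln -sf "$src" "$dst"
}

# cron jobs get a minimal PATH, so probe known directories instead of
# hard-coding one absolute path to systemctl.
find_systemctl() {
    for dir in /usr/bin /bin /usr/sbin /sbin; do
        if [ -x "$dir/systemctl" ]; then
            echo "$dir/systemctl"
            return 0
        fi
    done
    return 1
}

# Link the renewed key, then restart; any failure is reported and aborts.
deploy() {
    lineage="$1"
    link_cert "$lineage/privkey.pem" "$SSL_DIR/key.pem" || return 1
    ctl="${SYSTEMCTL:-$(find_systemctl)}"
    if [ -z "$ctl" ]; then
        echo "deploy hook: systemctl not found" >&2
        return 1
    fi
    # SERVICES is intentionally unquoted so it splits into separate arguments.
    "$ctl" restart $SERVICES
}

# Only act when certbot invoked us as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Saved as an executable file in /etc/letsencrypt/renewal-hooks/deploy/, the script is picked up by a plain `certbot renew`, so the cron entry no longer needs an inline hook.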


2

Re: Critical Issue with Cron Job Installed by iRedMail Easy

- iRedMail Easy doesn't handle Let's Encrypt cert at all, it must be added by someone else.
- You should fix the path to systemctl manually.

3

Re: Critical Issue with Cron Job Installed by iRedMail Easy

Thanks for the explanation