letsencrypt on mail server

Discussion in 'Tips/Tricks/Mods' started by Jesse Norell, Aug 9, 2016.

  1. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Let's Encrypt on my Debian 9 host has renewal hooks, which stop and start when renewal occurs:
    Code:
    # ls -lhR renewal-hooks/
    renewal-hooks/:
    yhteensä 12K
    drwxr-xr-x 2 root root 4,0K kesä  28  2018 deploy
    drwxr-xr-x 2 root root 4,0K kesä  28  2018 post
    drwxr-xr-x 2 root root 4,0K kesä  28  2018 pre
    
    renewal-hooks/deploy:
    yhteensä 4,0K
    -rwx---r-- 1 root root 65 kesä  28  2018 05-restart-postfix-dovecot.sh
    
    renewal-hooks/post:
    yhteensä 4,0K
    -rwx---r-- 1 root root 37 kesä  28  2018 05-start-apache.sh
    
    renewal-hooks/pre:
    yhteensä 4,0K
    -rwx---r-- 1 root root 36 kesä  28  2018 05-stop-apache.sh
    
     
    Jesse Norell likes this.
  2. Ovidiu

    Ovidiu Active Member

    Sorry to revive this old thread but those of you who follow this method, are your email clients happy?

    Although my certificate has been constantly updated I have email clients who are now complaining because of letsencrypt's root certificate change which should have happened tonight.

    I'm just wondering if anyone using this method has had any issues?
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I suspect the issue has to do with their (probably very outdated) clients, not what script you are using on the server to call certbot to renew certificates. Possibly you would have problems if you are running a very dated server version as well, you might ensure your ca-certificates package is current and that you're using a current certbot version (but I would expect renewal failures if your certbot client were too old).

    For what it's worth, no, I've not heard of any related client problems (yet?).
     
  4. Ovidiu

    Ovidiu Active Member

    thanks, I figured it out. for whatever reason I had not exactly followed the step where you symlink to the fullchain cert but to the plain certificate so after changing the symlink to point to the fullchain certificate, no more problems occurred. Its jsut weird that it all worked for so many years :)
     

Share This Page