On renewing letsencrypt..?

Discussion in 'Installation/Configuration' started by wshakes, Mar 13, 2017.

  1. wshakes

    wshakes Member

    I have successfully set up my server to use letsencrypt SSL for HTTPS and for IMAP/POP3/SMTP AND I MUST SAY-- THIS IS AWESOME. Thank you!
    I did it following the how-to-forge along with this post to help setting up the email part:
    https://www.howtoforge.com/community/threads/letsencrypt-on-mail-server.73695/
    Now-- I don't understand how to go about keeping my certs renewed? It seems there are two mechanisms going on here, something about a cron, and something about a built-in renewal feature of ISPconfig, and I am not sure if I need to do anything or not now. I want to keep the certificate renewed on this mail server for both http AND email! How do I ensure I have this renewal stuff properly setup?

    Thanks.
     
  2. wshakes

    wshakes Member

    Can I get an official answer on this, I find lots of different people using different methods to keep their certs renewed, and I am not sure that everybody is using the certs for BOTH web AND email... I need to set this up the best way possible. Thank you.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Letsencrypt certs get renewed automatically.
     
    wshakes likes this.
  4. kerrsmith

    kerrsmith Member

    If you have created the certificate using the ISPConfig control panel it will get automatically renewed. All my websites (www.domain.com etc) have certificates created by the control panel and these automatically renew.

    If you have manually created certificates for sub domains these will need to be manually renewed. For example, I manually created certificates for sub domains such as pop.domain.com, ftp.domain.com etc and these needed to be renewed manually - I just re-ran the command I used to initially create them. I got emails from the 'Let's Encrypt Expiry Bot' well in advance letting me know which ones were about to expire so it is easy enough to remember to do them.
     
    Last edited: Mar 13, 2017
  5. wshakes

    wshakes Member

    So it sounds like I may not have to do anything, but if I do run into trouble, I will just re-run this from the guide I followed:
    Code:
    certbot auth --text --agree-tos --standalone --email postmaster@`hostname -d` -d `hostname -f` -d mail.`hostname -f`
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I know, all LE certs will get renewed, not just the ones that you generated in ispconfig. But you might have to restart the service that uses it so that it loads the new cert.
     
  7. wshakes

    wshakes Member

    @till
    It appears by following the guide I referenced above, I now have two instances of certbot installed.
    both "certbot" and "letsencrypt" are commandable, see,
    Code:
    root@mail:/etc/letsencrypt# letsencrypt
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
    root@mail:/etc/letsencrypt# certbot
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
    root@mail:/etc/letsencrypt#
    Am I wrong to think that ISPconfig is going to update letsencrypt but not certbot? Or is that not how I am setup here.
     
  8. kerrsmith

    kerrsmith Member

    The reason I think you need to manually update manually created certificates is that I read (a while ago) that the domains need to be re-validated every time they are updated. If they are not web accessible domains then the LetsEncrypt program has nowhere to place its file it uses to check that they exist. (ie manually created pop.domain.com will not have an associated website), this is why when manually creating them you need to stop the web server, run the 'certbot --standalone' so it runs its own temporary server and then when it is done restart the web server.

    I have not looked in to this recently so if the above is wrong I would be happy to hear it.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig uses the software that is installed on your server, if certbot is installed, then it uses certbot, if letsencrypt is installed, then it uses letsencrypt to create and renew ssl certs.
     
  10. wshakes

    wshakes Member

    @till looking in /etc/letsencrypt/live i see mail.domain.com and domain.com ... So it is safe to assume both of these will keep updated by ispconfig? :)
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    All LE certs get renewed automatically.
     
    wshakes likes this.
  12. wshakes

    wshakes Member

    got it. thanks
     
  13. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    till and wshakes like this.
  14. kerrsmith

    kerrsmith Member

Share This Page