I have successfully set up my server to use letsencrypt SSL for HTTPS and for IMAP/POP3/SMTP AND I MUST SAY-- THIS IS AWESOME. Thank you! I did it following the how-to-forge along with this post to help setting up the email part: https://www.howtoforge.com/community/threads/letsencrypt-on-mail-server.73695/ Now-- I don't understand how to go about keeping my certs renewed? It seems there are two mechanisms going on here, something about a cron, and something about a built-in renewal feature of ISPconfig, and I am not sure if I need to do anything or not now. I want to keep the certificate renewed on this mail server for both http AND email! How do I ensure I have this renewal stuff properly setup? Thanks.
Can I get an official answer on this, I find lots of different people using different methods to keep their certs renewed, and I am not sure that everybody is using the certs for BOTH web AND email... I need to set this up the best way possible. Thank you.
If you have created the certificate using the ISPConfig control panel it will get automatically renewed. All my websites (www.domain.com etc.) have certificates created by the control panel and these automatically renew. If you have manually created certificates for subdomains these will need to be manually renewed. For example, I manually created certificates for subdomains such as pop.domain.com, ftp.domain.com etc., and these needed to be renewed manually - I just re-ran the command I used to initially create them. I got emails from the 'Let's Encrypt Expiry Bot' well in advance letting me know which ones were about to expire, so it is easy enough to remember to do them.
So it sounds like I may not have to do anything, but if I do run into trouble, I will just re-run this from the guide I followed:
Code:
certbot auth --text --agree-tos --standalone --email postmaster@`hostname -d` -d `hostname -f` -d mail.`hostname -f`
As far as I know, all LE certs will get renewed, not just the ones that you generated in ispconfig. But you might have to restart the service that uses it so that it loads the new cert.
@till It appears by following the guide I referenced above, I now have two instances of certbot installed. Both "certbot" and "letsencrypt" are commandable, see:
Code:
root@mail:/etc/letsencrypt# letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
root@mail:/etc/letsencrypt# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
root@mail:/etc/letsencrypt#
Am I wrong to think that ISPconfig is going to update letsencrypt but not certbot? Or is that not how I am set up here?
The reason I think you need to manually update manually created certificates is that I read (a while ago) that the domains need to be re-validated every time they are updated. If they are not web accessible domains then the LetsEncrypt program has nowhere to place the file it uses to check that they exist (i.e. a manually created pop.domain.com will not have an associated website). This is why, when manually creating them, you need to stop the web server, run 'certbot --standalone' so it runs its own temporary server, and then, when it is done, restart the web server. I have not looked into this recently, so if the above is wrong I would be happy to hear it.
ISPConfig uses the software that is installed on your server: if certbot is installed, then it uses certbot; if letsencrypt is installed, then it uses letsencrypt to create and renew SSL certs.
@till Looking in /etc/letsencrypt/live I see mail.domain.com and domain.com ... So it is safe to assume both of these will be kept updated by ISPConfig?
I wrote some scripts to check certificates in use, update/rebuild files if needed (eg. for pure-ftpd and mysql), and restart services. I'll add the postfix/dovecot script to https://www.howtoforge.com/community/threads/letsencrypt-on-mail-server.73695/
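The point made earlier in the thread (the cert gets renewed on disk, but postfix/dovecot keep serving the old one until they reload) and the check-and-restart scripts mentioned just above, as an added example that is not code from the thread, from ISPConfig or from certbot. It compares the fingerprint of the certificate in /etc/letsencrypt/live with the one each mail service actually presents and reloads only the services that are stale; the host name, ports, service names and the `fullchain.pem` path are assumptions, and it needs `openssl` on the box.

```shell
#!/bin/sh
# Added example (not code from the thread or from ISPConfig/certbot): check that
# the cert certbot keeps in /etc/letsencrypt/live is the one postfix and dovecot
# actually present, and reload them when it is not. Host name, ports and
# service names are assumptions; adjust them to your server. Needs openssl.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$(hostname -f 2>/dev/null)}"
MAIL_HOST="${MAIL_HOST:-$(hostname -f 2>/dev/null)}"

# SHA-256 fingerprint of a PEM certificate file.
cert_file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the cert a running service hands out. $3 is the STARTTLS
# protocol (smtp, imap, pop3) or empty for implicit TLS (465, 993, 995).
cert_served_fingerprint() {
    host=$1; port=$2; proto=$3
    if [ -n "$proto" ]; then set -- -starttls "$proto"; else set --; fi
    openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Returns 0 if the cert is still valid $2 days from now, 1 if it expires sooner.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Returns 0 when the served fingerprint differs from the on-disk one, i.e. the
# daemon still holds the pre-renewal cert and needs a reload.
needs_reload() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

main() {
    cert="$LIVE_DIR/fullchain.pem"
    disk=$(cert_file_fingerprint "$cert")
    cert_valid_for_days "$cert" 7 ||
        echo "WARNING: $cert expires within 7 days; check 'certbot renew'"
    served=$(cert_served_fingerprint "$MAIL_HOST" 587 smtp)
    needs_reload "$disk" "$served" && systemctl reload postfix
    served=$(cert_served_fingerprint "$MAIL_HOST" 993 "")
    needs_reload "$disk" "$served" && systemctl reload dovecot
}

# Run the check only when invoked as 'sh renew-check.sh check'; sourcing
# or running without arguments just defines the functions.
if [ "$1" = "check" ]; then main; fi
```

Run it from cron a little after the certbot renewal job, or let certbot call it through its `--deploy-hook` option; a reload rather than a restart keeps mail flowing while the new cert is picked up.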
I have had a look as to why certificates were not renewing and have documented my findings in the following thread: https://www.howtoforge.com/community/threads/letsencrypt-on-mail-server.73695/page-2#post-357516