So, this problem was few months back and only today I had time to revisit this question. I have separate server only for email. Users using webmail reported that there is error while logging into account. Yes, there was expired postfix cert. And ISPC use symlinked SSL for postfix/pire-ftpd. Does cert renewal is automatic or should I investigate this case each ~3 months?
LE Certs renew automatically in the default ISPConfg SSL setup and there is no need for any manual actions. But I don't know if and how you manually changed the default SSL setup, so your setup might behave differently. But If I understand your post correctly, you do not have any issues at the moment, you will see if it renews when it renews.
LE renews its certs after 60 days, so it is not really three months that you should look into. If email is setup correctly, it will warn you if your renewal attempt after that 60 days failed, giving you time in about 30 days before the expiry.
In addition to renewing the certificate, the services using that certificate must be restarted so they start using the new certificate. ISPConfig should do also this, but if you have modified the setup then you may need to look at the hook scripts that can do stuff when certificate is renewed.
Aha, now I have more clear view of the problem: * I have ISPC multi server setup; * Email server is separate, dedicated server only with SMTP and IMAP services; * When SSL expires, that email server can't renew it, I must delete ispconfig SSL certs and issue ispconfig_update.sh --force command to apply new cert and symlink to services;
No, normally the SSL cert renews automatically when created with ispconfig_update.sh. No matter if this is a email server or not. If a server has no Apache or Nginx installed, ISPConfig uses the standalone mode of the LE client instead. You should just run ispconfig_update.sh --force to fix your config nd get a new SSL cert for now; it does not have to be run regularly.
