I did follow the steps from the following tutorial during the upgrade from Debian 10 to Debian 11: https://forum.howtoforge.com/threads/replacing-incron-with-systemd.88477/

The tutorial indicates that incron is deprecated, so I have to replace the script that monitors certificate changes (which automatically restarts services). I am a bit worried, because I did notice the folder "/etc/letsencrypt", which indicates I am running Certbot. I did also notice these lines:

Code:
    [Unit]
    Description="Monitor the mailserver certificate files to trigger a e-mail services restart after the certificates has been renewed"

    [Path]
    PathModified=/root/.acme.sh/mail.example.com/
    Unit=le-mailserver-restart.service

    [Install]
    WantedBy=multi-user.target

I don't have the "/root/.acme" folder. But I do have the "/etc/letsencrypt" folder. Can I simply point "PathModified" to e.g. "/etc/letsencrypt/live/example.com" instead? Or are there more changes required?

Another question is: should I change from using Certbot to ACME? Or is it better to stick with Certbot?

Background: I did install my VPS on the 1st of January 2019. That installation was based on Debian 9. I did follow the tutorial The Perfect Server - Debian 9 (Stretch) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.1. I did upgrade my VPS to Debian 10 some time ago and now I am running Debian 11 (after upgrading again). So, my guess is that Certbot is "legacy" of the past. I'm not sure what's best to do in this situation.
Certbot works fine, but you have to remove the apt installation and reinstall using snap as instructed on the certbot website. That said, you can change that to acme.sh, as that is reported as possible and works fine too. About incron being replaced by the systemd approach, I think that is basically for a mail server or other servers that need a different FQDN than the server hostname FQDN. In a normal server setup that doesn't need it, using the ISPConfig installer should work out of the box, and in that situation, if there is incron from the past, you only need to remove it thoroughly before force updating ISPConfig and select SSL during that process.
That's not the case. Certbot and acme.sh are both supported equally. We use acme.sh as the client for new setups as it's easier to install and does not require snap. Existing setups should stay with the LE client that they were installed with. If your system uses certbot, then keep certbot. Switching to acme.sh is impossible without removing and recreating all certificates. What has changed regarding certbot is that the makers of certbot prefer installation via snap now, so on Debian 11, you install certbot with snap as described on the certbot website instead of using apt.
Thanks @till and @ahrasis. I've got three weeks off from work. That's why I'm working on updates and trying to organize my server better.

Good to read that Certbot and acme.sh are both supported. I'll go ahead and replace the Debian package of Certbot with the snapd package (although in my opinion snapd doesn't look appealing).

I have one more question. I run a website on the same subdomain as ISPConfig. This is a landing page. That is why I was using the incron based script. For Dovecot and Postfix the following is being used: in the dovecot.conf I use the 'ssl_cert' and 'ssl_key' of postfix:

Code:
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key

Code:
    # ls -lahsi /etc/postfix/smtpd.cert && ls -lahsi /etc/postfix/smtpd.key
    2893374 0 lrwxrwxrwx 1 root root 48 Apr 13  2021 /etc/postfix/smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    2893900 0 lrwxrwxrwx 1 root root 48 Apr 13  2021 /etc/postfix/smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key

For ISPConfig there's a link with the files in the LE live directories:

Code:
    # ls -lahsi /usr/local/ispconfig/interface/ssl/ispserver.crt && ls -lahsi /usr/local/ispconfig/interface/ssl/ispserver.key
    6816125 0 lrwxrwxrwx 1 root root 52 Apr 13  2021 /usr/local/ispconfig/interface/ssl/ispserver.crt -> /etc/letsencrypt/live/s1.gigabitjes.nl/fullchain.pem
    6816249 0 lrwxrwxrwx 1 root root 50 Apr 13  2021 /usr/local/ispconfig/interface/ssl/ispserver.key -> /etc/letsencrypt/live/s1.gigabitjes.nl/privkey.pem

I did not choose to renew the SSL certificate of ISPConfig during the upgrade because it's configured like it is. Last time when I did that, things didn't work anymore. So, I prefer not to renew the SSL certificate for ISPConfig during an upgrade (of ISPConfig). That means I still will need something that restarts Postfix and Dovecot when the certificate for s1.gigabitjes.nl is renewed. Right?
Do you think it would work when I just go ahead and change the line "PathModified=/root/.acme.sh/mail.example.com/" into "PathModified=/etc/letsencrypt/live/example.com" of the service "/etc/systemd/system/le-mailserver-restart.service"? I think I would like to include the FTP server too, as it uses the certificate too:

Code:
    # ls -lahsi /etc/ssl/private/
    total 16K
    2884045 4.0K drwx--x--- 2 root ssl-cert 4.0K Apr 13  2021 .
    2884042 4.0K drwxr-xr-x 4 root root     4.0K Jul 21 22:08 ..
    2885802 4.0K -rw-r--r-- 1 root root      424 Jan  4  2019 pure-ftpd-dhparams.pem
    2893909    0 lrwxrwxrwx 1 root root       48 Apr 13  2021 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem

Am I heading in the right direction? Or is my understanding off? Your suggestions are more than welcome. Thank you.
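The pair of units the question above sketches, written out as an added example (not the tutorial's or ISPConfig's own files). It assumes a certbot-managed certificate under /etc/letsencrypt/live/example.com/ (placeholder hostname), the Debian service names postfix, dovecot and pure-ftpd-mysql (the last is an assumption for an ISPConfig host; check with systemctl list-units), and the file names le-mailserver-restart.path and le-mailserver-restart.service in /etc/systemd/system/. The watch goes on the live/ directory itself because certbot replaces the symlinks there on every renewal, which updates the directory's mtime:

```ini
# /etc/systemd/system/le-mailserver-restart.path
# Added example; hostname, service names and file names are assumptions.
[Unit]
Description=Watch the Let's Encrypt live directory and restart mail/FTP services after a renewal

[Path]
# Fires when anything inside live/example.com/ changes (certbot rewrites
# the cert/key symlinks there on renewal, so the directory mtime changes).
PathModified=/etc/letsencrypt/live/example.com/
Unit=le-mailserver-restart.service

[Install]
WantedBy=multi-user.target


# /etc/systemd/system/le-mailserver-restart.service
# One-shot restart of every daemon that serves the certificate
# (Postfix, Dovecot and Pure-FTPd all point at the same LE files via symlinks).
[Unit]
Description=Restart Postfix, Dovecot and Pure-FTPd after a Let's Encrypt renewal

[Service]
Type=oneshot
# certbot writes several files per renewal; wait briefly so the restart
# sees the complete new fullchain.pem/privkey.pem pair rather than a half-written one.
ExecStartPre=/bin/sleep 30
ExecStart=/bin/systemctl restart postfix.service dovecot.service pure-ftpd-mysql.service
```

Activate the watcher with `systemctl daemon-reload && systemctl enable --now le-mailserver-restart.path` (enable the .path unit, not the .service), check it with `systemd-analyze verify /etc/systemd/system/le-mailserver-restart.*` and `systemctl list-units --type=path`, and after the next renewal confirm the trigger in `journalctl -u le-mailserver-restart.service`. Note that certbot also runs any executable placed in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal, which is the client-native way to do the same restart without a path unit.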
Yes, that's why we changed the default to certbot. But as there is no good option to change the certs of an existing system, as neither certbot is able to import the config of acme.sh, nor vice versa, the best remaining option is to stick with what the server was initially installed with. Yes, I guess that should work.
Many think so too, but that is the best way for now. That is understandable, and systemd as tipped by @Th0m is the best approach for its replacement, with a minor adjustment for certbot. Yes. And you should be able to do this via @Th0m's systemd approach. As advice, try to use / integrate / customize the default ISPConfig scripts to achieve that as well.