I'm curious. How do you guys do it? How do you keep your email certs straight? This is how I'm doing it now on the mf1 server...

root@mf1:~# ls -ahl /etc/postfix/smtpd.*
lrwxrwxrwx 1 root root 48 Sep 5 07:44 /etc/postfix/smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
lrwxrwxrwx 1 root root 48 Sep 5 07:44 /etc/postfix/smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
root@mf1:~# ls -hla /usr/local/ispconfig/interface/ssl/ispserver.*
lrwxrwxrwx 1 root root 46 Aug 30 09:20 /usr/local/ispconfig/interface/ssl/ispserver.crt -> /etc/letsencrypt/live/mf1.ic4.eu/fullchain.pem
-rwxr-x--- 1 root root 1.7K Aug 30 08:59 /usr/local/ispconfig/interface/ssl/ispserver.csr
lrwxrwxrwx 1 root root 44 Aug 30 09:20 /usr/local/ispconfig/interface/ssl/ispserver.key -> /etc/letsencrypt/live/mf1.ic4.eu/privkey.pem

PS. If I add a website alias to the mf1 website, does that also work for the postfix/dovecot cert?
Looks fine to me. What's important is that you use symlinks instead of editing the paths in postfix/dovecot config files. Yes, that should work as well.
As confirmed by @till, it should work, that is, after you disable, save, re-enable and save again the letsencrypt box in mf1, so that the original certs are expanded to cover the new website as well. For a multi-server setup, if you intend to use it by scp'ing or resyncing the certs folder to the mail server, it may be good to rename the copied /etc/letsencrypt/live/mf1.ic4.eu on the mail server to /etc/letsencrypt/live/mail.ic4.eu, or symlink to it after you are done. However, note that if your mail website is using the mail server FQDN but on a different public IP from mf1, then creating an alias website to mf1 as described above may not work. One idea I have not tested to fix that is to add both public IPs to the mail server FQDN, e.g. the mail.ic4.eu A records. Again, this solution is not tested, but in theory it is likely to work, as safe failover on one IP supposedly goes to the other IP in its A records.
I have different domains for smtp and imap. What I do is create a symlink directly to the live folder of Let's Encrypt, at /etc/letsencrypt/live/domain.name:

smtpd.cert -> cert.pem
smtpd.key -> privacy.pem
PS. When I temporarily removed Let's Encrypt, I of course lost the ISPC cert and had to use the IP to get it back.
Actually, you should not lose the ISPC certs if they are symlinked to its FQDN LE certs, as disabling and saving the LE box for mf1 supposedly won't remove the LE certs or their symlinks at all, because it only deactivates LE SSL for its website on port 443, not port 8080, unless you use your ISPConfig on port 443 with its hostname FQDN instead.
Maybe the smart move here would be to symlink only the Dovecot certs to the Let's Encrypt files? Though I have not noticed any problems with Postfix using the certs that come with the alias domains.
I think the LE certs created via alias domains are considered SAN certs, thus it should work with no problem.
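The thread's scheme relies on two things holding at once: the Postfix/Dovecot symlink chain must resolve to a real file (not a dangling link left behind after a Let's Encrypt disable/re-enable), and the certificate at the end of that chain must list the mail hostname in its subjectAltName, as the last post assumes. The script below is an added example, not code from ISPConfig or from any poster, that checks both plus a key/cert match. The paths and hostname arguments are whatever you pass in; the function names (`final_target`, `san_covers`, `key_matches_cert`, `check_mail_cert`) are this example's own, and it assumes a POSIX shell with `readlink -f` and the `openssl` CLI.

```shell
#!/bin/sh
# Verify a Postfix/Dovecot cert symlink chain and the certificate behind it.
# Example code (not from the thread or ISPConfig); function names are hypothetical.

# Print every hop of a symlink chain, ending with the final path.
resolve_chain() {
  p="$1"
  while [ -L "$p" ]; do
    t=$(readlink "$p")
    case "$t" in /*) ;; *) t="$(dirname "$p")/$t" ;; esac   # relative link target
    printf '%s -> %s\n' "$p" "$t"
    p="$t"
  done
  printf '%s\n' "$p"
}

# Print the regular file a path ultimately resolves to; fail if it dangles.
final_target() {
  f=$(readlink -f "$1") && [ -f "$f" ] && printf '%s\n' "$f"
}

# List the subjectAltName entries of a PEM certificate, one per line (e.g. DNS:host).
san_list() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Succeed only if the cert's SAN list contains exactly DNS:<hostname>.
san_covers() {
  san_list "$1" | grep -qx "DNS:$2"
}

# Succeed only if the private key's public half matches the certificate's.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Full check: <cert-symlink> <key-symlink> <mail-hostname>; returns non-zero on any failure.
check_mail_cert() {
  cert_link="$1"; key_link="$2"; host="$3"; rc=0
  echo "cert chain:"; resolve_chain "$cert_link"
  echo "key chain:";  resolve_chain "$key_link"
  cert=$(final_target "$cert_link") || { echo "FAIL: $cert_link does not resolve to a file"; rc=1; }
  key=$(final_target "$key_link")   || { echo "FAIL: $key_link does not resolve to a file"; rc=1; }
  [ "$rc" -eq 0 ] || return "$rc"
  san_covers "$cert" "$host" && echo "OK: SAN covers $host" \
    || { echo "FAIL: $host not in SAN:"; san_list "$cert"; rc=1; }
  key_matches_cert "$cert" "$key" && echo "OK: key matches cert" \
    || { echo "FAIL: key does not match cert"; rc=1; }
  return "$rc"
}

# Stand-alone usage: check_mail_cert /etc/postfix/smtpd.cert /etc/postfix/smtpd.key mail.example.test
if [ "$#" -eq 3 ]; then check_mail_cert "$@"; fi
```

Run it after every certificate renewal or after toggling the Let's Encrypt box in ISPConfig; a dangling symlink or a hostname missing from the SAN list is exactly the condition that makes a mail client start warning about the server certificate.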