ISPconfig - restart postfix and dovecot on letsencrypt certificate renewal

Discussion in 'Server Operation' started by tom.1, Jun 1, 2024.

  1. tom.1

    tom.1 New Member

    My server is set up according to the perfect server guide with ISPconfig debian apache postfix dovecot. DNS is done externally.

    In my setup a dedicated domain handles all provided services via subdomains. For mail services it uses mx.domain.com, imap.domain.com and smtp.domain.com.

    To provide SSL for the mail services I have created subdomains in ISPconfig and included them in the main domain's letsencrypt-certificate. I didn't want to have a wildcard-certificate for these services.
    The server certificate and key in /var/www/domain.com/ssl/ are symlinked to /etc/dovecot/private/dovecot.key and -.pem for dovecot and /etc/postfix/smtpd.cert and -.key for postfix.

    The problem was that upon certificate renewal dovecot and postfix needed to be restarted manually in order to deliver the renewed certificate.

    Is there a way built into ISPconfig that allows you to restart selected services if the le-certificate is renewed? I have tried to restart dovecot and postfix with a cronjob but it didn't hit the sweet spot. I had to restart them manually nevertheless.

    Since ISPconfig uses acme.sh to handle letsencrypt-certificates I found out that there is a parameter --reloadcmd in the acme.sh script which tells the script what other commands to invoke after renewing the certificate.
    Seeing this I've tried to modify the domain configuration for the acme.sh script, i.e. changing the --reloadcmd parameter to include reloading postfix and dovecot.

    Using
    Code:
    /root/.acme.sh/acme.sh --home "/root/.acme.sh" --info -d domain.com
    you can see that by default Le_ReloadCmd is set to "systemctl force-reload apache2.service"
    Unfortunately the parameter in the domain's conf-file (/root/.acme.sh/domain.com/domain.com.conf) is BASE64 encoded. You can't simply type in new commands.

    If you install the certificate manually you can extend this parameter. I did this with the following command:

    Code:
    /root/.acme.sh/acme.sh --home "/root/.acme.sh" --install-cert -d domain.com --key-file "/var/www/clients/client1/web1/ssl/domain.com-le.key" --fullchain-file "/var/www/clients/client1/web1/ssl/domain.com-le.crt" --reloadcmd "systemctl force-reload apache2.service;systemctl reload postfix;systemctl reload dovecot"
    According to a post in the letsencrypt it should be possible to use multiple commands in the parameter --reloadcmd this way.
    Looking at the files in /root/.acme.sh/domain.com/ this only updated the file domain.com.conf


    Now my question: I assume that changing things for this domain in ISPconfig e.g. adding a new subdomain will revert these changes. But will ISPconfig still be able to manage LE-certificates for this domain? Will this be persistent or will an update on any other domain controlled by ISPconfig revert these changes?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer
