I made a script to renew the SSL cert attached to Monit (and other services) from @ahrasis's Securing ISP tutorial:

Code:
#!/bin/bash
#This script is developed for renewing the cert used by Monit and other applications,
#which were given Let's Encrypt certs. Add it to a cronjob, e.g. each midnight.
#It compares the modification time of the Let's Encrypt cert with that of ispserver.pem
#and only rebuilds ispserver.pem (and restarts the services) when the cert is newer.
#useful converter https://www.epochconverter.com/

#modification time of the Let's Encrypt cert file, in epoch format
cert="/etc/letsencrypt/live/s1.poliman.net/cert.pem"
epoch_cert_current=$(stat -c "%Y" "$cert")

#modification time of ispserver.pem, in epoch format (0 if the file does not exist yet)
isppem="/usr/local/ispconfig/interface/ssl/ispserver.pem"
if [ -f "$isppem" ]; then
    epoch_ispcrt_current=$(stat -c "%Y" "$isppem")
else
    epoch_ispcrt_current=0
fi

cd /usr/local/ispconfig/interface/ssl || exit 1

if [ "$epoch_cert_current" -gt "$epoch_ispcrt_current" ]
then
    if [ -f "ispserver.pem" ]
    then
        #remove older ispserver.pem backups and keep only the newest copy
        rm -f ispserver.pem-*.bak
        mv ispserver.pem "ispserver.pem-$(date +"%y-%m-%d-%H:%M:%S").bak"
    fi
    #create the new ispserver.pem file with the right permissions
    #(umask 077 so the private key is never readable by others, not even for an instant)
    umask 077
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
    #restart the required services; add more if other services use this cert
    service monit restart
    #log events to log_file.log in /usr/local/ispconfig/interface/ssl
    echo "$(date +%y-%m-%d-%H:%M:%S) File ispserver.pem changed, so the script refreshed it and restarted services." >> log_file.log
else
    #log_file.log will be created in /usr/local/ispconfig/interface/ssl
    echo "$(date +%y-%m-%d-%H:%M:%S) Script thinks that certificate files are not renewed, so we don't have to refresh ispserver.pem." >> log_file.log
fi
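As an added example (not code from the post above or from the ISPConfig project), here is a content-based check: instead of trusting file dates, it rebuilds ispserver.pem only when the certificate embedded in it differs from the renewed cert.pem, and creates the new file as 0600 from the start. The function names and the parameterised paths are my assumptions; the real paths are the ones used in the script.

```shell
#!/bin/sh
# Added example, not the script from the post: decide whether ispserver.pem must be
# rebuilt by comparing the certificate it embeds with the Let's Encrypt cert.pem,
# instead of comparing file dates. Paths are parameters so the functions can be
# tried on constructed files; the real ones are those used in the post.

# Print the first certificate block of a PEM file (the leaf cert), skipping the
# private key and any chain certificates that follow it.
first_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/{p;/^-----END CERTIFICATE-----$/q;}' "$1"
}

# 0 when ispserver.pem ($2) already carries the certificate in cert.pem ($1),
# 1 when either file is missing or the pem carries a different (older) certificate.
pem_is_current() {
    [ -f "$1" ] && [ -f "$2" ] || return 1
    [ "$(first_cert "$1")" = "$(first_cert "$2")" ]
}

# Rebuild <ssl_dir>/ispserver.pem from ispserver.key + ispserver.crt ($1) when its
# certificate differs from cert.pem ($2). Prints "refreshed" or "unchanged" and
# returns 0; returns 1 if a source file is missing. Service reloads are the caller's job.
refresh_ispserver_pem() {
    ssl_dir="$1"; le_cert="$2"; pem="$1/ispserver.pem"
    [ -f "$ssl_dir/ispserver.key" ] && [ -f "$ssl_dir/ispserver.crt" ] && [ -f "$le_cert" ] || return 1
    if pem_is_current "$le_cert" "$pem"; then
        echo unchanged
        return 0
    fi
    # keep a timestamped backup, then build the new pem as 0600 from the start
    # (umask in a subshell), so the private key is never world-readable, not even briefly
    [ -f "$pem" ] && mv "$pem" "$pem-$(date +%y-%m-%d-%H:%M:%S).bak"
    (umask 077; cat "$ssl_dir/ispserver.key" "$ssl_dir/ispserver.crt" > "$pem") || return 1
    echo refreshed
}
```

From cron, run `refresh_ispserver_pem /usr/local/ispconfig/interface/ssl /etc/letsencrypt/live/s1.poliman.net/cert.pem` and reload Monit (and any other service using the pem) only when it prints refreshed.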
For Monit, reloading is enough. Also refreshing the other 2:
systemctl reload monit.service
systemctl reload postfix.service
systemctl restart pure-ftpd-mysql.service
Not sure what you mean by "refreshing", but normally we restart nginx or apache for a web server to ensure new certs are applied, just like monit in your script. Unfortunately, you did not describe how you secured monit in the first place, leaving readers in the dark on how that is supposed to "refresh" the new certs for monit. If you followed my tips, then you must know that not only is it set to use pure-ftpd.pem, i.e. a symlink to ispconfig.pem, but it will also need to be chmod 600 on its own, i.e. even after you have chmod'ed ispconfig.pem to 600. At least that is how it works in my tutorial.
Where should I describe it? Do you mean I should also add chmod 600 for the symlinked .pem files used by specific services like Monit, Pure-ftpd etc.?
I guess your program works because Letsencrypt will reload apache after it has renewed the SSL certificate. We only renew those services which have not been restarted.
Yes, exactly as you said. I only use monit, so I only restart the monit service. Of course somebody can add more. Each line has its own comment.