I just noticed the LE certificate postfix and dovecot use is not renewed. Host with Debian 12 and ISPConfig latest was installed 10th February, and the certificate created then expired today. Host certificate is renewed, it still has 59 days left. I think this is because host has website named hostname -f. That has not caused problems before on the old hosts, this new host must be somehow different. Actually, now I remember the old host used certbot, this has acme.sh. Should I link the smtpd.{cert|key} files in /etc/postfix to the /root/.acme.sh/ ... files for the website? Going to URL hostname -f works with SSL, and browser shows certificate was renewed 10th April. Or is there some other way to fix the links to point to the correct certificate files?
There may be something else going on:

Code:
root@posti:/etc/postfix# ls -lh /usr/local/ispconfig/interface/ssl/
total 48K
drwxr-x--- 2 root      root      4.0K Feb 10 13:06 .
drwxr-x--- 9 ispconfig ispconfig 4.0K Dec 20 21:47 ..
-rwxr-x--- 1 root      root       768 Feb 10 13:07 dhparam4096.pem
-rwxr-x--- 1 root      root        45 Feb 10 13:07 empty.dir
-rwxr-x--- 1 root      root      3.9K Feb 10 13:06 ispserver.crt
-rwxr-x--- 1 root      root      2.0K Feb 10 13:06 ispserver.crt-20240210110647.bak
-rwxr-x--- 1 root      root      3.2K Feb 10 13:06 ispserver.key
-rwxr-x--- 1 root      root      3.2K Feb 10 13:06 ispserver.key-20240210110647.bak
-rwxr-x--- 1 root      root      7.1K Feb 10 13:06 ispserver.pem
-rwxr-x--- 1 root      root      5.2K Feb 10 13:06 ispserver.pem-20240210110647.bak
root@posti:/etc/postfix#

So those are not renewed. I tried ispconfig_update.sh --force, and answered yes

Code:
Create new ISPConfig SSL certificate (yes,no) [no]: yes

Now I got new files there:

Code:
root@posti:~# ls -lh /usr/local/ispconfig/interface/ssl/
total 64K
drwxr-x--- 2 root      root      4.0K May 10 13:55 .
drwxr-x--- 9 ispconfig ispconfig 4.0K Dec 20 21:47 ..
-rwxr-x--- 1 root      root       768 May 10 13:55 dhparam4096.pem
-rwxr-x--- 1 root      root        45 May 10 13:55 empty.dir
-rwxr-x--- 1 root      root      3.9K May 10 13:55 ispserver.crt
-rwxr-x--- 1 root      root      2.0K Feb 10 13:06 ispserver.crt-20240210110647.bak
-rwxr-x--- 1 root      root      3.9K May 10 13:55 ispserver.crt-20240510105502.bak
-rwxr-x--- 1 root      root      3.2K May 10 13:55 ispserver.key
-rwxr-x--- 1 root      root      3.2K Feb 10 13:06 ispserver.key-20240210110647.bak
-rwxr-x--- 1 root      root      3.2K May 10 13:55 ispserver.key-20240510105502.bak
-rwxr-x--- 1 root      root      7.1K May 10 13:55 ispserver.pem
-rwxr-x--- 1 root      root      5.2K Feb 10 13:06 ispserver.pem-20240210110647.bak
-rwxr-x--- 1 root      root      7.1K May 10 13:55 ispserver.pem-20240510105502.bak
root@posti:~#

Now postfix and dovecot use this new certificate. What is misconfigured since cert is not renewed automatically?
Yes, that's the reason. acme.sh and certbot work differently in this regard. acme.sh installs the cert into the final location itself. By creating a site with the system hostname, you changed the cert location from ISPConfig's SSL cert folder to the website's SSL cert folder, so the ISPConfig cert cannot be updated anymore.

Yes, you can find the required commands for that here: https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
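
A check for the situation in this thread, where the website certificate for the hostname is renewed but the file Postfix and Dovecot load is not. This is an added example, not part of the original posts or of ISPConfig; the function names and the 14-day threshold are assumptions, and the website certificate path is passed as an argument because the thread does not give it in full.

```shell
#!/bin/sh
# Added example (not from the thread): detect a mail certificate that was left
# behind when the website certificate for the same hostname was renewed.

# SHA-256 fingerprint of a PEM certificate file (empty output if unparsable).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeeds if the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# mail_cert_status MAIL_CERT WEB_CERT [MIN_DAYS]
# Prints one of:
#   in-sync      mail and web use the same certificate, and it is valid
#   separate-ok  different certificates, mail one valid beyond MIN_DAYS
#   stale        different certificates, mail one expired or expiring
#   expiring     same certificate, expired or expiring
#   unreadable   a file is missing or is not a PEM certificate
mail_cert_status() {
    mail_cert=$1
    web_cert=$2
    min_days=${3:-14}   # assumed warning threshold in days
    mail_fp=$(cert_fingerprint "$mail_cert")
    web_fp=$(cert_fingerprint "$web_cert")
    if [ -z "$mail_fp" ] || [ -z "$web_fp" ]; then
        echo unreadable; return 2
    fi
    if [ "$mail_fp" = "$web_fp" ]; then same=yes; else same=no; fi
    if cert_valid_for_days "$mail_cert" "$min_days"; then
        [ "$same" = yes ] && echo in-sync || echo separate-ok
        return 0
    fi
    [ "$same" = yes ] && echo expiring || echo stale
    return 1
}

# Command-line use: script MAIL_CERT WEB_CERT [MIN_DAYS]
if [ "$#" -ge 2 ]; then
    mail_cert_status "$@"
fi
```

Run it from cron with /etc/postfix/smtpd.cert as the first argument and the website's certificate file as the second; a non-zero exit status means the mail certificate needs attention.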