Services not restarted automatically when certificate renews

Discussion in 'Installation/Configuration' started by Taleman, Jun 12, 2023.

  1. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    • Debian GNU/Linux 10.13
    • certbot 0.31.0-1+deb10u1
    • ISPConfig 3.2.9
    It looks to me like services such as dovecot and postfix are not restarted when the server LE certificate is renewed. Today the host had an uptime of 70 days, and e-mail clients showed the certificate had expired. There was a new certificate, with 60 days left before expiry.
    I restarted dovecot and postfix, then e-mail clients stopped complaining about the expired certificate.
    This may have been going on forever; I seldom have long uptime. This time no installed updates required a reboot, so the host stayed up (I relied on unattended-upgrades).
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It depends on how this cert was created. If it was created by the ISPConfig installer, then the services will get (or at least should get) restarted automatically by certbot. If the SSL cert for these services is created by using an SSL cert from a website in ISPConfig, which is then symlinked, then services do not get restarted.
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    No, certbot from the stock Debian repo.
    I plan to upgrade from Debian 10 to 11 soon, then certbot gets updated also.
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    How did you set up the certs for Dovecot and Postfix? Like Till said, the services won't restart if you symlinked them to a website cert. A separate script is necessary in that case.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If you installed the LE certs properly, i.e. via ISPConfig install / update, which I expect @Taleman would, I'd check the renewal conf, which should have the link to the script, which should never fail since it is run on a hook basis, i.e. if the certs are renewed, the script will run, thus all services will be restarted as well.

    I'd also check the log if there is any record complaining anything about the script.

    I also think certbot installed via is no longer working properly since there were several complaints about renewal failure, but this is the first time I heard about its failure to restart services via the ISPConfig hook script, if that is true.

    In any event, I no longer use apt and remove certbot installed by it since official certbot site recommended it to be installed via snapd, so that's why I asked about it earlier.
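
Added example, not part of any post in this thread and not ISPConfig or certbot code: a check for the symptom described above, where the renewed certificate is on disk but a long-running daemon still presents the old one. It assumes the services listen on implicit-TLS ports (such as IMAPS 993 or SMTPS 465); the function names, the command-line form and the sample PEM blocks are constructed for illustration.

```python
"""Added example: detect a service still serving the pre-renewal certificate."""
import base64
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM file (the leaf in a fullchain)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def fetch_served_pem(host, port):
    """Leaf presented on an implicit-TLS port (IMAPS 993, SMTPS 465).
    No CA check is done, so an already expired certificate is still returned.
    STARTTLS ports (25, 143, 587) are not handled here."""
    return ssl.get_server_certificate((host, port))

def stale_services(disk_pem, served):
    """served maps a label to the PEM it presents; return the labels whose
    leaf differs from the one on disk, i.e. daemons needing a reload/restart."""
    wanted = leaf_fingerprint(disk_pem)
    return sorted(n for n, pem in served.items() if leaf_fingerprint(pem) != wanted)

def _constructed_pem(marker):
    # Constructed placeholder bytes in a PEM wrapper, not a real certificate.
    body = base64.encodebytes(marker * 8).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

SAMPLE_OLD = _constructed_pem(b"constructed-old-leaf")
SAMPLE_NEW = _constructed_pem(b"constructed-new-leaf")
SAMPLE_CHAIN = SAMPLE_NEW + _constructed_pem(b"constructed-intermediate")

if __name__ == "__main__":
    if len(sys.argv) > 2:   # usage: check.py <cert-file> host:port [host:port ...]
        with open(sys.argv[1]) as fh:
            disk = fh.read()
        served = {t: fetch_served_pem(t.rsplit(":", 1)[0], int(t.rsplit(":", 1)[1]))
                  for t in sys.argv[2:]}
    else:                   # offline demo on the constructed samples
        disk = SAMPLE_CHAIN
        served = {"dovecot": SAMPLE_OLD, "postfix": SAMPLE_NEW}
    stale = stale_services(disk, served)
    print("stale:", ", ".join(stale) if stale else "none")
    sys.exit(1 if stale else 0)
```

Run from cron or a monitoring agent, the non-zero exit status flags a missed restart before the old certificate expires in the clients.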
     
