I upgraded Postfix and Dovecot (with apt) and during the upgrade both certificate location definitions in both configs were reset to defaults, which is /etc/postfix/smtpd.cert & smtpd.key. This of course caused TLS cert change errors with clients until I changed the cert configs back to the correct Let's Encrypt paths. I think it's also a good idea to symlink those two files, but since Dovecot also resets to point to /etc/postfix/smtpd.cert I think we might need to make its config immutable? Any ideas?
Do not change the paths in the files, instead change the ssl certs on the original paths or replace them with symlinks to a cert.
I would agree. I have symlinks from /etc/postfix/smtpd.cert and smtpd.key to /etc/letsencrypt/live/domain/fullchain.pem and privacy.pem ;-) That way upgrades don't break the certificates.
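The symlink approach described in the two posts above, written out as a small POSIX shell script. This is an added example, not code posted by anyone in the thread. It assumes the Let's Encrypt live directory is /etc/letsencrypt/live/DOMAIN (with fullchain.pem and privkey.pem) and that Postfix, and in this setup also Dovecot, read /etc/postfix/smtpd.cert and /etc/postfix/smtpd.key; the function names and the .bak backup convention are my own. Because the default paths now resolve to the real certificate, a package upgrade that resets the config back to those defaults no longer breaks TLS.

```shell
#!/bin/sh
# Added example: point Postfix's default cert/key files at the Let's Encrypt
# live directory via symlinks, so configs reset to defaults still work.
# Usage (as root): link_certs /etc/letsencrypt/live/mail.example.com /etc/postfix
# Paths and names are assumptions; adjust for your system.

link_certs() {
    # $1 = Let's Encrypt live dir, $2 = directory holding smtpd.cert/smtpd.key
    le_dir=$1
    pf_dir=$2
    for pair in "fullchain.pem:smtpd.cert" "privkey.pem:smtpd.key"; do
        src=${pair%%:*}
        dst=${pair##*:}
        if [ ! -r "$le_dir/$src" ]; then
            echo "missing $le_dir/$src" >&2
            return 1
        fi
        # Keep the distro's self-signed file around as .bak before replacing it.
        if [ -f "$pf_dir/$dst" ] && [ ! -L "$pf_dir/$dst" ]; then
            mv "$pf_dir/$dst" "$pf_dir/$dst.bak"
        fi
        # -f replaces an existing link, -n keeps a link-to-directory from being followed.
        ln -sfn "$le_dir/$src" "$pf_dir/$dst"
    done
}

verify_link() {
    # Print the link target; fail if $1 is not a symlink to an existing file.
    [ -L "$1" ] && [ -e "$1" ] && readlink "$1"
}

cert_key_match() {
    # Compare the public key in the cert with the one derived from the private key.
    # Needs openssl; returns 0 when they match, 1 otherwise.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

reload_mail_services() {
    # Both daemons load the cert at startup; reload so the new link is picked up.
    command -v postfix >/dev/null 2>&1 && postfix reload
    command -v doveadm >/dev/null 2>&1 && doveadm reload
    return 0
}
```

After linking, run cert_key_match on the two files and check `openssl s_client -starttls smtp -connect mail.example.com:25` from a client to confirm the served chain is the Let's Encrypt one. Note that certbot's live/ entries are themselves symlinks into archive/, so the links above keep following renewals without further changes; only the reload is still needed after each renewal.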
It would be simpler to just use the smtp.domain.com cert rather than both smtp. & imap. certs, because for some reason Dovecot automatically resets the cert path in its conf file back to the default Postfix SMTP cert path every time Dovecot is updated. I have prevented this with chattr +i /etc/dovecot/dovecot.conf
You'll need to be the root user for these commands to work; otherwise, prefix them with sudo.
1. Install git
2. Download LetsEncrypt and change directory
3. By default LetsEncrypt wants to operate on port 80, which will probably conflict with Apache, so instead we set up mod_proxy and mod_proxy_http so LetsEncrypt can be proxied via another port (in this example I'll use 9999).
4. Edit proxy.conf
5. Add this to the file; if the <IfModule mod_proxy.c>…</IfModule> tags already exist you can re-use them
6. Restart Apache again
7. Generate the LetsEncrypt certificates for your domain (change example.com to your domain name)
8. You should now have some nice new certificates
9. In ISPConfig go to: Websites -> example.com -> Domain. Check the SSL checkbox and Save.
10. In ISPConfig go to: Websites -> example.com -> SSL. Enter values in the State, Locality, Organisation, Organisation Unit, Country fields and then at the bottom of the page under SSL Action select Create Certificate and click Save.
11. You might have to wait a minute for ISPConfig
12. The next step is to remove the ISPConfig certs and add the symlinks
13. Finally restart Apache again
14. According to the docs: "The letsencrypt tool will keep track of certificate expiration and renew certificates automatically by default." But I can't see anything new in cron.daily or cron.hourly, and looking at the user guide it says "Let's Encrypt is working hard on automating the renewal process. Until the tool is ready, we are sorry for the inconvenience!" Also, while the service is in beta testing they recommend renewing the certificates before they expire (normally after 90 days). So in order to prompt a renewal you can run the same command again.
@Sarah Bishop ISPC 3.1 and newer has automated Let's Encrypt support for websites integrated. No need to go through those hoops.
Yes. Please ignore Sarah's well-meaning post. It just confuses the issue. My first post on this thread is still valid.
I posted a new thread that touches on this one at https://www.howtoforge.com/community/threads/perfect-server-multi-certs-for-dovecot-postfix.78797/ I think this post is getting a bit stale, since even the topic should now be "with Certbot".