On 09/10/2020 14:02, Gerald Galster wrote:
I have to say I'm totally baffled since I do nothing when LetsEncrypt renews 
the certificate.

I know the cert has been updated because the mail client asks me if I trust 
the certificate.

If it makes a difference I use the bash LetsEncrypt not the Python code.
I don't like all those dependencies certbot (python) installs, but it works 
flawlessly on CentOS.
On CentOS 8 you need to enable the EPEL *and* PowerTools repositories 
(/etc/yum/repos.d/...)

I've attached a small perl script that I call via cron 30 minutes after certbot 
starts which reloads services if necessary.

Best regards
Gerald



#!/usr/bin/perl
use strict;
use warnings;

# Count lineages whose cert.pem changed within the last day; certbot puts
# a fresh cert.pem under /etc/letsencrypt/live/<name>/ on every renewal.
my $reload = 0;

open(my $fh, '-|', 'find /etc/letsencrypt/live -mtime -1 -name cert.pem')
    or die "cannot run find: $!";
while (<$fh>) {
        chomp;
        next if !$_;
        $reload++;
}
close($fh);

# Something was renewed: reload every service that serves the certificates.
if ($reload) {
        system('/usr/bin/systemctl', 'reload', 'httpd');
        system('/usr/bin/systemctl', 'reload', 'postfix');
        system('/usr/bin/systemctl', 'reload', 'dovecot');
}


With certbot you can simply put a script in /etc/letsencrypt/renewal-hooks/deploy/:

#!/bin/sh
# deploy-hook-script.sh
# certbot runs this after a successful renewal with RENEWED_DOMAINS (the names
# on the renewed cert) and RENEWED_LINEAGE (its /etc/letsencrypt/live/... dir) set.

set -e

for domain in $RENEWED_DOMAINS; do
    case $domain in

        domain.com )
            chmod 600 "$RENEWED_LINEAGE/fullchain.pem"
            chmod 600 "$RENEWED_LINEAGE/privkey.pem"
            /usr/bin/systemctl reload dovecot
            /usr/bin/systemctl restart opensmtpd
        ;;

    esac
done
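As an added example (not code from either poster), here is a fuller deploy hook built on the same idea: it maps each renewed name to the services that present that certificate, reloads each service once, and refuses to reload at all if the new cert.pem and privkey.pem do not belong together. The hostnames and service names are assumptions to adapt.

```sh
#!/bin/sh
# Added example, not from the thread: a certbot deploy hook that reloads only
# the services serving the renewed names, after checking the new key pair.
# Hostnames and service names below are assumptions; adjust them to your hosts.
set -eu

# Map a renewed hostname to the services that present its certificate.
services_for_domain() {
    case "$1" in
        mail.example.com) echo "postfix dovecot" ;;
        www.example.com)  echo "httpd" ;;
        *)                echo "" ;;
    esac
}

# Deduplicate the services for all renewed names so each is reloaded once.
unique_services() {
    seen=" " out=""
    for d in "$@"; do
        for svc in $(services_for_domain "$d"); do
            case "$seen" in *" $svc "*) continue ;; esac
            seen="$seen$svc " out="${out:+$out }$svc"
        done
    done
    printf '%s\n' "$out"
}

# True only if cert.pem and privkey.pem in the lineage carry the same public
# key; reloading on a mismatched pair would break TLS on every mapped service.
keypair_matches() {
    c=$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# certbot runs each executable in renewal-hooks/deploy/ once per renewed
# lineage with RENEWED_LINEAGE and RENEWED_DOMAINS exported.
main() {
    lineage="${RENEWED_LINEAGE:?not invoked by certbot}"
    if ! keypair_matches "$lineage"; then
        logger -t certbot-deploy "key/cert mismatch in $lineage, not reloading"
        exit 1
    fi
    chmod 600 "$lineage/privkey.pem"          # never world-readable
    for svc in $(unique_services $RENEWED_DOMAINS); do
        logger -t certbot-deploy "reloading $svc for $RENEWED_DOMAINS"
        systemctl reload "$svc"
    done
}

[ -z "${RENEWED_LINEAGE:-}" ] || main   # no-op unless certbot set the variables
```

Drop it into /etc/letsencrypt/renewal-hooks/deploy/ and make it executable; the mismatch check is what keeps a half-written renewal from taking the mail services down.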
