On Sat, Mar 23, 2024 at 01:57:39PM +0100, Matthias Nagel via Postfix-users wrote:
> Also note that the file which is configured in
> `smtpd_tls_chain_files` is only a symbolic link, e.g.
>
> # ls -lha /etc/letsencrypt/live/my-host.my-domain.tld:smtps/fullchain.pem
> lrwxrwxrwx 1 root root 51 11. Mar 21:44 /etc/letsencrypt/live/my-host.my-domain.tld:smtps/fullchain.pem -> ../../archive/my-host.my-domain.tld:smtps/fullchain3.pem

Note that with `certbot`, the `fullchain.pem` file (its symlink target)
contains only the certificate chain, without the private key, which is
still in a separate file (the symlink target of): `privkey.pem`.  So you
don't get atomicity from `certbot`.

I don't consume `certbot` files directly, rather I use:

    https://github.com/tlsaware/danebot

Which works very well in steady-state.  What's missing are features like
built-in support for changing the list of domains to be renewed, which
sadly requires low-level fiddling with "certbot certonly --csr ...".
For example, I had recently needed to use:

    # Create a private key and CSR with the desired names
    ...

    # Obtain a new certificate
    certbot certonly --webroot --cert-name $(uname -n) --csr csr.pem \
        --cert-path $PWD/staging/$(uname -n)/newcert.pem \
        --fullchain-path $PWD/staging/$(uname -n)/newfull.pem \
        --chain-path $PWD/staging/$(uname -n)/newchain.pem

    # Then integrate these files into the archive directory, making
    # new symlinks, ...

This would ideally be automated, but requires tricky logic if it is to
support more than just --webroot, and even that requires a bit of extra
logic to specify the webroots correctly for existing and any new domains.

Perhaps I should be looking to switch to one of the other ACME clients.

-- 
    Viktor.
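The atomicity gap described above (key and chain living in two separately updated files) can be closed on the Postfix side by assembling one key-first file for `smtpd_tls_chain_files` and installing it with a single rename. The following POSIX shell deploy hook is an added example, not code from this message or from danebot; it assumes a certbot-style live directory containing `privkey.pem` and `fullchain.pem` (possibly symlinks) and an output path of your choosing.

```shell
#!/bin/sh
# Assemble privkey.pem + fullchain.pem into one file, key first as Postfix
# requires for smtpd_tls_chain_files, and install it atomically so a
# concurrent Postfix start never sees a partial or key/cert-mismatched file.

# pem_count FILE TYPE  -> number of "-----BEGIN ...TYPE-----" blocks in FILE
# (matches PRIVATE KEY as well as RSA/EC PRIVATE KEY headers)
pem_count() {
    grep -c -- "^-----BEGIN .*$2-----\$" "$1" 2>/dev/null || true
}

# assemble_chain LIVE_DIR OUT_FILE
#   Returns non-zero and leaves OUT_FILE untouched if the inputs are
#   missing or do not look like exactly one key plus at least one cert.
assemble_chain() {
    live=$1; out=$2
    key=$live/privkey.pem; chain=$live/fullchain.pem

    [ -r "$key" ] && [ -r "$chain" ] || {
        echo "assemble_chain: missing key or chain in $live" >&2; return 1; }
    [ "$(pem_count "$key" 'PRIVATE KEY')" -eq 1 ] || {
        echo "assemble_chain: expected exactly one private key" >&2; return 1; }
    [ "$(pem_count "$chain" CERTIFICATE)" -ge 1 ] || {
        echo "assemble_chain: no certificate found in chain" >&2; return 1; }

    # Temp file in the destination directory: rename(2) is atomic only
    # within one filesystem.  mktemp creates it with mode 0600.
    tmp=$(mktemp "$(dirname "$out")/.chain.XXXXXX") || return 1
    if ! cat "$key" "$chain" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
}
```

Hook it up with `certbot ... --deploy-hook`, then reload Postfix after the rename; the install step itself is the only thing Postfix can observe.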