> Note that with `certbot`, the `fullchain.pem` file [...]
> contains only the certificate chain, without the private key [...].
>
> So you don't get atomicity from `certbot`.

I know. I just opened a feature request: https://github.com/certbot/certbot/issues/9915

On Saturday, 23 March 2024, 16:25:47 CET, Viktor Dukhovni via Postfix-users wrote:
> On Sat, Mar 23, 2024 at 01:57:39PM +0100, Matthias Nagel via Postfix-users
> wrote:
>
> > Also note that the file which is configured in
> > `smtpd_tls_chain_files` is only a symbolic link, e.g.
> >
> > # ls -lha /etc/letsencrypt/live/my-host.my-domain.tld:smtps/fullchain.pem
> > lrwxrwxrwx 1 root root 51 11. Mar 21:44
> > /etc/letsencrypt/live/my-host.my-domain.tld:smtps/fullchain.pem ->
> > ../../archive/my-host.my-domain.tld:smtps/fullchain3.pem
>
> Note that with `certbot`, the `fullchain.pem` file (its symlink target)
> contains only the certificate chain, without the private key, which is
> still in a separate file (the symlink target of): `privkey.pem`.
>
> So you don't get atomicity from `certbot`. I don't consume `certbot`
> files directly, rather I use:
>
> https://github.com/tlsaware/danebot
>
> Which works very well in steady-state. What's missing are features like
> built-in support for changing the list of domains to be renewed, which
> sadly requires low-level fiddling with "certbot certonly --csr ...".
>
> For example, I had recently needed to use:
>
> # Create a private key and CSR with the desired names
> ...
>
> # Obtain a new certificate
> certbot certonly --webroot --cert-name $(uname -n) --csr csr.pem \
> --cert-path $PWD/staging/$(uname -n)/newcert.pem \
> --fullchain-path $PWD/staging/$(uname -n)/newfull.pem \
> --chain-path $PWD/staging/$(uname -n)/newchain.pem
>
> # Then integrate these files into the archive directory, making
> # new symlinks, ...
>
> This would ideally be automated, but requires tricky logic if it is to
> support more than just --webroot, and even that requires a bit of extra
> logic to specify the webroots correctly for existing and any new
> domains.
>
> Perhaps I should be looking to switch to one of the other ACME clients.

-- 
Matthias Nagel
Dachtlerstr. 2, 40499 Stuttgart, Germany
Landline: +49-711-25295180, Mobile: +49-151-15998774
E-mail: matthias.na...@mhnnet.de, Threema: 86VM8KN7
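The atomicity problem raised in the thread (certbot keeps `privkey.pem` and `fullchain.pem` as separate symlinks, so a reader can see a new key paired with an old chain) can be closed on the Postfix side by building the single key-plus-chain file that `smtpd_tls_chain_files` accepts and swapping it in with a rename. The script below is an added example for this post, not code from either participant or from certbot; the destination path `/etc/postfix/smtpd-chain.pem` is an assumption, and the deploy-hook branch relies on certbot's `RENEWED_LINEAGE` variable.

```shell
#!/bin/sh
# Added example (not from the thread): assemble the key+chain file that
# Postfix's smtpd_tls_chain_files can read and replace it atomically.
# The combined file is written to a temp file in the destination directory
# and rename(2)-ed over the old one, so any reader opening the path sees
# either the complete old pair or the complete new pair, never a mix.
set -eu

# install_chain_file KEY CHAIN DEST
# Concatenates KEY and CHAIN (key first, as Postfix expects) into DEST with
# mode 0600, via temp file + rename. Returns non-zero without touching DEST
# if either input does not look like the PEM object it should be.
install_chain_file() {
    icf_key=$1 icf_chain=$2 icf_dest=$3
    grep -q 'PRIVATE KEY-----' "$icf_key" || {
        echo "install_chain_file: no private key in $icf_key" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE-----' "$icf_chain" || {
        echo "install_chain_file: no certificate in $icf_chain" >&2; return 1; }
    icf_dir=$(dirname "$icf_dest")
    # mktemp creates the file with mode 0600; placing it beside DEST keeps it
    # on the same filesystem, so mv below is a rename rather than a copy.
    icf_tmp=$(mktemp "$icf_dir/.chain.XXXXXX")
    cat "$icf_key" "$icf_chain" > "$icf_tmp"
    chmod 0600 "$icf_tmp"
    mv -f "$icf_tmp" "$icf_dest"
}

# When certbot runs this script as a --deploy-hook, RENEWED_LINEAGE points at
# the live/<name> directory of the lineage just renewed. The Postfix-side
# destination path is an assumption for this example.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_chain_file "$RENEWED_LINEAGE/privkey.pem" \
        "$RENEWED_LINEAGE/fullchain.pem" /etc/postfix/smtpd-chain.pem
    postfix reload
fi
```

Point `smtpd_tls_chain_files` at the combined file rather than at the two certbot symlinks; the rename is what makes the key and chain change together.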