On Wed, Aug 18, 2021 at 11:04:10AM +0200, Marcel de Riedmatten <m...@dotforge.ch> wrote:
> On Wednesday, 18 August 2021 at 17:45 +1000, raf wrote:
> > I'll need to find out how to replace one certificate
> > with the other as well.
>
> Keep in mind that both certificates will have a different path. It goes
> so:
>
> 1) create the new certificate
> 2) add a TLSA record to the zone for the new key and wait
>    (distribution, caching and margin)
> 3) edit smtpd_tls_cert_file to point to the new certificate and reload
> 4) check everything is ok
> 5) revoke old certificate and clean up old TLSA record
>
> Still theory for me but what do you think ?
>
> --
> Marcel de Riedmatten

Thanks. At stage 3, you also need to get the webserver etc. to switch from
using one key to its duplicate. And revoking the certificate probably isn't
needed.

It's a very promising lead. I think I can see a way to use --duplicate to
set up a pair of online/offline certificates that usually both renew
automatically with --reuse-key, but occasionally/annually the offline
certificate gets a new key (by temporarily overriding the remembered
--reuse-key), and then publish a new TLSA record for it (one per port), and
then some TTLs later, switch their roles over by changing a symlink, and
reloading the webserver if it needs it (and dovecot), and then some TTLs
later, remove the old TLSA record(s). I think I could automate that for my
needs.

But I don't know yet how to temporarily override the --reuse-key equivalent
(reuse_key = True) that gets put in the config file when you use
--reuse-key. Ideally, it would be something like --no-reuse-key with
--disable-renew-updates but I can't see --no-reuse-key documented. I'll ask
about that on the LetsEncrypt community forum.

cheers,
raf
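The rollover steps quoted above (publish the new key's TLSA record, wait out the TTL, switch, then retire the old record) hinge on one fact: a "3 1 1" TLSA record is the SHA-256 of the certificate's DER SubjectPublicKeyInfo, so a renewal with `--reuse-key` leaves the record unchanged and only a fresh key needs a new record ahead of the switch. The following is an added example, not code from this thread or from Certbot or Postfix: it computes the 3 1 1 value from certificate DER with a minimal DER walker (no third-party library) and encodes the precondition for each step as a check over the set of hashes currently published in DNS. The owner name `_25._tcp.mail.example.com.` and the two "certificates" are constructed stand-ins that only mimic the outer X.509 layout, not real certificates.

```python
"""DANE TLSA 3 1 1 records and a rollover precondition check.

Added example, not code from the thread. Assumes certificate bytes in
DER (PEM users: base64-decode the body between the BEGIN/END lines).
"""
import hashlib


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int):
    """Parse the TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(seq_value: bytes):
    """Yield (tag, value) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(seq_value):
        tag, value, pos = read_tlv(seq_value, pos)
        yield tag, value


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of a Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = read_tlv(cert_der, 0)
    tbs_tag, tbs, _ = read_tlv(cert_body, 0)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    elems = list(children(tbs))
    if elems[0][0] == 0xA0:          # explicit [0] version present: skip it
        elems = elems[1:]
    tag, spki_body = elems[5]        # sixth field is subjectPublicKeyInfo
    return der(tag, spki_body)       # DER is canonical, so this is the original TLV


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tlsa_311(cert_der: bytes) -> str:
    """Certificate-association data of a TLSA 3 1 1 record (hex)."""
    return sha256_hex(extract_spki(cert_der))


def tlsa_rr(owner: str, cert_der: bytes) -> str:
    """Zone-file line for the given port/host owner name (e.g. _25._tcp.mail.example.com.)."""
    return f"{owner} IN TLSA 3 1 1 {tlsa_311(cert_der)}"


def rollover_check(published: set, active_cert: bytes, new_cert: bytes) -> str:
    """Which step of the rollover is safe, given the 3 1 1 hashes in DNS now."""
    act_h, new_h = tlsa_311(active_cert), tlsa_311(new_cert)
    if act_h not in published:
        return "BROKEN: no TLSA record for the key currently in service"
    if new_h == act_h:
        return "same key (--reuse-key renewal): no DNS change needed"
    if new_h not in published:
        return "publish the new record, then wait out the TLSA TTL before switching"
    return "both records published: switch once the TTL has passed, then remove the old one"


# --- constructed sample data (not real certificates or keys) -----------------
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"     # 1.2.840.113549.1.1.1


def fake_spki(key_fill: bytes) -> bytes:
    """SPKI-shaped TLV with a placeholder BIT STRING instead of a real key."""
    return der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + key_fill * 64))


def fake_cert(spki: bytes) -> bytes:
    """Certificate-shaped TLV: right field order, empty stand-in contents."""
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + spki)
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))


OLD_SPKI, NEW_SPKI = fake_spki(b"\x11"), fake_spki(b"\x22")
OLD_CERT, NEW_CERT = fake_cert(OLD_SPKI), fake_cert(NEW_SPKI)

if __name__ == "__main__":
    owner = "_25._tcp.mail.example.com."
    print(tlsa_rr(owner, OLD_CERT))
    print(tlsa_rr(owner, NEW_CERT))
    print(rollover_check({tlsa_311(OLD_CERT)}, OLD_CERT, NEW_CERT))
```

On a live system, feed `rollover_check` the hashes from the current `dig TLSA _25._tcp.<host>` answer, and run it once per port (25, 465, 993, ...) since each owner name carries its own RRset.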