From a57b976788c64f158b105221c826c48bd8e62f24 Mon Sep 17 00:00:00 2001
From: moeny-matt
Date: Thu, 17 Apr 2025 16:51:25 -0400
Subject: [PATCH] Add scripting for cert renewal with certbot

---
 README.md                         | 13 +++++-
 etc/letsencrypt/dns-rfc2136.ini   | 10 +++++
 etc/postfix/master.cf             |  5 ---
 usr/local/bin/renew-mail-certs.sh | 72 +++++++++++++++++++++++++++++++
 4 files changed, 94 insertions(+), 6 deletions(-)
 create mode 100644 etc/letsencrypt/dns-rfc2136.ini
 create mode 100644 usr/local/bin/renew-mail-certs.sh

diff --git a/README.md b/README.md
index 92c0148..e875a20 100644
--- a/README.md
+++ b/README.md
@@ -70,4 +70,15 @@ SMTP_EMAIL=service@moeny.ai
 SMTP_PASSWORD=smtp_user-password
 ```
 
-7. Test the configuration by sending an email from the end service.
\ No newline at end of file
+7. Test the configuration by sending an email from the end service.
+
+## Renewing Certs
+
+In order to set up certs to autorenew, you can use a cron job. Perform the following steps as the root user. Note that this requires a bind9 DNS server set up for dynamic updates with a `tsig.key` file. See our [bind9](https://gitea.moeny.ai/moeny/bind9) repo for more details on this.
+
+1. Add the content of [renew-mail-certs.sh](renew-mail-certs.sh) at `/usr/local/bin/renew-mail-certs.sh`.
+2. Add the contents of [dns-rfc2136.ini](dns-rfc2136.ini) at `/etc/letsencrypt/dns-rfc2136.ini`. Don't forget to update the file with your own values.
+3. Run `crontab -e` and add the following to it:
+```
+0 2 1 * * /usr/local/bin/renew-mail-certs.sh
+```
\ No newline at end of file
diff --git a/etc/letsencrypt/dns-rfc2136.ini b/etc/letsencrypt/dns-rfc2136.ini
new file mode 100644
index 0000000..46ef8ea
--- /dev/null
+++ b/etc/letsencrypt/dns-rfc2136.ini
@@ -0,0 +1,10 @@
+# Target DNS server
+dns_rfc2136_server = 100.40.223.166
+# TSIG key name
+dns_rfc2136_name = tsig-key
+# TSIG key secret
+dns_rfc2136_secret = your_secret_here
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA256
+# DNS zone to update
+dns_rfc2136_zone = moeny.ai.
\ No newline at end of file
diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf
index a3d2c32..69f368f 100644
--- a/etc/postfix/master.cf
+++ b/etc/postfix/master.cf
@@ -15,11 +15,6 @@ smtp      inet  n       -       y       -       -       smtpd
 spamassassin unix -     n       n       -       -       pipe
   user=spamd argv=/usr/bin/spamc -f -e
   /usr/sbin/sendmail -oi -f ${sender} ${recipient}
-submission inet n       -       y       -       -       smtpd
-smtps     inet  n       -       y       -       -       smtpd
-  -o syslog_name=postfix/submission
-  -o smtpd_tls_security_level=encrypt
-  -o smtpd_sasl_auth_enable=yes
 #smtp      inet  n       -       y       -       1       postscreen
 #smtpd     pass  -       -       y       -       -       smtpd
 #dnsblog   unix  -       -       y       -       0       dnsblog
diff --git a/usr/local/bin/renew-mail-certs.sh b/usr/local/bin/renew-mail-certs.sh
new file mode 100644
index 0000000..ed9f703
--- /dev/null
+++ b/usr/local/bin/renew-mail-certs.sh
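Review bot: Nothing in this commit sets the permissions of `/etc/letsencrypt/dns-rfc2136.ini`, yet once the `dns_rfc2136_secret` placeholder is replaced it holds a live TSIG key that authorizes dynamic updates to the entire `moeny.ai.` zone, so any local user who can read it can publish arbitrary records — including the `_acme-challenge` TXT records used to obtain certificates for the domain. The README step that installs the file should be followed by `chmod 600 /etc/letsencrypt/dns-rfc2136.ini` (certbot's dns-rfc2136 plugin, as far as I recall, only warns rather than refuses when the file is group- or world-readable), and a comment at the top of the file such as `# Root-only (chmod 600): this TSIG key grants update rights on the whole zone.` would make the requirement visible where the secret lives. Since the key is zone-wide, it is also worth confirming that the bind9 side uses an `update-policy` restricting this key to `_acme-challenge` TXT names rather than a blanket `allow-update` — that cannot be seen from this file, so treat it as a question for the bind9 repo.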
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# Script: /usr/local/bin/renew-mail-certs.sh
+
+# Set up logging
+LOG_FILE="/var/log/letsencrypt/renewal.log"
+TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
+
+# Ensure log directory exists
+mkdir -p "$(dirname "$LOG_FILE")"
+
+log() {
+    echo "$TIMESTAMP - $1" >> "$LOG_FILE"
+    echo "$1"
+}
+
+# Function to check if a service is active
+check_service() {
+    if systemctl is-active --quiet "$1"; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+# Function to restart a service safely
+restart_service() {
+    local service=$1
+    log "Attempting to restart $service..."
+
+    if ! check_service "$service"; then
+        log "WARNING: $service was not running before restart attempt"
+    fi
+
+    if systemctl restart "$service"; then
+        if check_service "$service"; then
+            log "$service restarted successfully"
+            return 0
+        else
+            log "ERROR: $service failed to start after restart"
+            return 1
+        fi
+    else
+        log "ERROR: Failed to restart $service"
+        return 1
+    fi
+}
+
+# Main execution
+log "Starting certificate renewal process"
+
+# Attempt to renew certificates using RFC2136 (BIND9) DNS challenge
+if CERTBOT_LOG_LEVEL=debug certbot renew --force-renewal --preferred-challenges dns --authenticator dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns-rfc2136.ini -v; then
+    log "Certificates were renewed successfully. Restarting services..."
+
+    # Restart Postfix
+    if ! restart_service postfix; then
+        log "CRITICAL: Postfix restart failed"
+    fi
+
+    # Restart Dovecot
+    if ! restart_service dovecot; then
+        log "CRITICAL: Dovecot restart failed"
+    fi
+
+    log "Service restart completed"
+else
+    log "ERROR: Certificate renewal failed"
+    exit 1
+fi
+
+log "Certificate renewal process completed"
\ No newline at end of file
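Review bot: `--force-renewal` on the `certbot renew` line re-issues every certificate on each monthly run whether or not it is near expiry, which spends Let's Encrypt's duplicate-certificate limit for no benefit, and because the restart branch keys off certbot's exit status rather than off whether anything actually changed, Postfix and Dovecot are restarted unconditionally; worse, a restart failure is logged as CRITICAL but the script still exits 0, so cron never flags it. Drop `--force-renewal` (certbot then applies its own 30-day threshold and the cron entry can safely run daily), use a `--deploy-hook` marker so the restart branch runs only when a certificate was actually replaced, and propagate restart failures through the exit code. `set -euo pipefail` after the shebang would stop the script from running on past unexpected failures, and computing the timestamp inside `log` (`echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"`) would make log lines carry the event time instead of the start time, which matters when reading an incident timeline. The main section rewritten along those lines:
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: LOG_FILE, log(), check_service(), restart_service() …

# Main execution
log "Starting certificate renewal process"

# No --force-renewal: certbot renews only certificates within 30 days of
# expiry, so this can run daily without hitting issuance rate limits.
# The deploy hook fires only when a certificate was actually replaced;
# the marker file tells us whether the mail services need a restart.
MARKER=/run/renew-mail-certs.renewed
rm -f "$MARKER"
if ! certbot renew \
        --preferred-challenges dns \
        --authenticator dns-rfc2136 \
        --dns-rfc2136-credentials /etc/letsencrypt/dns-rfc2136.ini \
        --deploy-hook "touch $MARKER"; then
    log "ERROR: Certificate renewal failed"
    exit 1
fi

if [[ ! -e "$MARKER" ]]; then
    log "No certificates were due for renewal; nothing to restart"
    exit 0
fi
rm -f "$MARKER"

log "Certificates were renewed successfully. Restarting services..."
rc=0
# Restart failures must be visible to cron, so propagate them in the exit code.
restart_service postfix || { log "CRITICAL: Postfix restart failed"; rc=1; }
restart_service dovecot || { log "CRITICAL: Dovecot restart failed"; rc=1; }
log "Service restart completed"
exit "$rc"
```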