Add scripting for cert renewal with certbot
This commit is contained in:
parent
313e4af215
commit
a57b976788
11
README.md
11
README.md
@ -71,3 +71,14 @@ SMTP_PASSWORD=smtp_user-password
|
|||||||
```
|
```
|
||||||
|
|
||||||
7. Test the configuration by sending an email from the end service.
|
7. Test the configuration by sending an email from the end service.
|
||||||
|
|
||||||
|
## Renewing Certs
|
||||||
|
|
||||||
|
In order to set up certs to autorenew, you can use a cron job. Perform the following steps as the root user. Note that this requires a bind9 DNS server set up for dynamic updates with a `tsig.key` file. See our [bind9](https://gitea.moeny.ai/moeny/bind9) repo for more details on this.
|
||||||
|
|
||||||
|
1. Add the content of [renew-mail-certs.sh](renew-mail-certs.sh) at `/usr/local/bin/renew-mail-certs.sh`.
|
||||||
|
2. Add the contents of [dns-rfc2136.ini](dns-rfc2136.ini) at `/etc/letsencrypt/dns-rfc2136.ini`. Don't forget to update the file with your own values.
|
||||||
|
3. Run `crontab -e` and add the following to it:
|
||||||
|
```
|
||||||
|
0 2 1 * * /usr/local/bin/renew-mail-certs.sh
|
||||||
|
```
|
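--- /dev/null
+++ b/etc/letsencrypt/dns-rfc2136.ini
@@ -0,0 +1,10 @@
+# Target DNS server
+dns_rfc2136_server = 100.40.223.166
+# TSIG key name
+dns_rfc2136_name = tsig-key
+# TSIG key secret
+dns_rfc2136_secret = your_secret_here
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA256
+# DNS zone to update
+dns_rfc2136_zone = moeny.ai.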
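Review bot: `dns_rfc2136_secret = your_secret_here` becomes a live TSIG signing key once filled in, and neither this file nor the README step that installs it at `/etc/letsencrypt/dns-rfc2136.ini` says the file must be root-only; certbot warns about group/world-readable credentials files, and whoever can read this key can push arbitrary dynamic updates to the zone it is granted on. Add a header comment: `# Holds a TSIG secret: install as root with mode 0600 (certbot warns on group/world-readable credentials files).` On the BIND side the key should be limited with an `update-policy` grant to TXT records under `_acme-challenge.moeny.ai` rather than the whole `moeny.ai.` zone; the referenced bind9 repo is outside this change, so I can't tell whether it already does, but a pointer comment next to `dns_rfc2136_zone` would help the next operator.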
@ -15,11 +15,6 @@ smtp inet n - y - - smtpd
|
|||||||
spamassassin unix - n n - - pipe
|
spamassassin unix - n n - - pipe
|
||||||
user=spamd argv=/usr/bin/spamc -f -e
|
user=spamd argv=/usr/bin/spamc -f -e
|
||||||
/usr/sbin/sendmail -oi -f ${sender} ${recipient}
|
/usr/sbin/sendmail -oi -f ${sender} ${recipient}
|
||||||
submission inet n - y - - smtpd
|
|
||||||
smtps inet n - y - - smtpd
|
|
||||||
-o syslog_name=postfix/submission
|
|
||||||
-o smtpd_tls_security_level=encrypt
|
|
||||||
-o smtpd_sasl_auth_enable=yes
|
|
||||||
#smtp inet n - y - 1 postscreen
|
#smtp inet n - y - 1 postscreen
|
||||||
#smtpd pass - - y - - smtpd
|
#smtpd pass - - y - - smtpd
|
||||||
#dnsblog unix - - y - 0 dnsblog
|
#dnsblog unix - - y - 0 dnsblog
|
||||||
|
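--- /dev/null
+++ b/usr/local/bin/renew-mail-certs.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# Script: /usr/local/bin/renew-mail-certs.sh
+
+# Set up logging
+LOG_FILE="/var/log/letsencrypt/renewal.log"
+TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
+
+# Ensure log directory exists
+mkdir -p "$(dirname "$LOG_FILE")"
+
+log() {
+echo "$TIMESTAMP - $1" >> "$LOG_FILE"
+echo "$1"
+}
+
+# Function to check if a service is active
+check_service() {
+if systemctl is-active --quiet "$1"; then
+return 0
+else
+return 1
+fi
+}
+
+# Function to restart a service safely
+restart_service() {
+local service=$1
+log "Attempting to restart $service..."
+
+if ! check_service "$service"; then
+log "WARNING: $service was not running before restart attempt"
+fi
+
+if systemctl restart "$service"; then
+if check_service "$service"; then
+log "$service restarted successfully"
+return 0
+else
+log "ERROR: $service failed to start after restart"
+return 1
+fi
+else
+log "ERROR: Failed to restart $service"
+return 1
+fi
+}
+
+# Main execution
+log "Starting certificate renewal process"
+
+# Attempt to renew certificates using RFC2136 (BIND9) DNS challenge
+if CERTBOT_LOG_LEVEL=debug certbot renew --force-renewal --preferred-challenges dns --authenticator dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns-rfc2136.ini -v; then
+log "Certificates were renewed successfully. Restarting services..."
+
+# Restart Postfix
+if ! restart_service postfix; then
+log "CRITICAL: Postfix restart failed"
+fi
+
+# Restart Dovecot
+if ! restart_service dovecot; then
+log "CRITICAL: Dovecot restart failed"
+fi
+
+log "Service restart completed"
+else
+log "ERROR: Certificate renewal failed"
+exit 1
+fi
+
+log "Certificate renewal process completed"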
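Review bot: `certbot renew --force-renewal` in the main section reissues every certificate on each run regardless of expiry, which burns the CA's duplicate-certificate rate limit and, paired with the README's `0 2 1 * *` cron line, means a failed run gets no retry for a month — one bad night can let a 90-day certificate lapse. Drop `--force-renewal`, run the job daily, and move the postfix/dovecot bounce into `--deploy-hook`, which fires only for lineages that actually changed, so the daemons are not restarted on the routine no-op run. Restart failures are also swallowed: `CRITICAL: Postfix restart failed` is logged but the script still exits 0, so cron never flags it; whether certbot itself exits non-zero on a failed deploy hook should be confirmed against the installed version, otherwise keep an explicit status variable. `TIMESTAMP` is evaluated once at startup, so every line in the log carries the start time; use `echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"` inside `log` instead. The hook below assumes both units define a reload action on the target distro — verify, or fall back to `systemctl restart`.
```shell
# … unchanged: LOG_FILE, log(), check_service(), restart_service() …

# Main execution
log "Starting certificate renewal process"

# No --force-renewal: certbot only reissues lineages inside its renewal
# window, so this is safe to run daily (e.g. `17 2 * * *`) and simply retries
# on the next run after a failure. --deploy-hook runs once per lineage that
# actually changed, so the mail daemons are not bounced on the no-op runs.
if certbot renew \
     --preferred-challenges dns \
     --authenticator dns-rfc2136 \
     --dns-rfc2136-credentials /etc/letsencrypt/dns-rfc2136.ini \
     --deploy-hook 'systemctl reload postfix && systemctl reload dovecot'; then
  log "certbot renew completed"
else
  log "ERROR: Certificate renewal failed"
  exit 1
fi
```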