On 09/10/2020 14:02, Gerald Galster wrote:
I have to say I'm totally baffled since I do nothing when LetsEncrypt renews the certificate.
I know the cert has been updated because the mail clients ask me if I trust the certificate.
If it makes a difference, I use the bash LetsEncrypt, not the Python code. I don't like all those dependencies certbot (python) installs, but it works flawlessly on CentOS. On CentOS 8 you need to enable the EPEL *and* PowerTools repositories (/etc/yum/repos.d/...)
I've attached a small perl script that I call via cron 30 minutes after certbot starts which reloads services if necessary.
Best regards,
Gerald
#!/usr/bin/perl
use strict;
use warnings;

# Count cert.pem files under /etc/letsencrypt/live modified in the last 24 hours
my $reload = 0;
open(my $ff, '-|', 'find /etc/letsencrypt/live -mtime -1 -name cert.pem')
    or die "cannot run find: $!";
while (<$ff>) {
    chomp;
    next if !$_;
    $reload++;
}
close($ff);

# A renewed lineage was found: reload the services that serve the certificates
if ($reload) {
    system("/usr/bin/systemctl reload httpd");
    system("/usr/bin/systemctl reload postfix");
    system("/usr/bin/systemctl reload dovecot");
}
With certbot you can simply put a script in /etc/letsencrypt/renewal-hooks/deploy/:
#!/bin/sh
# deploy-hook-script.sh
set -e

for domain in $RENEWED_DOMAINS; do
    case $domain in
        domain.com )
            chmod 600 "$RENEWED_LINEAGE/fullchain.pem"
            chmod 600 "$RENEWED_LINEAGE/privkey.pem"
            /usr/bin/systemctl reload dovecot
            /usr/bin/systemctl restart opensmtpd
            ;;
    esac
done
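As an added example, not code from the thread and not certbot's own: a deploy hook in the same spirit as the shell hook above and the cron/perl approach earlier in the thread, which additionally checks the thing the original question was really about, namely whether each service actually picked up the renewed certificate after the reload. It reloads only the units mapped to the renewed domains, then reconnects to each unit's TLS port and compares the fingerprint of the served leaf with the first certificate in the renewed fullchain.pem. The SERVICE_MAP (domain to unit/port pairs), the file name verify-reload.py, and the assumption that the probed ports speak implicit TLS (993, 465, 443, not STARTTLS on 587) are mine, not the thread's; the PEM data at the bottom is constructed so the helpers run without certbot.

```python
#!/usr/bin/env python3
"""Certbot deploy hook (added example): reload only the services that use a
renewed lineage, then confirm each service now presents the renewed leaf.

Assumptions not taken from the thread: SERVICE_MAP is invented, the hook is
installed as /etc/letsencrypt/renewal-hooks/deploy/verify-reload.py and made
executable, and the checked ports speak implicit TLS (IMAPS 993, submissions
465, HTTPS 443), not STARTTLS."""
import base64
import hashlib
import os
import socket
import ssl
import subprocess
import sys

# Hypothetical mapping from a renewed domain to the (unit, port) pairs that
# serve its certificate. Adjust to the real deployment.
SERVICE_MAP = {
    "domain.com": [("dovecot", 993), ("postfix", 465), ("httpd", 443)],
}

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def fingerprint_of_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as lowercase hex (what
    'openssl x509 -fingerprint -sha256' prints, without the colons)."""
    return hashlib.sha256(der).hexdigest()


def leaf_fingerprint(fullchain_pem: str) -> str:
    """Fingerprint of the first certificate in fullchain.pem: certbot writes
    the leaf first, followed by the intermediates."""
    start = fullchain_pem.index(PEM_HEADER)
    end = fullchain_pem.index(PEM_FOOTER, start) + len(PEM_FOOTER)
    der = ssl.PEM_cert_to_DER_cert(fullchain_pem[start:end])
    return fingerprint_of_der(der)


def services_for(domains, service_map=SERVICE_MAP):
    """Units affected by the renewed domains, each with the port to verify,
    deduplicated so a unit is reloaded once per hook run."""
    seen = {}
    for domain in domains:
        for unit, port in service_map.get(domain, []):
            seen.setdefault(unit, port)
    return seen


def served_fingerprint(host: str, port: int, timeout: float = 5.0) -> str:
    """Fingerprint of the certificate a TLS listener actually presents.
    Chain verification is disabled on purpose: the question is which cert
    is being served, not whether it chains to a trusted root."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint_of_der(tls.getpeercert(binary_form=True))


def reload_and_verify(domains, fullchain_pem, host, service_map=SERVICE_MAP,
                      reload=lambda unit: subprocess.run(
                          ["/usr/bin/systemctl", "reload", unit], check=True),
                      probe=served_fingerprint):
    """Reload each affected unit and compare what it serves with the renewed
    leaf. Returns {unit: bool}; False means the unit still presents an old
    certificate and needs attention. reload/probe are injectable for tests."""
    expected = leaf_fingerprint(fullchain_pem)
    results = {}
    for unit, port in services_for(domains, service_map).items():
        reload(unit)
        results[unit] = probe(host, port) == expected
    return results


# Constructed sample data (not real certificates) so the helpers can be
# exercised without certbot; PEM_cert_to_DER_cert only base64-decodes.
SAMPLE_LEAF_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_INTERMEDIATE_DER = b"constructed placeholder intermediate"
SAMPLE_FULLCHAIN = "".join(
    f"{PEM_HEADER}\n{base64.encodebytes(der).decode()}{PEM_FOOTER}\n"
    for der in (SAMPLE_LEAF_DER, SAMPLE_INTERMEDIATE_DER))

if __name__ == "__main__":
    # certbot exports these two variables to deploy hooks
    domains = os.environ.get("RENEWED_DOMAINS", "").split()
    lineage = os.environ.get("RENEWED_LINEAGE", "")
    if not domains or not lineage:
        sys.exit("expected RENEWED_DOMAINS and RENEWED_LINEAGE from certbot")
    with open(os.path.join(lineage, "fullchain.pem")) as fh:
        outcome = reload_and_verify(domains, fh.read(), domains[0])
    for unit, ok in outcome.items():
        print(f"{unit}: {'serving renewed cert' if ok else 'STILL SERVING OLD CERT'}")
    sys.exit(0 if all(outcome.values()) else 1)
```

Installed in /etc/letsencrypt/renewal-hooks/deploy/ and made executable, it runs once per renewed lineage with RENEWED_DOMAINS and RENEWED_LINEAGE in the environment, exactly like the shell hook above. The point of probing after the reload is that a reload which silently fails (or a unit that was never configured to read the new lineage) otherwise shows up only as the "do you trust this certificate" prompt described at the top of the thread; the non-zero exit makes that condition visible in certbot's log instead.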