Hi Aki,
It doesn't happen very often, but the certificate renewal can fail, so it's best to check daily. certbot will only try to renew those certificates that are about to expire in a few weeks.
I'm using a little perl script via cron which may be more flexible:
#!/usr/bin/perl
use strict;
use warnings;

my $reload_count = 0;

# certbot re-creates the cert.pem symlinks under /etc/letsencrypt/live when it
# renews, so anything modified within the last day has just been renewed
open(FF, "find /etc/letsencrypt/live -mtime -1 -name cert.pem |") or die "find: $!";
while (<FF>) {
    chomp;
    next if !$_;
    system("/usr/bin/logger \"sslreload: ssl certificate $_ needs reload after renew\"");
    $reload_count++;
}
close(FF);

if ($reload_count) {
    system("/usr/bin/logger \"sslreload: $reload_count certificates changed, reloading services\"");
    # list all your affected services or rsync/reload on other nodes
    # some services need restart, not reload
    system("/usr/bin/systemctl reload httpd");
    system("/usr/bin/systemctl reload postfix");
    system("/usr/bin/systemctl restart vsftpd");
} else {
    system("/usr/bin/logger \"sslreload: nothing to reload\"");
}
Save to /usr/bin/sslreload and chmod 700
crontab -e
0 18 * * * /usr/bin/certbot renew --quiet --no-self-upgrade --allow-subset-of-names; /usr/bin/sslreload
Best regards Gerald
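A daily external expiry check to go with the cron job above, as an added example that is not part of Gerald's mail or of certbot: it connects to each host with full verification and reports the days left on the served certificate, or the verification error when the chain is already rejected (what apt reported for repo.dovecot.org). The host list is an assumption.

```python
#!/usr/bin/env python3
"""Daily TLS certificate expiry check (added example, not from the thread)."""
import socket
import ssl
from datetime import datetime, timezone

# Assumed watch list; replace with the hosts you serve.
HOSTS = [("repo.dovecot.org", 443)]
WARN_DAYS = 14  # certbot renews weeks before expiry; alert if that did not happen


def days_until_expiry(not_after: str, now: datetime) -> float:
    """Days left, given a getpeercert() 'notAfter' string like 'Jan  9 12:00:00 2019 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def classify(not_after: str, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """'expired', 'renew-soon' or 'ok' for a certificate's notAfter value."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "renew-soon"
    return "ok"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """One status line for the cron mail or logger; never raises on a TLS failure."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and validity period
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # e.g. "certificate has expired": the same failure apt showed
        return f"{host}:{port} FAIL verification: {exc.verify_message}"
    except OSError as exc:
        return f"{host}:{port} FAIL connect: {exc}"
    now = datetime.now(timezone.utc)
    days = days_until_expiry(not_after, now)
    return f"{host}:{port} {classify(not_after, now)} ({days:.1f} days left)"


if __name__ == "__main__":
    for host, port in HOSTS:
        print(check_host(host, port))
```

Run it from a daily cron entry; any line that is not "ok" is the renewal or reload having failed somewhere.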
On 10.01.2019 at 09:14, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Would be better if it would happen automatically though.
Aki
On 10.1.2019 10.04, Filipe Carvalho wrote:
Yup, that did the trick.
Thanks!
Filipe
On 1/10/19 7:47 AM, Aki Tuomi wrote:
On 10.1.2019 9.42, Filipe Carvalho wrote:
Hello,
Not sure if this is the right place to post this, but the ssl certificate of the repo.dovecot.org server expired on the 9th of January.
It's giving an error via the browser and via the apt command in Debian:
W: Failed to fetch https://repo.dovecot.org/ce-2.3-latest/debian/jessie/dists/jessie/main/binar... server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Cheers!
Filipe Carvalho
-- Filipe Carvalho Infraestruturas Tecnológicas / IT infrastructures
filipec@uporto.pt
Amazing this certbot thing...
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew --post-hook /etc/letsencrypt/post.hooks.d/reload
PrivateTmp=true
one would think this would work and reload nginx after the cert has been renewed...
Aki