Hello,
if I am going to generate my own certs, is the I-MSCP logic also updating these "foreign" letsencrypt certs or do I have to run the letsencrypt certbot on my own?
LetsEncrypt - own certs
- UncleSam
- Thread is marked as Resolved.
-
So what you are doing step-by-step? As I understood:
- Generate self-signed certs for domain1.tld
- Activate LetsEncrypt for domain1.tld
If yes, self-signed certs (or other else will be replaced with new LetsEncrypt cert.
-
-
The LetsEncrypt plugin only handles the SSL certificates which are stored in i-MSCP database (SSL certificates which belong to customers). The LetsEncrypt plugin provides a cron job which is responsible to trigger renewal of SSL certificates but again, only SSL certificates that are stored in the i-MSCP database are renewed.
BTW: You have such questions.... We are logic in our way to develop plugins. We would not have any reason to touch an SSL cert which is not generated by the plugin...
-
-
Ok thx, than I add a cronjob to renew all daily
(Or maybe there is a switch to renew all in the future?
) -
NO, don't renew all! Just which are untouched by imscp. So you must not renew customer certificates..
-
-
Ok, I did the following (configured - not tested in long time period):
All my services (
postfix, dovecot, ftps,webmin, ...) have the same domain: srv.domain.tldTo get the cert:
- Create the subdomain called srv.domain.tld
- Request Letsencrypt cert using plugin
- This stores the cert into /etc/letsencrypt/live/srv.domain.tld/...
- I do not need it for the page, but the letsencrypt plugin is extending the license for me
- Use the original cert path (/etc/letsencrypt/live/srv.domain.tld/...) in your service config
- Configure a cronjob to restart the services
- The default renew period is 30 days before certs expire - so your service needs to be restarted every 30 days or more often
(If you do not restart inside this period there could be some days where the cached certs are invalid!) - To avoid invalid certs I configured a cronjob which starts on 1st and 15th eatch month to restart the services (some months have 31 days ... argh!)
( @Ninos is there a reason for 30 days or could it be 31 days too? If yes a restart once per month would be enought - thx for your help!)
- The default renew period is 30 days before certs expire - so your service needs to be restarted every 30 days or more often
- Done
Benefits:
- I do not need any custom calls / updates / ...
- Certs are up2date
Not so good:
- There is no need for this domain - so what to do with this unused domain
- You have to restart your services - but there is no way to not do this in order to refresh certs (in most cases)
Edit:
I am using I-MSCP default SSL functions for postfix, dovecot and ftp certs -
(@'Ninos' is there a reason for 30 days or could it be 31 days too? If yes a restart once per month would be enought - thx for your help!)
Jipp, without parameter --force-renew you can only renew certificates max 30 days before expiration
-
-
You can use cerbot hook to automatically restart services when needed. Service are only restarted if SSL certificate has been really renewed
An example that I use for our youtrack service:
Got it? Please have a look at the certbot documentation. Also, don't forget that i-MSCP LetsEncrypt plugin allows you to pass additional arguements to the certbot commands. See the /var/www/imscp/gui/plugins/LetsEncrypt/config.php file
-
