Thx for the info, I'll try your second solution in the next few days and give feedback (and hopefully a short howto for all letsencrypt users)
Posts by UncleSam
-
Sry to ask again:
My service certs (postfix, dovecot, proftpd, imscp) expire in 3 months. I-MSCP version 1.3.0 was released about 14 days ago, and for automatic service renewal there has to be the new version 1.4.0. I do not know your release plan, but I think 3 months is a little bit too little time to get the new version. So I wanted to generate a "workaround" until there is a new version of I-MSCP and the letsencrypt plugin.
My idea is:
- Let the plugin generate and renew my certs (see LetsEncrypt - own certs)
- Generate the needed pem files
  - Postfix & Dovecot use one
  - Proftpd
  - I-MSCP
- Overwrite the generated pem files with the current pem files
- Restart the services
But there is one thing I am not able to do:
I have no idea what to do with the letsencrypt certs to get the pem files you need for all the services. Can someone help me to generate them?
-
Ah ok, thx for the info.
-
Ok, I did the following (configured - not tested over a long time period):
All my services (postfix, dovecot, ftps, webmin, ...) have the same domain: srv.domain.tld
To get the cert:
- Create the subdomain called srv.domain.tld
- Request Letsencrypt cert using plugin
- This stores the cert into /etc/letsencrypt/live/srv.domain.tld/...
- I do not need it for the page, but the letsencrypt plugin is extending the license for me
- Use the original cert path (/etc/letsencrypt/live/srv.domain.tld/...) in your service config
- Configure a cronjob to restart the services
- The default renew period is 30 days before certs expire - so your service needs to be restarted every 30 days or more often
(If you do not restart inside this period there could be some days where the cached certs are invalid!)
- To avoid invalid certs I configured a cronjob which starts on the 1st and 15th of each month to restart the services (some months have 31 days ... argh!)
( @Ninos is there a reason for 30 days or could it be 31 days too? If yes, a restart once per month would be enough - thx for your help!)
- Done
Benefits:
- I do not need any custom calls / updates / ...
- Certs are up2date
Not so good:
- There is no need for this domain - so what to do with this unused domain?
- You have to restart your services - but there is no way to not do this in order to refresh certs (in most cases)
Edit:
I am using I-MSCP default SSL functions for postfix, dovecot and ftp certs
-
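An added example for the two posts above (not from this thread or the i-MSCP project): a daily cron script for the "use the /etc/letsencrypt/live path directly" approach that reloads postfix, dovecot and proftpd only when fullchain.pem has actually changed, instead of blind restarts on fixed days that can leave a gap after a renewal. The state-file path and the use of `service <name> reload` are assumptions; Postfix, Dovecot and ProFTPD can all point at fullchain.pem and privkey.pem directly, so no extra pem files are needed.

```shell
#!/bin/sh
# Reload the services that use the Let's Encrypt cert only when the cert on
# disk has changed since the last reload. Example code, not part of i-MSCP
# or the letsencrypt plugin. Run daily from cron with: le-reload.sh --run

CERT=/etc/letsencrypt/live/srv.domain.tld/fullchain.pem   # path from the post
STATE=/var/lib/le-reload/last-cert.sha256                 # assumed state file

# Digest of a file, used to detect a renewed certificate.
cert_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# 0 (true) when the cert differs from the recorded digest or no state exists,
# 1 when unchanged, 2 when the cert file cannot be read.
cert_changed() {
    cert="$1"; state="$2"
    [ -r "$cert" ] || return 2
    new=$(cert_digest "$cert")
    old=$(cat "$state" 2>/dev/null || true)
    [ "$new" != "$old" ]
}

# Remember the digest of the cert the services were last reloaded with.
record_cert() {
    mkdir -p "$(dirname "$2")"
    cert_digest "$1" > "$2"
}

# All three daemons re-read their cert files on reload; fall back to a
# restart where the init script has no reload action.
reload_services() {
    for svc in postfix dovecot proftpd; do
        service "$svc" reload 2>/dev/null || service "$svc" restart
    done
}

main() {
    cert_changed "$CERT" "$STATE"; rc=$?
    case $rc in
        0) reload_services && record_cert "$CERT" "$STATE" ;;
        1) echo "certificate unchanged, nothing to reload" ;;
        *) echo "cannot read $CERT" >&2; exit 1 ;;
    esac
}

# Only act when invoked with --run, so the functions can be sourced or tested.
case "${1:-}" in
    --run) main ;;
esac
```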
Ok thx, then I'll add a cronjob to renew all daily
(Or maybe there will be a switch to renew all in the future?)
-
Ah ok, I thought resolvconf was needed to use /etc/resolv.conf. But after uninstalling resolvconf the file is empty. Maybe you can add a default DNS server like Google's 8.8.8.8 if it is empty (so that it is possible to go on).
-
I am using certbot-auto with "certonly" option. This is generating new letsencrypt certs inside the /etc/letsencrypt/... folder. Inside this folder there are already all certs the I-MSCP plugin generated.
Normally I could call the certbot-auto tool with the parameter "renew" - this is going to check each cert and renew it if necessary.
My question is: Do I have to run it with "renew" command or is this already done by the plugin? (Or only done by the plugin for own certs?!?)
(Currently I generated a letsencrypt cert for my webmin panel and for the imscp services.)
-
Is this really the best solution? Because if you uninstall resolvconf there is no longer DNS support, is there?
-
Hello,
After doing a complete fresh install I added the roundcube plugin. Before activating it I opened the config.php file and set sieve to "yes". This was not working. So I reconfigured it to "no", and again to "yes" -> this worked.
Maybe there is a bug on new installations if someone enables sieve?!?
-
Hello,
If I am going to generate my own certs, is the I-MSCP logic also updating these "foreign" letsencrypt certs, or do I have to run the letsencrypt certbot on my own?