I suspect that it could be done either way.  I have been using
--deploy-hook since I started using letsencrypt. I'll look at the
/etc/letsencrypt/renewal-hooks when I build my new server (soon, I hope).

On Tue, April 16, 2024 7:34 am, Eric Broch wrote:
> I thought William S. had mentioned something about a Let's Encrypt hook
> instead of a cron job. From what I've been reading, one's script simply
> goes in /etc/letsencrypt/renewal-hooks/{pre,post,deploy} or something like
> that, true? Then I suppose one calls certbot renew --deploy-hook or
> something like that. The documentation seemed sparse, anyway...
>
> Pipe in William if you have something.
>
> On Tue, Apr 16, 2024 at 6:33 AM Gary Bowling <g...@gbco.us> wrote:
>
>> I'll help edit it if someone else that is currently going through it
>> wants to start it. Maybe set up a google doc and give some people edit
>> access. Or give read only access and we can drop comments/suggestions
>> back here for someone to edit. It's been a long time since I set it up
>> from scratch, so I'm a bit rusty on that.
>>
>> It shouldn't be too hard to come up with something. I like to do
>> everything "standard" via the RH/Rocky way of doing it. That way dnf
>> updates work and I don't have as much maintenance. So I don't compile,
>> customize anything unless I'm forced to.
>>
>> The only special part on my install is the script to "cat" the certs and
>> create a servercert.pem. Especially with your new updates, if it works
>> with ECDSA certs, then no need for that custom rsa 2048 config part.
>>
>> With that, it should just be installing httpd, certbot, and doing a
>> standard config for the server name. The only complication being if you
>> use different names.. e.g. webmail.domain.com and mail.domain.com or
>> something. It's much simpler if you use the same name for both since
>> letsencrypt queries back to the dns name you set up on apache to
>> validate. If you don't use the same name, you either have to set up a
>> dummy virtualhost in apache to do the challenge validation on that name,
>> or you have to use another challenge method like DNS-01 to update your
>> certs. Toaster doc should probably have examples of both.
>>
>> Here's a generic letsencrypt setup for Rocky 8/9 and apache. Needs some
>> tweaks to do the challenge verification back to your roundcube apache
>> virtualhost instead of the default /var/www/html/ query. Or if you have
>> separate names you can use the /var/www/html/ for the dummy virtualhost
>> to get your mail server certs, but you'll still need another one for the
>> roundcube virtualhost.
>>
>> https://www.cyberciti.biz/faq/how-to-secure-apache-with-lets-encrypt-certificates-on-rhel-8/
>>
>> Hope this helps.. Gary
>>
>> On 4/15/2024 1:33 PM, Eric Broch wrote:
>>
>> Anyone feel like doing a write-up and I'll put it on the wiki?
>>
>> On 4/15/2024 11:18 AM, Gary Bowling wrote:
>>
>> Ah, right. Actually it looks like I can just place my script that I
>> currently run in my cron job in the /etc/letsencrypt/renewal-hooks/post/
>> directory and it will run as a "post renew" script.
>>
>> Thanks for that.
>>
>> Gary
>>
>> On 4/15/2024 1:04 PM, William Silverstein wrote:
>>
>> I would not use a cron script. I use --deploy-hook option on the
>> certbot-auto to handle it.
>>
>> On Mon, April 15, 2024 9:59 am, Gary Bowling wrote:
>>
>> Great. One question. Seems like everything on my server uses
>> /var/qmail/control/servercert.pem for the cert. Dovecot and qmail
>> all use that file. And I have a cron job that runs once a month to
>> check for a new letsencrypt cert and if there is one it copies it
>> over to servercert.pem to update my mail server.
>>
>> Is that the correct way to handle that? Or is that something that
>> is left over from my old server that I moved over?
>>
>> Thanks, Gary
>>
>> On 4/15/2024 12:44 PM, Eric Broch wrote:
>>
>> Neither,
>>
>> /var/qmail/control/dh2048.pem
>> /var/qmail/control/rsa2048.pem
>>
>> On 4/15/2024 10:33 AM, Gary Bowling wrote:
>>
>> Thanks, will still require rsa?
>>
>> On 4/15/2024 10:47 AM, Eric Broch wrote:
>>
>> My next iteration on EL9 will remove keysize, it's deprecated,
>> has been for a while. Should have the new code out within the
>> week.
>>
>> SSL_CTX_set_tmp_rsa_callback · openssl/openssl · Discussion #23769 (github.com)
>>
>> On 4/15/2024 6:25 AM, Gary Bowling wrote:
>>
>> Hey Jeff, glad you're making progress. Be aware that when
>> you get a new cert from Letsencrypt that the default now
>> retrieves an ECDSA cert. Which is fine for apache, but
>> doesn't work on qmail, or at least it didn't for me. To
>> fix that you'll need to configure letsencrypt to give you
>> an RSA 2048 cert.
>>
>> There are two ways to do that. If you want all your certs
>> to be RSA 2048, you can add this to the
>> /etc/letsencrypt/cli.ini file.
>>
>> key-type = rsa
>> rsa-key-size = 2048
>>
>> If you just want to do that for your keys you use in
>> qmail, then you can put the above in the
>> /etc/letsencrypt/renewal/domain.conf file. Where "domain"
>> is the name of the cert you're renewing. Certbot creates
>> the file so it should already be there.
>>
>> Gary
>>
>> On 4/14/2024 10:39 PM, Jeff Koch wrote:
>>
>> I may have resolved this. I did the Rocky 9 distro install of apache
>> and copied the mod_http2.so file over to our install of apache. Seems
>> to work (no errors) but I won't know for sure until we setup Lets
>> Encrypt SSL certbot tomorrow
>>
>> Jeff
>>
>> On 4/14/2024 3:11 PM, Jeff Koch wrote:
>>
>> Hi - we're setting up a new mailserver with Rocky 9 and the learning
>> curve is slow as is usual with the first time with a new distro.
>>
>> Anyway because our various scripts look for apache at
>> /usr/local/apache/ we've decided to compile our own binary with the
>> latest apache and have run into trouble / errors related to 'nghttp2'.
>>
>> We did download, compile and install the latest nghttp2-1.61.0 from
>> github. The configure and make went well and http1.1 works but apache
>> generates the following error when we activate mod_http2
>>
>> (Cannot load modules/mod_http2.so into server:
>> /usr/local/apache2/modules/mod_http2.so: undefined symbol:
>> nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation)
>>
>> If anyone on the list has compiled their own httpd 2.4.59 with Rocky 9
>> would you mind sharing the details ?
>>
>> Thanks, Jeff Koch
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>> To         unsubscribe, e-mail:
>> qmailtoaster-list-unsubscr...@qmailtoaster.com          For
>> additional commands, e-mail:
>> qmailtoaster-list-h...@qmailtoaster.com
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> qmailtoaster-list-unsubscr...@qmailtoaster.com  For
>> additional commands, e-mail:
>> qmailtoaster-list-h...@qmailtoaster.com
>>
>> --------------------------------------------------------------------- To
>> unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For
>> additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>>
>> --------------------------------------------------------------------- To
>> unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For
>> additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>


-- 
William G. Silverstein, Esq.
Litigation Counsel
Licensed in California.
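As an added example (not code from this thread or from the QmailToaster project), here is what the "cat the certs into servercert.pem" step looks like when it is moved from a monthly cron job into a certbot deploy hook, as the thread suggests. It only rebuilds servercert.pem when the renewed certificate actually covers the mail host name (the webmail-vs-mail naming case Gary raised), writes the file atomically with restricted permissions, and restarts the mail services afterwards. The hook path, MAIL_NAME, the service unit names and the chain-then-key order are assumptions.

```shell
#!/bin/sh
# Constructed certbot deploy hook for the servercert.pem step discussed above.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/qmail-servercert.sh
# (chmod 0755). certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name>
# directory) and RENEWED_DOMAINS (space-separated) when it runs a deploy hook.
set -eu

# Placeholders for this example, not values taken from the thread.
MAIL_NAME=${MAIL_NAME:-mail.example.com}
SERVERCERT=${SERVERCERT:-/var/qmail/control/servercert.pem}

# True when the space-separated domain list $1 contains the exact name $2.
# Stops a webmail-only renewal from overwriting the mail server's cert when
# the two names live in different certbot lineages.
cert_covers_mail() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Build $2 from $1/fullchain.pem and $1/privkey.pem: write a temp file beside
# the destination, restrict its mode before the key lands in it, then rename it
# into place so qmail/dovecot never see a partial or world-readable file.
install_servercert() {
    lineage=$1
    dest=$2
    if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
        echo "missing fullchain.pem or privkey.pem in $lineage" >&2
        return 1
    fi
    tmp=$(mktemp "$dest.XXXXXX")
    chmod 0640 "$tmp"
    # Chain first, then key; the order is an assumption (either order is read).
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    mv -f "$tmp" "$dest"
}

# Only act when certbot is actually invoking the hook (RENEWED_LINEAGE is set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if cert_covers_mail "${RENEWED_DOMAINS:-}" "$MAIL_NAME"; then
        install_servercert "$RENEWED_LINEAGE" "$SERVERCERT"
        # Unit names are assumptions; match them to the toaster's services.
        systemctl restart qmail dovecot
    else
        echo "renewed '${RENEWED_DOMAINS:-}' does not include $MAIL_NAME; skipping" >&2
    fi
fi
```

Because certbot only runs deploy hooks after a successful renewal, the hook replaces both the monthly cron check and the "is there a new cert yet" comparison.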