I suspect that it could be done either way. I have been using --deploy-hook since I started using letsencrypt. I'll look at the /etc/letsencrypt/renewal-hooks when I build my new server (soon, I hope).
On Tue, April 16, 2024 7:34 am, Eric Broch wrote:
> I thought William S. had mentioned something about a Let's Encrypt hook
> instead of a cron job. From what I've been reading, one's script simply
> goes in /etc/letsencrypt/renewal-hooks/{pre,post,deploy} or something like
> that, true? Then I suppose one calls certbot renew --deploy-hook or
> something like that. The documentation seemed sparse, anyway...
>
> Pipe in William if you have something.
>
> On Tue, Apr 16, 2024 at 6:33 AM Gary Bowling <g...@gbco.us> wrote:
>
>> I'll help edit it if someone else that is currently going through it wants
>> to start it. Maybe set up a google doc and give some people edit access.
>> Or give read only access and we can drop comments/suggestions back here for
>> someone to edit. It's been a long time since I set it up from scratch, so
>> I'm a bit rusty on that.
>>
>> It shouldn't be too hard to come up with something. I like to do
>> everything "standard" via the RH/Rocky way of doing it. That way dnf
>> updates work and I don't have as much maintenance. So I don't compile or
>> customize anything unless I'm forced to.
>>
>> The only special part on my install is the script to "cat" the certs and
>> create a servercert.pem. Especially with your new updates, if it works with
>> ECDSA certs, then no need for that custom rsa 2048 config part.
>>
>> With that, it should just be installing httpd, certbot, and doing a
>> standard config for the server name. The only complication being if you use
>> different names, e.g. webmail.domain.com and mail.domain.com or
>> something. It's much simpler if you use the same name for both since
>> letsencrypt queries back to the dns name you set up on apache to validate.
>> If you don't use the same name, you either have to set up a dummy
>> virtualhost in apache to do the challenge validation on that name, or you
>> have to use another challenge method like DNS-01 to update your certs.
>> Toaster doc should probably have examples of both.
>>
>> Here's a generic letsencrypt setup for Rocky 8/9 and apache. Needs some
>> tweaks to do the challenge verification back to your roundcube apache
>> virtualhost instead of the default /var/www/html/ query. Or if you have
>> separate names you can use the /var/www/html/ for the dummy virtualhost to
>> get your mail server certs, but you'll still need another one for the
>> roundcube virtualhost.
>>
>> https://www.cyberciti.biz/faq/how-to-secure-apache-with-lets-encrypt-certificates-on-rhel-8/
>>
>> Hope this helps.. Gary
>>
>> On 4/15/2024 1:33 PM, Eric Broch wrote:
>>
>> Anyone feel like doing a write-up and I'll put it on the wiki?
>>
>> On 4/15/2024 11:18 AM, Gary Bowling wrote:
>>
>> Ah, right. Actually it looks like I can just place my script that I
>> currently run in my cron job in the /etc/letsencrypt/renewal-hooks/post/
>> directory and it will run as a "post renew" script.
>>
>> Thanks for that.
>>
>> Gary
>>
>> On 4/15/2024 1:04 PM, William Silverstein wrote:
>>
>> I would not use a cron script. I use the --deploy-hook option on
>> certbot-auto to handle it.
>>
>> On Mon, April 15, 2024 9:59 am, Gary Bowling wrote:
>>
>> Great. One question. Seems like everything on my server uses
>> /var/qmail/control/servercert.pem for the cert. Dovecot and qmail
>> all use that file. And I have a cron job that runs once a month to
>> check for a new letsencrypt cert and if there is one it copies it
>> over to servercert.pem to update my mail server.
>>
>> Is that the correct way to handle that? Or is that something that is
>> left over from my old server that I moved over?
>>
>> Thanks, Gary
>>
>> On 4/15/2024 12:44 PM, Eric Broch wrote:
>>
>> Neither,
>>
>> /var/qmail/control/dh2048.pem
>> /var/qmail/control/rsa2048.pem
>>
>> On 4/15/2024 10:33 AM, Gary Bowling wrote:
>>
>> Thanks, will it still require rsa?
>>
>> On 4/15/2024 10:47 AM, Eric Broch wrote:
>>
>> My next iteration on EL9 will remove keysize; it's deprecated,
>> has been for a while. Should have the new code out within the
>> week.
>>
>> SSL_CTX_set_tmp_rsa_callback · openssl/openssl · Discussion #23769 (github.com)
>>
>> On 4/15/2024 6:25 AM, Gary Bowling wrote:
>>
>> Hey Jeff, glad you're making progress. Be aware that when
>> you get a new cert from Letsencrypt the default now
>> retrieves an ECDSA cert. Which is fine for apache, but
>> doesn't work on qmail, or at least it didn't for me. To fix
>> that you'll need to configure letsencrypt to give you an RSA
>> 2048 cert.
>>
>> There are two ways to do that. If you want all your certs to
>> be RSA 2048, you can add this to the
>> /etc/letsencrypt/cli.ini file.
>>
>> key-type = rsa
>> rsa-key-size = 2048
>>
>> If you just want to do that for the keys you use in qmail,
>> then you can put the above in the
>> /etc/letsencrypt/renewal/domain.conf file. Where "domain" is
>> the name of the cert you're renewing. Certbot creates the
>> file so it should already be there.
>>
>> Gary
>>
>> On 4/14/2024 10:39 PM, Jeff Koch wrote:
>>
>> I may have resolved this. I did the Rocky 9 distro install of apache and
>> copied the mod_http2.so file over to our install of apache. Seems
>> to work (no errors) but I won't know for sure until we set up Let's
>> Encrypt SSL certbot tomorrow.
>>
>> Jeff
>>
>> On 4/14/2024 3:11 PM, Jeff Koch wrote:
>>
>> Hi - we're setting up a new mailserver with Rocky 9 and
>> the learning curve is slow, as is usual the first time
>> with a new distro.
>>
>> Anyway, because our various scripts look for apache at
>> /usr/local/apache/ we've decided to compile our own binary
>> with the latest apache and have run into trouble / errors
>> related to 'nghttp2'.
>>
>> We did download, compile and install the latest
>> nghttp2-1.61.0 from github. The configure and make
>> went well and http1.1 works but apache generates the
>> following error when we activate mod_http2:
>>
>> (Cannot load modules/mod_http2.so into server:
>> /usr/local/apache2/modules/mod_http2.so: undefined symbol:
>> nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation)
>>
>> If anyone on the list has compiled their own httpd
>> 2.4.59 with Rocky 9 would you mind sharing the details?
>>
>> Thanks, Jeff Koch
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

-- 
William G. Silverstein, Esq.
Litigation Counsel Licensed in California.
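The thread circles around two things: a script that "cats" the Let's Encrypt files into /var/qmail/control/servercert.pem, and whether to run it from cron, from renewal-hooks/post, or as a certbot deploy hook. The script below is an added example of the deploy-hook variant; it is not the toaster project's code nor a script anyone posted in the thread. It relies on certbot's documented behaviour of running the scripts in /etc/letsencrypt/renewal-hooks/deploy/ (or the one named with --deploy-hook) only after a certificate was actually issued, with RENEWED_LINEAGE set to the live/<name> directory and RENEWED_DOMAINS to the names on the cert. The lineage name mail.example.com, the optional SERVERCERT_OWNER and RELOAD_CMD variables, and the reload behaviour are assumptions for the example, and the fullchain-then-privkey ordering is a convention, not something the toaster documents.

```shell
#!/bin/sh
# Added example (not qmailtoaster's code, not a script from the thread):
# a certbot deploy hook that rebuilds /var/qmail/control/servercert.pem
# from a renewed lineage, with the sanity checks a cron "cat" job lacks.
#
# certbot runs the scripts in /etc/letsencrypt/renewal-hooks/deploy/ (or
# the one given with --deploy-hook) only after a successful renewal, with
# RENEWED_LINEAGE set to /etc/letsencrypt/live/<name> and RENEWED_DOMAINS
# to the names on the certificate.

# Assumed defaults, overridable from the environment: the lineage that
# feeds the mail server, the combined file, an optional owner for it and
# an optional command to run after a successful update.
MAIL_LINEAGE_NAME="${MAIL_LINEAGE_NAME:-mail.example.com}"
SERVERCERT="${SERVERCERT:-/var/qmail/control/servercert.pem}"
SERVERCERT_OWNER="${SERVERCERT_OWNER:-}"
RELOAD_CMD="${RELOAD_CMD:-}"

# pem_has FILE MARKER: true if FILE contains a "-----BEGIN MARKER-----" line.
pem_has() {
    grep -q "^-----BEGIN $2-----" "$1" 2>/dev/null
}

# key_matches_cert KEY CERT: compare the public key derived from KEY with
# the one in the first certificate of CERT. Returns 1 on mismatch; if
# openssl is missing the check is skipped with a warning.
key_matches_cert() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "warning: openssl not found, key/cert match not verified" >&2
        return 0
    fi
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# build_servercert LINEAGE_DIR OUT: write fullchain.pem followed by
# privkey.pem to OUT, mode 0640, via a temp file and an atomic rename so
# qmail/dovecot never see a half-written file. Returns non-zero and
# leaves OUT untouched on any failure.
build_servercert() {
    lineage=$1
    out=$2
    chain="$lineage/fullchain.pem"
    key="$lineage/privkey.pem"

    pem_has "$chain" CERTIFICATE || { echo "no certificate in $chain" >&2; return 1; }
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null \
        || { echo "no private key in $key" >&2; return 1; }
    key_matches_cert "$key" "$chain" \
        || { echo "private key does not match $chain" >&2; return 1; }

    tmp=$(mktemp "$(dirname "$out")/.servercert.XXXXXX") || return 1
    if cat "$chain" "$key" > "$tmp" && chmod 0640 "$tmp"; then
        if [ -n "$SERVERCERT_OWNER" ] && [ "$(id -u)" -eq 0 ]; then
            chown "$SERVERCERT_OWNER" "$tmp" || { rm -f "$tmp"; return 1; }
        fi
        mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# deploy_hook: entry point when certbot calls the script. Other lineages
# (e.g. a separate webmail cert) are ignored so they can never overwrite
# the mail server's file.
deploy_hook() {
    if [ -z "$RENEWED_LINEAGE" ]; then
        echo "RENEWED_LINEAGE is not set; run this as a certbot deploy hook" >&2
        return 2
    fi
    case "$(basename "$RENEWED_LINEAGE")" in
        "$MAIL_LINEAGE_NAME") ;;
        *) echo "$RENEWED_LINEAGE is not the mail lineage, nothing to do"; return 0 ;;
    esac
    build_servercert "$RENEWED_LINEAGE" "$SERVERCERT" || return 1
    echo "updated $SERVERCERT for: $RENEWED_DOMAINS"
    if [ -n "$RELOAD_CMD" ]; then
        sh -c "$RELOAD_CMD"
    fi
}

# Only act when invoked by certbot; sourcing the file just defines the functions.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_hook
fi
```

Install it executable under /etc/letsencrypt/renewal-hooks/deploy/ (or pass its path with --deploy-hook) and it runs with root's environment on every real renewal. Note the distinction certbot's documentation draws: post hooks run after every renew attempt, including ones that renewed nothing, and do not receive RENEWED_LINEAGE, which is why this script is written as a deploy hook. The key type itself is not something the hook can fix; that is still the key-type / rsa-key-size setting from cli.ini or the lineage's renewal file discussed above (in the renewal file certbot spells them key_type and rsa_key_size under [renewalparams]), and the key/cert comparison here simply refuses to install a file whose halves do not belong together.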