iRedMail Server Certificate Renewal Problem
I run an iRedMail server with iRedAdmin-Pro. We use Let's Encrypt certificates.
There is a standard cron job to renew the certificates. Unfortunately this failed and I ended up with an expired Let's Encrypt certificate.
I then ran into a problem where I couldn't renew automatically because the certs had already expired: the HTTPS connection to [webroot]/.well-known/acme-challenge/ failed validation owing to the out-of-date certificate, and forcing the connection over HTTP (port 80) failed because nginx redirects it to HTTPS (port 443). (Note that Let's Encrypt's HTTP-01 validator follows that redirect and deliberately does not check the certificate it meets on the way, precisely so that expired or self-signed certificates can be replaced, so an expired certificate by itself is not normally what stops a webroot renewal; /var/log/letsencrypt/letsencrypt.log records the actual error.)
Fixing an Expired Certificate That Blocks Let's Encrypt Renewal
This left two choices:
- Stop the redirect
- Turn off nginx.
I chose option 2 and got around the certificate issue by running:
sudo systemctl stop nginx
sudo certbot renew --standalone
sudo systemctl start nginx
sudo service postfix restart
sudo service nginx restart
sudo service dovecot restart
Then it was time to deal with the crontab issue.
My default iRedMail crontab entry is shown below.
# CERTBOT daily renewal job
1 3 * * * certbot renew --post-hook 'service postfix restart; service nginx restart; service dovecot restart'
It fails because cron runs jobs with a minimal PATH, so the entry needs the explicit path to certbot (/usr/bin/certbot or /snap/bin/certbot) to work:
# CERTBOT daily renewal job
1 3 * * * /usr/bin/certbot renew --post-hook 'service postfix restart; service nginx restart; service dovecot restart'
If you are not sure where your certbot is installed, use whereis to find out.
root:/root# whereis certbot
certbot: /usr/bin/certbot /snap/bin/certbot
This won't fix the --post-hook not working, but at least I'll have a renewed certificate and can restart the services manually. Alternatively I can find the post-hook problem or run a bash script to restart the services ... but that's for another day.
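The two procedures above (the emergency standalone renewal with nginx stopped, and the cron job that needs explicit paths) combined into one script, as an added example that is not part of the original post, of iRedMail or of certbot. It addresses the PATH problem behind both symptoms: a root crontab on Debian/Ubuntu runs with PATH=/usr/bin:/bin, so a bare certbot installed under /snap/bin is not found, and the service command the post-hook relies on lives in /usr/sbin, which is the most likely reason the hook does nothing under cron even though it works from an interactive shell. The certbot and service paths, the service names, and the script location are assumptions; adjust them for your host.

```sh
#!/bin/sh
# renew-certs.sh: Let's Encrypt renewal wrapper for an iRedMail host.
# Added example; not from the original post, iRedMail or certbot. Assumed
# paths (adjust to your host): /usr/bin/certbot or /snap/bin/certbot,
# /usr/sbin/service, and the service names postfix, nginx and dovecot.
set -eu

# cron runs jobs with a minimal PATH (a root crontab on Debian/Ubuntu gets
# /usr/bin:/bin), so /snap/bin/certbot and /usr/sbin/service are not found
# unless the job sets PATH itself or uses absolute paths. Do both.
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
SERVICE_BIN="${SERVICE_BIN:-/usr/sbin/service}"   # overridable for testing

# Print the certbot to use: an explicit CERTBOT_BIN wins, then the usual
# install locations that `whereis certbot` reports.
find_certbot() {
  for c in "${CERTBOT_BIN:-}" /usr/bin/certbot /snap/bin/certbot; do
    if [ -n "$c" ] && [ -x "$c" ]; then
      printf '%s\n' "$c"
      return 0
    fi
  done
  echo "certbot not found; set CERTBOT_BIN=/path/to/certbot" >&2
  return 1
}

# Hook with absolute paths: a hook started from a bare crontab line inherits
# cron's PATH, where a plain `service` (installed in /usr/sbin) does not resolve.
deploy_hook() {
  printf '%s postfix restart; %s nginx restart; %s dovecot restart' \
    "$SERVICE_BIN" "$SERVICE_BIN" "$SERVICE_BIN"
}

# Routine renewal: nginx keeps running and serves /.well-known/acme-challenge/
# from the webroot recorded at issuance. --deploy-hook runs once per
# certificate actually renewed; --post-hook would run after any attempt, and
# neither runs on days when nothing is due (certbot only renews a certificate
# within 30 days of expiry), which is easy to mistake for a broken hook.
renew_webroot() {
  certbot=$(find_certbot) || return 1
  "$certbot" renew --deploy-hook "$(deploy_hook)"
}

# Emergency renewal when nginx cannot serve the challenge: free port 80 for
# certbot's built-in listener, and bring nginx back whether or not it worked.
renew_standalone() {
  certbot=$(find_certbot) || return 1
  "$SERVICE_BIN" nginx stop
  status=0
  "$certbot" renew --standalone --deploy-hook "$(deploy_hook)" || status=$?
  "$SERVICE_BIN" nginx start
  return "$status"
}

case "${1:-}" in
  webroot)    renew_webroot ;;
  standalone) renew_standalone ;;
  "")         ;;   # no mode given: functions are defined, nothing is run
  *)          echo "usage: $0 webroot|standalone" >&2; exit 2 ;;
esac
```

Install it as /usr/local/sbin/renew-certs.sh and replace the crontab entry with `1 3 * * * /usr/local/sbin/renew-certs.sh webroot >> /var/log/renew-certs.log 2>&1`; the log file then shows whether certbot ran, whether anything was due, and whether the hook fired. `renew-certs.sh standalone` is the by-hand recovery path from the section above, with nginx restarted even if certbot fails.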
Testing The Renewed Certificates
After updating, it is good to test HTTPS, POP3S, SMTPS, IMAPS etc. Here are my process and tools:
- SMTP test: CheckTLS will test your SMTP connection. All you need to do is put in a mail domain (your server name or a domain your mail server hosts): https://www.checktls.com/ No credentials are required for this test.
- Web server test: check that your web server is properly configured with the new certificate: https://www.ssllabs.com/ssltest/ Again, no credentials are required.
- POP3S and IMAPS test: WARNING! The only way to test secure POP and IMAP is to provide login credentials for a mailbox. If you trust the following site, feel free to put in your credentials. However, I do not know these people; putting in your own credentials means they could steal your mail if they turn out to be malicious. I RECOMMEND MAKING A TEMPORARY MAIL USER and testing with those credentials. Once the test is finished, destroy the temporary user. The test is found here: https://www.dotcom-tools.com/email-server-test.aspx Use it at your own risk.
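A local alternative to the third-party checkers above, added here and not part of the original post: it fetches the certificate each iRedMail port presents with openssl s_client (using STARTTLS where the port needs it) and checks the expiry date, so no mailbox credentials ever leave your machine. It assumes the openssl command-line tool is installed; the host mail.example.com and the 14-day warning threshold are placeholders.

```sh
#!/bin/sh
# check-mail-tls.sh: confirm every iRedMail TLS endpoint serves a certificate
# that stays valid for at least MIN_DAYS more days, using only openssl locally.
# Added example, not from the original post; assumes the openssl CLI is
# installed and that mail.example.com (a placeholder) is the host to test.
set -eu

MIN_DAYS="${MIN_DAYS:-14}"

# Fetch the leaf certificate presented at HOST:PORT as PEM. Implicit-TLS ports
# (443, 465, 993, 995) need no protocol; STARTTLS ports (25, 587, 143, 110)
# need the -starttls protocol name so openssl negotiates TLS after the banner.
fetch_cert() {  # fetch_cert HOST PORT [smtp|imap|pop3]
  host=$1 port=$2 proto=${3:-}
  starttls=""
  [ -n "$proto" ] && starttls="-starttls $proto"
  # $starttls is deliberately unquoted so it splits into two arguments;
  # </dev/null ends the session as soon as the handshake is done.
  openssl s_client -connect "$host:$port" -servername "$host" $starttls \
    </dev/null 2>/dev/null | openssl x509 -outform PEM 2>/dev/null
}

# Return 0 if the certificate in FILE is still valid DAYS days from now.
cert_ok_for_days() {  # cert_ok_for_days FILE DAYS
  openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# Subject, issuer and end date of the certificate in FILE.
cert_summary() {  # cert_summary FILE
  openssl x509 -noout -subject -issuer -enddate -in "$1"
}

# Report OK / WARN / FAIL for one endpoint.
check_endpoint() {  # check_endpoint HOST PORT [smtp|imap|pop3]
  label="$1:$2${3:+ (starttls $3)}"
  tmp=$(mktemp)
  if fetch_cert "$1" "$2" "${3:-}" > "$tmp"; then
    if cert_ok_for_days "$tmp" "$MIN_DAYS"; then
      echo "OK    $label"
    else
      echo "WARN  $label: expires within $MIN_DAYS days"
    fi
    cert_summary "$tmp" | sed 's/^/      /'
  else
    echo "FAIL  $label: no certificate (port closed, no TLS, or wrong protocol)"
  fi
  rm -f "$tmp"
}

# Every TLS endpoint an iRedMail box exposes by default.
check_all() {  # check_all HOST
  check_endpoint "$1" 443
  check_endpoint "$1" 25  smtp
  check_endpoint "$1" 587 smtp
  check_endpoint "$1" 465
  check_endpoint "$1" 143 imap
  check_endpoint "$1" 993
  check_endpoint "$1" 110 pop3
  check_endpoint "$1" 995
}

if [ $# -eq 1 ]; then
  check_all "$1"    # e.g. ./check-mail-tls.sh mail.example.com
fi
```

Run it from outside the server (or from the server itself against its public name) right after a renewal; a WARN on one port but OK on the others is the classic sign that a service was not restarted and is still holding the old certificate in memory, which is exactly what a failed post-hook produces.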
Should all your tests pass, feel free to sit back, gloat about a job well done, and know that certbot will either auto-renew (the daily cron job renews a certificate once it is within 30 days of the end of its 90-day lifetime) or let you run a simple command line to renew your certs.