Mail Server - Funky Penguin's Geek Cookbook


#21

I thought the LetsEncrypt certificates would automatically renew. They didn’t and mail is not happy. Did I miss something?or did I mis-configure.

Greg

#22

Eeeew. I thought so too, but I’m in the same boat. I’ll check it out…


#23

OK, so preliminary research says we have to renew our certs by doing something like this:

cd /var/data/mailserver
docker run -ti --rm -v "$(pwd)"/letsencrypt:/etc/letsencrypt certbot/certbot renew

Sadly, this doesn’t work for my certs, which were registered --dns --manual - as it turns out, I have to regenerate them every 90 days :frowning:

Let me know how it goes?
D


#24

No luck here:

Processing /etc/letsencrypt/renewal/mail.gerg.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (mail.gerg.org) from /etc/letsencrypt/renewal/mail.gerg.org.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mail.gerg.org/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mail.gerg.org/fullchain.pem (failure)
-------------------------------------------------------------------------------

#25

I followed your recipe using the domain challenge, so I guess I also have to do the manual updates. Since I don’t have to worry about it again for 3 months, I’ll figure something out closer to that time. :slight_smile:


#26

Yeah, likewise, I just manually regenerated my certs. Some ideas here - we could add a “cron-type” container ala-NextCloud, which attempts the cert renewal daily (it should do nothing provided the cert is not due for expiry). I noticed that the DNS TXT entry for the verification didn’t change, so it may be possible to fully-automate the “manual” regeneration :slight_smile: