Differences

This shows you the differences between two versions of the page.

--- internet:mail:mailcleaner_ssl [2021/06/17 14:39]
gcooper
+++ internet:mail:mailcleaner_ssl [2022/10/03 10:54] (current)
gcooper
@@ Line 1: / Line 1: @@
 ====== MailCleaner LetsEncrypt Free SSL ======
+FIXME Unfinished automated renewals
 https://letsencrypt.org/
@@ Line 16: / Line 18: @@
 ===== Single Server =====
-Follow this howto:
+**Follow this howto**: https://opensource.com/article/20/6/secure-open-source-antispam
-https://opensource.com/article/20/6/secure-open-source-antispam
 ===== MailCleaner Cluster =====
@@ Line 40: / Line 40: @@
 chmod +x /usr/local/bin/set-certificate.pl
 </file>
+FIXME The ''deploylecert.sh'' script is **not used** here as only **manual renewal** is shown.
 The ''deploylecert.sh'' script **must be edited** and is called from ''cron'' during certificate renewals.  It just calls the generic ''set-certificate.pl'' script with your details.
@@ Line 77: / Line 79: @@
 </file>
-<note important>You will have to add a DNS TXT record for each domain specified, two in this case.  Wait for enough time for your DNS TXT records to propagate to all your DNS servers.  I'd wait a full minute or more before continuing.</note>
+<note important>You will have to add a DNS TXT record for each domain specified, two in this case.  Wait for enough time for your DNS TXT records to propagate to all your DNS servers.  I'd wait a full minute or more before continuing. YMMV</note>
 === List the Certificate ===
@@ Line 96: / Line 98: @@
 </file>
-==== Renew the Certificate ====
+==== Renew the Certificate Manually ====
 <note warning>We don't use the ''certbot'' renew function because it doesn't work with DNS-01 (manual).</note>
@@ Line 103: / Line 105: @@
 <note warning>Use **exactly the same domain names** as when the original cert was created or another cert will be created instead of renewing the existing one.</note>
+<note important>You will have to **add** (not replace) a DNS TXT record for each domain and SAN specified, two in this case.  Wait for enough time for your DNS TXT records to propagate to all your DNS servers.  I'd wait a full minute or more before continuing.</note>
 ^ --keep          |will not renew the cert until it has 30 days or less to expire (i.e. after 60 days) |
@@ Line 108: / Line 112: @@
 Check and renew cert if it has less than 30 days until expiry:
-FIXME
 <file>
@@ Line 121: / Line 123: @@
 </file>
-Once the cert is installed and tested on the master MailCleaner server, sync the SSL cert to the MailCleaner slaves.  Do this at the slave.  This command runs nightly anyway, so if your current cert has not expired, you can omit this step for now.
+===== Sync SSL Cert to MailCleaner Slaves =====
+Once the cert is installed and tested on the master MailCleaner server, sync the SSL cert to the MailCleaner slaves.  **Do this at the slave**.  This command runs nightly anyway, so if your current cert has not expired, you can omit this step for now.
 <file>
 /root/Updater4MC/updater4mc.sh
-</file>
-=== Cron ===
-Schedule a nightly renewal check every Sunday at 2:00am:
-<file>
-crontab -e
-</file>
-Append this line:
-<file>
-2 * * 7 /usr/local/bin/certbot-auto certonly --manual --keep --manual-public-ip-logging-ok --preferred-challenges=dns -d 'yourtopleveldomain.tld,*.yourtopleveldomain.tld' --deploy-hook /usr/local/bin/deploylecert.sh
 </file>
@@ Line 153: / Line 143: @@
 <file>
 openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null
+</file>
+Show dates:
+<file>
+openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null | openssl x509 -noout -dates
 </file>

Virtual Architects Support Wiki

User Tools

Site Tools

Differences

Page Tools