certbot renewal with reload/restart of service
Does anyone know the best way to set up auto reload of certs for services like mail (dovecot/postfix), apache etc.?
I tried adding the renewal hook to the conf file for the cert in /etc/letsencrypt/renewal/hostname.conf:
renew_hook = systemctl reload apache2
Using the dry run test, this line failed:
Dry run: skipping deploy hook command: systemctl reload apache2 (is this normal, since it is a dry run?)
In the case of postfix and dovecot, I used --standalone to generate the cert, and the dry run tries to use port 80 and ends up connecting to apache. I have to stop apache so that the standalone run works. I tried adding a script to 'pre', '/etc/letsencrypt/renewal-hooks/pre/', but this runs for all of the certs.
Is there a way to add this to individual confs in renewal? For postfix, I need to shut down apache2, renew the cert, then restart apache afterwards and then reload the new certs.
2 Replies
renew_hook = systemctl reload apache2
Use a shell script for this:
renew_hook = /the/path/to/my_renewal_hook
and then create the script /the/path/to/my_renewal_hook containing:
#!/usr/bin/env -S bash
# certbot renew hook: reload every service that uses the renewed certificate
systemctl reload apache2
systemctl reload postfix
systemctl reload dovecot
# always report success to certbot (no exit-code checking, see below)
exit 0
Of course, I've left out error checking for the exit code of systemctl for simplicity. You would be well-advised to NOT do that. You can make the shell script as complex as you like (but it needs to run pretty quickly to keep the dreaded beast systemd from thinking the renewal process has stalled).
-- sw
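A version of the hook script with the exit-code checking the reply says it left out, added here as an example (not the poster's script). It relies on certbot exporting RENEWED_DOMAINS to the deploy hook; the hostname patterns and the SYSTEMCTL override variable are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Constructed example of a certbot renew_hook script that checks exit codes.
# certbot runs the hook once per renewed certificate and exports
# RENEWED_LINEAGE (the cert directory) and RENEWED_DOMAINS (space-separated).

# Service manager command; overridable so the logic can be exercised without
# a real systemd (assumption: the host uses systemctl, as in the thread).
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Map renewed domains to the services that serve them. The hostname patterns
# are hypothetical; adjust them to your own layout.
services_for_domains() {
    local domain services=""
    for domain in "$@"; do
        case "$domain" in
            mail.*) services="$services postfix dovecot" ;;
            *)      services="$services apache2" ;;
        esac
    done
    # de-duplicate so a service is reloaded at most once per run
    printf '%s\n' $services | sort -u | xargs
}

# Reload one service, keeping its exit code instead of discarding it.
reload_service() {
    local rc
    "$SYSTEMCTL" reload "$1"; rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "renew hook: failed to reload $1 (exit $rc)" >&2
        return "$rc"
    fi
    echo "renew hook: reloaded $1"
}

# Reload every affected service; keep going after a failure but report it,
# so certbot logs the hook as failed rather than silently leaving an old cert.
main() {
    local svc failed=0
    for svc in $(services_for_domains $RENEWED_DOMAINS); do
        reload_service "$svc" || failed=1
    done
    return "$failed"
}

# Only act when certbot invoked us (it sets RENEWED_DOMAINS); else just define.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    main
    exit $?
fi
```

A non-zero exit from the hook shows up in certbot's log and output, which is what makes a failed reload visible instead of leaving the old certificate in service.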