I’ve a private mailserver with a web interface behind a proxy at home. It’s that proxy that obtains certs from LetsEncrypt every few months.

I’m using the same certs for the mail gateways (smtpd, ical and so on) behind the scenes, and keeping the certs in sync by hand is annoying: my mail client (Evolution) would greet me every few months with a warning about an outdated cert.

No more! Why repeat these steps manually again and again if I can just use the power of systemctl --host and scp?

#!/bin/bash
set -e                                                 # stop on the first failing step
# scp follows the symlinks in live/, so the mailserver receives the actual files
scp -p /etc/letsencrypt/live/mail.example.com/* 192.0.2.152:/etc/letsencrypt/live/mail.example.com/
# restart every service that loaded the old cert, over ssh via systemctl --host
for i in postfix mail-gateway mail-ical; do systemctl --host 192.0.2.152 restart "$i"; done

This can run as a hook script for certbot or simply from cron once a week 🤷
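As an added example (not the script from the post above), here is what the same idea looks like as a certbot deploy hook: it only acts on the mail lineage, copies just the four lineage files, restarts the services, and then checks that the SMTP listener really presents the new certificate. The host, domain and service names are the post's placeholders; the `root@` login and port 25 with STARTTLS are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: certbot deploy hook that
# pushes a renewed lineage to the internal mailserver and verifies it.
set -eu

MAIL_HOST="${MAIL_HOST:-192.0.2.152}"            # documentation IP from the post
MAIL_DOMAIN="${MAIL_DOMAIN:-mail.example.com}"
SERVICES="postfix mail-gateway mail-ical"        # assumed unit names from the post

# Only these four files belong in a lineage directory; refuse to copy a partial set.
lineage_files() {
    dir="$1"
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
        printf '%s\n' "$dir/$f"
    done
}

# certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks;
# succeed only when this renewal is the mail lineage, not some other site's.
is_mail_renewal() {
    lineage="$1"; domains="$2"
    case "$lineage" in */live/"$MAIL_DOMAIN") ;; *) return 1 ;; esac
    for d in $domains; do [ "$d" = "$MAIL_DOMAIN" ] && return 0; done
    return 1
}

# SHA-256 fingerprint of a leaf certificate (file or PEM on stdin).
fingerprint() { openssl x509 -in "${1:-/dev/stdin}" -noout -fingerprint -sha256 | cut -d= -f2; }

deploy() {
    lineage="$1"
    files=$(lineage_files "$lineage")
    # shellcheck disable=SC2086
    scp -p $files "root@$MAIL_HOST:/etc/letsencrypt/live/$MAIL_DOMAIN/"
    ssh "root@$MAIL_HOST" "chmod 600 /etc/letsencrypt/live/$MAIL_DOMAIN/privkey.pem"
    for s in $SERVICES; do systemctl --host "root@$MAIL_HOST" restart "$s"; done
    # Verify the SMTP listener now serves the certificate we just deployed.
    want=$(fingerprint "$lineage/cert.pem")
    got=$(openssl s_client -connect "$MAIL_HOST:25" -starttls smtp \
            -servername "$MAIL_DOMAIN" </dev/null 2>/dev/null | fingerprint)
    [ "$want" = "$got" ] || { echo "fingerprint mismatch on $MAIL_HOST" >&2; return 1; }
}

# Only act when certbot invoked us for the mail lineage; otherwise exit quietly.
if [ -n "${RENEWED_LINEAGE:-}" ] && is_mail_renewal "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}"; then
    deploy "$RENEWED_LINEAGE"
fi
```

Install it with `certbot renew --deploy-hook /path/to/this-script` so it runs only after a successful renewal instead of on every cron tick.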

(Yes yes, we can argue all day why this box can log in to another via ssh as root with just a key to this single virtual machine on my internal network. This is a homelab set-up, and gaining access to the proxy would be a disaster already, since this one terminates HTTPS *and* has the cert keys.)

2 thoughts on “Forwarding letsencrypt certs from the proxy to the internal mailserver”

  1. @beko not sure why you need to do this. Generally one cert is for one or more hosts. So host mail is not the same as 152 I guess from your command. I also use some certificates for more than one hostname, but I rather stick with one server one certificate, because it's also a DNS problem. 192.0 is not a local IP address, if this is what you try to do? For local certificates you won't need letsencrypt either?

  2. It’s the same domain from the outside. Some ports are forwarded, others not and go over the proxy. The proxy does some other certs as well so it’s more convenient this way (the certbot is very comfortable) so I need the certs on both.

    The IP is not legit and from a range reserved for examples and documentation.
