I have a private mailserver with a web interface behind a proxy at home. It’s that proxy that obtains certs from LetsEncrypt every few months.

I’m using the same certs for the mail gateways behind the scenes (smtpd, ical and so on), and keeping the certs in sync by hand is a chore, so every few months my mail client (Evolution) would greet me with an expired-cert warning.

No more! Why repeat these steps manually again and again when I can just use the power of systemctl --host and scp?

#!/bin/bash
set -euo pipefail  # abort on a failed copy so we never restart daemons against stale or missing certs
# copy the freshly renewed cert material to the mail VM (scp reads through the symlinks in live/)
scp /etc/letsencrypt/live/mail.example.com/* 192.0.2.152:/etc/letsencrypt/live/mail.example.com/
# restart every service that has the old cert loaded so it picks up the new one
for i in postfix mail-gateway mail-ical; do systemctl --host 192.0.2.152 restart "${i}"; done

This can run as a certbot renewal hook or simply from cron once a week 🤷
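As an added example (not the post’s own script), here is a hypothetical certbot deploy hook in Python that does the same copy and restart but then checks that the listeners on the mail VM really serve the cert that was just pushed, so a failed reload is noticed by the hook rather than by the mail client months later. Assumptions: certbot exports RENEWED_LINEAGE to the hook, the VM keeps the same path, and smtps/imaps run as implicit TLS on 465 and 993.

```python
#!/usr/bin/env python3
"""Hypothetical certbot deploy hook (added example, not from the post):
push the renewed lineage to the mail VM, restart the listeners, then
check that each listener really serves the cert we just copied."""
import base64
import glob
import hashlib
import os
import ssl
import subprocess
import sys

MAIL_HOST = "192.0.2.152"                     # the mail VM from the post
SERVICES = ["postfix", "mail-gateway", "mail-ical"]
TLS_PORTS = [465, 993]                        # assumption: implicit-TLS smtps/imaps

def pem_fingerprint(pem: str) -> str:
    """SHA-256 hex fingerprint of the first certificate in a PEM blob."""
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    der = base64.b64decode("".join(body.split()))  # drop the line wrapping
    return hashlib.sha256(der).hexdigest()

def stale_ports(expected: str, served: dict) -> list:
    """Ports whose served fingerprint differs from the one we deployed."""
    return sorted(p for p, fp in served.items() if fp != expected)

def served_fingerprint(host: str, port: int) -> str:
    """Fingerprint of the leaf cert a listener presents. No chain
    validation here: we only want to know which cert the daemon loaded."""
    return pem_fingerprint(ssl.get_server_certificate((host, port)))

def deploy(lineage: str) -> list:
    """Copy, restart, verify; returns the ports still serving the old cert."""
    expected = pem_fingerprint(open(os.path.join(lineage, "fullchain.pem")).read())
    dest = f"{MAIL_HOST}:{lineage}/"  # same path on the VM, as in the post
    # scp reads through the symlinks in live/, so the VM receives real files
    subprocess.run(["scp", "-p", *glob.glob(os.path.join(lineage, "*")), dest], check=True)
    for svc in SERVICES:  # a failed restart aborts the hook: better loud than silent
        subprocess.run(["systemctl", "--host", MAIL_HOST, "restart", svc], check=True)
    served = {p: served_fingerprint(MAIL_HOST, p) for p in TLS_PORTS}
    return stale_ports(expected, served)

if __name__ == "__main__":
    # certbot sets RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/mail.example.com
    bad = deploy(os.environ["RENEWED_LINEAGE"])
    sys.exit(f"stale cert still served on ports {bad}" if bad else 0)
```

A non-zero exit from a deploy hook shows up in certbot’s renewal log, which is where you would want the first sign that a daemon kept the old cert.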

(Yes yes, we can argue all day why this box can log in to another via ssh as root with just a key to this single virtual machine on my internal network. This is a homelab set-up, and gaining access to the proxy would be a disaster already, since this one terminates HTTPS *and* has the cert keys.)