This is what I ended up going with; hopefully it helps anyone else with a similar setup: a proxy that handles certs with certbot, which are then moved to another server. I have this set up as a cron job running every day. Some error handling could be added around the `nginx -t` line to send an email or notification if the test fails, and it could probably be commented out for regular use. If you're using an nginx setup other than SWAG, you'll have to modify those lines to reload the nginx config.
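#!/bin/bash
# Renew Let's Encrypt certificates with certbot, push the results to the local
# SWAG/nginx proxy and to a remote mailcow host, then reload both services.
# Intended to run from cron: progress goes to stdout, problems to stderr, and
# the exit status is 0 only if every step succeeded.
#--VARS FOR CERTS PUSH---------------------
#CERTS_LOG=/home/user/scripts/logs/certsUpdate.log # if you're not using cron to export the output to a log file you can uncomment this line and add "| tee -a $CERTS_LOG" to lines you want to see the output for. for rsync lines you can use the flag --log-file=$CERTS_LOG
#SOURCE_DOMAINS - List of domains to handle certificates - this file should contain a list of domains each on its own line
SOURCE_DOMAINS='/path/to/file/withDomainsListedLinebyLine'
#CERTS_TO_MOVE - certs needed at destination - fullchain is renamed to cert and privkey is renamed to key
#as this is what's needed for mailcow. if more than these two are needed for some reason, add them to the case statement below
CERTS_TO_MOVE='fullchain.pem privkey.pem'
#destination path
MAIL_SRVR='root@ipToMailcow'
MAIL_DEST='/opt/mailcow-dockerized/data/assets/ssl/mail.'
#this is a script on the remote server that has the containers to restart listed in mailcow documentation for advanced ssl
MAIL_SCRIPT='/home/user/scripts/mailcow_updateCerts.sh'
#local proxy web server
PROXY_DEST='/mnt/containers/swag/etc/letsencrypt/live/'
#where the certs live after certbot request
CERT_SRCPATH='/etc/letsencrypt/live/'
#ssh key to use
SSHKEY='/home/user/.ssh/id_cert'
#------------------------------------------

# Abort on unset variables: a typo in a config name must not turn into an
# empty path component (rsync'ing to "/" or to "root@host:").
set -u

# Overall exit status. A failed step is reported and recorded, but the
# remaining domains and steps still run so one bad entry does not block the rest.
rc=0

# Print a diagnostic to stderr and remember that something failed.
fail() {
  printf 'ERROR: %s\n' "$*" >&2
  rc=1
}

[[ -r "$SOURCE_DOMAINS" ]] || { fail "domain list not readable: $SOURCE_DOMAINS"; exit 1; }
[[ -r "$SSHKEY" ]] || { fail "ssh key not readable: $SSHKEY"; exit 1; }

# A renewal failure is not fatal: the currently issued certs are still valid,
# so keep pushing them and report the problem.
certbot renew || fail "certbot renew failed"

echo "Beginning cert transfer"
# One domain per line: -r keeps backslashes, IFS= keeps surrounding whitespace,
# and the || [[ -n ]] clause still handles a last line without a trailing newline.
while IFS= read -r activeDomain || [[ -n "$activeDomain" ]]; do
  # Skip blank lines and comments.
  [[ -z "$activeDomain" || "$activeDomain" == \#* ]] && continue
  # The domain becomes a path component locally and on the remote host;
  # refuse anything that could escape the cert directories.
  if [[ "$activeDomain" == */* || "$activeDomain" == *[[:space:]]* || "$activeDomain" == .* ]]; then
    fail "skipping invalid domain entry: $activeDomain"
    continue
  fi
  src="${CERT_SRCPATH}${activeDomain}/"
  if [[ ! -d "$src" ]]; then
    fail "no certificate directory for $activeDomain at $src"
    continue
  fi

  echo "push to local nginx ${src} to ${PROXY_DEST}${activeDomain}/"
  # -L copies the files the live/ symlinks point at instead of the links themselves.
  rsync -avzh --no-perms -L -- "$src" "${PROXY_DEST}${activeDomain}/" \
    || fail "rsync to local proxy failed for $activeDomain"

  echo "push to mail server"
  for CERT in $CERTS_TO_MOVE; do
    # mailcow expects fixed names: fullchain -> cert.pem, privkey -> key.pem.
    # Anything else is refused rather than silently written over key.pem.
    case "$CERT" in
      fullchain.pem) destName='cert.pem' ;;
      privkey.pem)   destName='key.pem' ;;
      *)
        fail "no destination name known for $CERT; add it to the case statement"
        continue
        ;;
    esac
    remote="${MAIL_SRVR}:${MAIL_DEST}${activeDomain}/${destName}"
    echo "working on ${src}${CERT} to ${remote}"
    # --no-perms means the destination umask decides the mode; check that
    # key.pem does not end up group/world-readable on the mail host.
    rsync -avzh --no-perms -e "ssh -i ${SSHKEY}" -L -- "${src}${CERT}" "$remote" \
      || fail "rsync to mail server failed for ${activeDomain}/${CERT}"
  done
done < "$SOURCE_DOMAINS"
echo "Cert transfer complete"

echo "reloading nginx config"
# Only reload when the config validates; otherwise nginx keeps serving the
# old config and the failure is reported instead of being ignored.
if docker exec swag nginx -t; then
  docker exec swag nginx -s reload || fail "nginx reload failed"
else
  fail "nginx -t failed; reload skipped"
fi

echo "reloading mailcow"
# MAIL_SCRIPT lives on the remote host: the whole command string, including
# the redirection, is evaluated by the remote shell.
ssh -i "$SSHKEY" "$MAIL_SRVR" "bash -s < ${MAIL_SCRIPT}" || fail "mailcow update script failed"

exit "$rc"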