ECC and certbot automated renewal

The problem is that certbot renew cannot renew a certificate that was issued from a user-supplied CSR, and with the version of certbot used here a CSR is the only way to get a certificate for an ECC public key: certbot only generates RSA keys itself, and certificates obtained with --csr are not recorded in its renewal configuration, so certbot renew does not know they exist.

Instead of running certbot renew on its own, we roll our own script: it renews the RSA certificate with certbot renew, then re-requests the ECC certificate from the saved CSR and moves the result into place.

Take care to point the Exim and Dovecot configuration at the certificate files in the appropriate place (the ecc-live / rsa-live directories used below), and to give the Debian-exim group read access to them.

This works:

root@abispa ~/certbot-renewal $ cat renew-certbot.sh 
#!/bin/sh

LOGFILE=/root/certbot-renewal/certbot-renewal.log
ARCHIVE=/etc/letsencrypt/ecc-archive/abispa.waspa.org.za
WORKDIR=/root/certbot-renewal

## certbot --csr writes its output files into the current directory,
## so make sure we know where that is (cron does not start in $HOME).
cd "$WORKDIR" || exit 1

## "Renew" the RSA certificate -- this actually generates a fresh
## 4096-bit RSA key pair and creates a certificate from the public key.
echo "RSA renewal ====================================" > $LOGFILE
certbot --force-renewal --rsa-key-size 4096 renew >> $LOGFILE 2>&1

## Use the Certificate-Signing Request for the existing ECC
## public key, and request a new certificate.
## You can read a CSR with:
## $ openssl req -noout -text -in /path/to/csr.pem
echo "ECC renewal ====================================" >> $LOGFILE
certbot certonly --non-interactive --apache \
	-d abispa.waspa.org.za \
	--email ops@ff.co.za \
	--csr /etc/letsencrypt/csr/ecc-csr.pem \
	--agree-tos >> $LOGFILE 2>&1

## The above creates three files in the working directory:
## 0000_cert.pem (leaf), 0000_chain.pem (intermediate) and
## 0001_chain.pem (leaf + intermediate). Only move them into place if
## the request actually produced them; otherwise the previous ECC
## certificate stays in service.
echo "Installing files ===============================" >> $LOGFILE
if [ -f 0000_cert.pem ] && [ -f 0000_chain.pem ] && [ -f 0001_chain.pem ]; then
	mv -fv 0000_cert.pem  $ARCHIVE/cert.pem >> $LOGFILE 2>&1
	mv -fv 0000_chain.pem $ARCHIVE/chain.pem >> $LOGFILE 2>&1
	mv -fv 0001_chain.pem $ARCHIVE/fullchain.pem >> $LOGFILE 2>&1
else
	echo "ECC renewal failed; existing ECC certificate left in place" >> $LOGFILE
fi

## Let the Debian-exim group read the certificate directories: 750 on
## directories and 640 on files. (A recursive 755 would make the private
## keys world-readable.) Apache and Dovecot read their certificates as
## root and need nothing extra. /bin/sh on Debian is dash, which has no
## {a,b} brace expansion, so the directories are listed in full.
## Remember to update dovecot & exim4 cert locations!
for d in /etc/letsencrypt/ecc-archive /etc/letsencrypt/ecc-live \
         /etc/letsencrypt/rsa-archive /etc/letsencrypt/rsa-live; do
	chgrp -R Debian-exim "$d"
	find "$d" -type d -exec chmod 750 {} +
	find "$d" -type f -exec chmod 640 {} +
done

## Restart mail & web server so they use the new certs.
echo "Apache restart =================================" >> $LOGFILE
service apache2 stop >> $LOGFILE 2>&1
service apache2 start >> $LOGFILE 2>&1
echo "Dovecot restart ================================" >> $LOGFILE
service dovecot stop >> $LOGFILE 2>&1
service dovecot start >> $LOGFILE 2>&1
echo "Exim4 restart ==================================" >> $LOGFILE
service exim4 stop >> $LOGFILE 2>&1
service exim4 start >> $LOGFILE 2>&1
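The renewal script assumes that /etc/letsencrypt/csr/ecc-csr.pem already exists, and it installs whatever certbot hands back without looking at it. The following is an added example, not part of the original page: it creates the ECC key and CSR with openssl, and checks that an issued certificate really belongs to that key, is not about to expire, and covers the hostname, which is the test worth running before the mv lines. The function names, the file names under $WORKDIR and the self-signed fixture are assumptions made for the example; on the real host $WORKDIR would be the CSR directory the script reads from.

```shell
#!/bin/sh
## Added example (not from the original page). Creates the ECC key and CSR
## that the renewal script reads, and checks an issued certificate against
## that key before it is installed. WORKDIR defaults to a temporary
## directory so the functions can be exercised anywhere; pointing it at
## /etc/letsencrypt/csr on the real host is an assumption, not a certbot
## convention.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

## Generate a P-256 private key and a CSR for one hostname.
## Let's Encrypt takes the names from subjectAltName, so the CSR carries
## a SAN as well as the CN. The key file is readable only by owner and
## group (0640) from the moment it is created.
make_ecc_csr() {
    host="$1"
    openssl ecparam -name prime256v1 -genkey -noout \
        -out "$WORKDIR/ecc-privkey.pem" 2>/dev/null || return 1
    chmod 640 "$WORKDIR/ecc-privkey.pem"
    openssl req -new -sha256 -key "$WORKDIR/ecc-privkey.pem" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -out "$WORKDIR/ecc-csr.pem" 2>/dev/null
}

## SHA-256 fingerprint of the public key carried by a key, CSR or cert,
## so the three can be compared without parsing anything by hand.
pubkey_fpr() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout) ;;
        csr)  pem=$(openssl req -in "$2" -pubkey -noout) ;;
        cert) pem=$(openssl x509 -in "$2" -pubkey -noout) ;;
        *)    return 1 ;;
    esac
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

## The pre-install check the renewal script is missing: the certificate
## must belong to our private key, must not expire within a day, and
## must actually cover the hostname we serve. Returns 0 only if all hold.
cert_ok_for_key() {
    cert="$1"
    key="$2"
    host="$3"
    [ "$(pubkey_fpr cert "$cert")" = "$(pubkey_fpr key "$key")" ] || return 1
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null || return 1
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'
}

## Constructed fixture for trying the check offline: self-sign the CSR
## with its own key to stand in for the certificate the CA would issue.
selfsign_for_test() {
    printf 'subjectAltName=DNS:%s\n' "$1" > "$WORKDIR/san.cnf"
    openssl x509 -req -in "$WORKDIR/ecc-csr.pem" \
        -signkey "$WORKDIR/ecc-privkey.pem" -days 2 -sha256 \
        -extfile "$WORKDIR/san.cnf" -out "$WORKDIR/cert.pem" 2>/dev/null
}

## Usage:  sh ecc-csr.sh setup HOST
##         sh ecc-csr.sh check CERT KEY HOST
case "${1:-}" in
    setup) make_ecc_csr "$2" && echo "key and CSR written under $WORKDIR" ;;
    check) cert_ok_for_key "$2" "$3" "$4" && echo "certificate matches key and host" ;;
esac
```

In the renewal script the natural place for this is between the certbot certonly call and the mv lines: run the check against 0000_cert.pem and the ECC private key, and skip the install (leaving the old certificate in service) when it fails. Comparing public-key fingerprints rather than file contents also catches the case where the CSR was regenerated from a new key but the script still points at the old one.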
