Custom Certificate Management

If someone needs to deploy custom certificates for mail,
this is my first draft of a solution:

#!/bin/bash
# Both variables must be set by the caller before running the script.
: "${cert_pfad:?local directory holding fullchain.pem and privkey.pem}"
: "${nethserver_ip:?NethServer host that runs the mail1 module}"
vol=/home/mail1/.local/share/containers/storage/volumes   # podman volumes of the mail1 module
unit=/home/mail1/.config/systemd/user                     # its user systemd units

# dovecot: chain and key go into the dovecot-cert volume
scp "$cert_pfad/fullchain.pem" "$nethserver_ip:$vol/dovecot-cert/_data/server.pem"
scp "$cert_pfad/privkey.pem"   "$nethserver_ip:$vol/dovecot-cert/_data/server.key"

# postfix: additionally needs key + full chain in one file; umask 077 keeps the
# private key written to /tmp readable by this user only
umask 077
cp "$cert_pfad/privkey.pem" /tmp/fullchain.pem
cat "$cert_pfad/fullchain.pem" >> /tmp/fullchain.pem
scp "$cert_pfad/fullchain.pem" "$nethserver_ip:$vol/postfix-cert/_data/server.pem"
scp "$cert_pfad/privkey.pem"   "$nethserver_ip:$vol/postfix-cert/_data/server.key"
scp /tmp/fullchain.pem         "$nethserver_ip:$vol/postfix-cert/_data/fullchain.pem"
rm -f /tmp/fullchain.pem

# comment out the install-certificate step of the dovecot unit, which would
# otherwise overwrite the copied files on every start (empty = not yet commented)
uncommented=$( ssh "$nethserver_ip" "grep '^#ExecStartPre=-runagent install-certificate dovecot' $unit/dovecot.service" )
if [ -z "$uncommented" ]; then
    ssh "$nethserver_ip" "sed -i '/^ExecStartPre=-runagent install-certificate dovecot\$/s/^/#/' $unit/dovecot.service"
    ssh "$nethserver_ip" 'runagent -m mail1 systemctl --user daemon-reload'
    echo "disabled install-certificate dovecot"
fi

# same for the postfix unit
uncommented=$( ssh "$nethserver_ip" "grep '^#ExecStartPre=-runagent install-certificate postfix' $unit/postfix.service" )
if [ -z "$uncommented" ]; then
    ssh "$nethserver_ip" "sed -i '/^ExecStartPre=-runagent install-certificate postfix\$/s/^/#/' $unit/postfix.service"
    ssh "$nethserver_ip" 'runagent -m mail1 systemctl --user daemon-reload'
    echo "disabled install-certificate postfix"
fi

# restart both services so they load the new certificate
ssh "$nethserver_ip" 'runagent -m mail1 systemctl restart --user dovecot.service'
ssh "$nethserver_ip" 'runagent -m mail1 systemctl restart --user postfix.service'
  • $cert_pfad is the path where my certificates are stored
  • in /tmp/fullchain.pem a file for postfix, with the key and the full certificate chain, is created
  • in both “uncommented” if statements I disable install-certificate for dovecot and postfix, which would overwrite the manually copied files
  • This script runs on my Nginx Proxy Manager machine and delivers the current certificate to the NethServer machine
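A check worth running after the copy: that the key-then-chain file built for postfix really starts with the key and carries the same key and chain as server.key and server.pem, and that the live IMAPS and submission services present the copied leaf rather than the old one. This is an added example, not code from the post; the host name, the ports 993/587 and the PEM stand-ins (constructed, not real keys or certificates) are assumptions.

```python
import base64
import hashlib
import re
import smtplib
import socket
import ssl
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, base64 body without whitespace) for every PEM block in text, in file order."""
    return [(m.group(1), re.sub(r"\s+", "", m.group(2))) for m in PEM_BLOCK.finditer(text)]

def _bodies(text, suffix):  # bodies of the blocks whose label ends with suffix
    return [body for label, body in pem_blocks(text) if label.endswith(suffix)]

def check_postfix_bundle(bundle, server_pem, server_key):
    """Check the key-then-chain file against server.pem/server.key; an empty list means consistent."""
    blocks = pem_blocks(bundle)
    problems = []
    if not blocks or not blocks[0][0].endswith("PRIVATE KEY"):
        problems.append("bundle does not start with the private key")
    if _bodies(bundle, "PRIVATE KEY") != _bodies(server_key, "PRIVATE KEY"):
        problems.append("key in bundle differs from server.key")
    if _bodies(bundle, "CERTIFICATE") != _bodies(server_pem, "CERTIFICATE"):
        problems.append("certificate chain in bundle differs from server.pem")
    return problems

def leaf_sha256(pem_text):
    """SHA-256 fingerprint of the first certificate in a PEM file (the leaf of a fullchain)."""
    return hashlib.sha256(base64.b64decode(_bodies(pem_text, "CERTIFICATE")[0])).hexdigest()

def served_leaf_sha256(host, port, starttls=False):
    """Fingerprint of the leaf the live service presents: implicit TLS (IMAPS 993) or SMTP STARTTLS (587)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # trust is decided by comparing with leaf_sha256(), not by the CA store
    if starttls:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            der = smtp.sock.getpeercert(binary_form=True)
    else:
        with socket.create_connection((host, port), timeout=10) as raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()

# Constructed stand-ins for privkey.pem and fullchain.pem (leaf + intermediate); bodies are base64 of short strings.
KEY = "-----BEGIN PRIVATE KEY-----\naw==\n-----END PRIVATE KEY-----\n"
LEAF = "-----BEGIN CERTIFICATE-----\nbGVhZg==\n-----END CERTIFICATE-----\n"
INTER = "-----BEGIN CERTIFICATE-----\naW50ZXI=\n-----END CERTIFICATE-----\n"
SERVER_PEM, SERVER_KEY, BUNDLE = LEAF + INTER, KEY, KEY + LEAF + INTER  # the three files the script produces
```

After a real deployment, compare `leaf_sha256(open(".../fullchain.pem").read())` with `served_leaf_sha256("mail.example.org", 993)` and with `served_leaf_sha256("mail.example.org", 587, starttls=True)`; a mismatch means a service is still serving the old certificate.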