LetsEncrypt ACME certificate renewal

Sempiterna

Feb 2, 2014
I've been testing PMG (7) for a bit, used the ACME certificate options in the administration GUI to generate a few certificates for SMTP domains. I also use DANE, which means I have to add a hash of this certificate to the DNS records.

Is PMG auto-renewing the letsencrypt certificates? If so, is there a way to disable that function? Because of DANE, I need to update the DNS with the new certificate hash, and this cannot be done automatically (I use bind, not a 3rd party/cloud/domain provider). If I can renew manually, I can add the new hash along with the old one to prevent interruptions in receiving e-mail.
 
Is PMG auto-renewing the letsencrypt certificates?
yes - this is done by pmg-daily.service (which gets triggered daily by pmg-daily.timer)
The certificate is renewed if it expires in less than 30 days.

The options you have are:
* manually renew the certificate every 29 days (or less)
* disable pmg-daily.timer (the other things it does are: running maintenance on the statistics database (which should be done), checking for updates to the software and updating the spamassassin definitions)
* configure Let's Encrypt ACME by different means (certbot, manually setting up acme.sh), which do not automatically renew the certificates


I hope this helps!
 
Is it also an option to iptables drop all inbound traffic on tcp port 80 (to block the letsencrypt verification)? Or is this port (inbound) also used for something else? I can then add a certificate expiration check in my monitoring system and renew it a few days before expiration by temporarily unblocking port 80, do a manual renewal through the GUI, and block the port off again.

Having a configurable choice for autorenewal would be great though for a future release.
 
Is it also an option to iptables drop all inbound traffic on tcp port 80 (to block the letsencrypt verification)?
Should work as well (as long as you're using the Standalone http-01 challenge) - this will result in your pmg-daily tasks being marked as failed though (which is probably more a cosmetic problem)

Having a configurable choice for autorenewal would be great though for a future release.
IMHO - one of the main points of ACME and Let's Encrypt is that admins are pushed to automate the certificate renewal (resulting in fewer expired certificates) - so I would not consider that a high priority.
But, since that's just my personal impression - feel free to open an enhancement request at https://bugzilla.proxmox.com - if enough users need this functionality we might implement it (or of course accept patches for that)

Thanks!
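Added example, not from this thread or from PMG itself: a small POSIX shell script for the manual workflow discussed above, producing the DANE TLSA (3 1 1) record data for a renewed certificate and an expiry check suitable for a monitoring system. It assumes openssl is installed; the hostname mx.example.com and the self-signed sample certificate are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or PMG). Assumes openssl is available.
set -eu

# Hex SHA-256 of the certificate's SubjectPublicKeyInfo in DER form: the data
# field of a "3 1 1" TLSA record (usage 3 = DANE-EE, selector 1 = SPKI,
# matching type 1 = SHA-256).
tlsa_311_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Full TLSA resource record for an SMTP host (port 25), ready for a bind zone.
tlsa_record() {
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(tlsa_311_hash "$2")"
}

# Returns 0 if the certificate expires within DAYS days, 1 otherwise.
# pmg-daily renews at < 30 days, so a monitoring window larger than that
# (e.g. 35) alerts before the automatic renewal would happen.
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed sample: a throwaway self-signed certificate valid for 90 days.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=mx.example.com" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

cert=$(make_sample_cert)
tlsa_record mx.example.com "$cert"
if expires_within_days "$cert" 35; then
    echo "renew soon: publish the new TLSA record next to the old one first"
else
    echo "no renewal needed yet"
fi
```

Publish the new record alongside the old one, renew, and remove the old record only after the new certificate is served; with "3 1 1" a renewal that keeps the same key pair does not change the hash at all.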
 
