Let’s Encrypt SSL Certificates with Exim, Dovecot & NGINX

I ran into two issues when setting up Let’s Encrypt SSL certificates on two of my servers: permission issues for Exim, and the certbot cron job supplied by the package doesn’t handle renewal very well for nginx, Exim or Dovecot.

Resolving Exim’s Permission Problems

1. Create a new group. I named it sslcerts. Add the exim user to that group. If you’re not using Debian, adjust the user in the command below.

sudo groupadd sslcerts
sudo usermod -aG sslcerts Debian-exim

2. Change permissions and ownership of some of the files so the exim user can access them.

sudo chmod g+rx /etc/letsencrypt/archive/
sudo chown -R root:sslcerts /etc/letsencrypt/archive/
sudo chown -R root:sslcerts /etc/letsencrypt/live/

Modifying certbot’s cron

The cron job in /etc/cron.d/certbot doesn’t deal with stopping and starting nginx, which is crucial to any renewal attempt, nor does it take into account that you might be using the certificate for Exim and/or Dovecot. Modifying it is necessary. Change it to:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && /bin/systemctl stop nginx.service && certbot -q renew && /bin/systemctl start nginx.service && /bin/systemctl reload exim4.service && /usr/bin/doveadm reload

I’m not really happy with the cron job as it is, so I’ll write a script when I have a few moments to check for error conditions, etc.
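As an added example (not the author’s script), here is a renewal wrapper that does what the cron line above chains together, but starts nginx again even when certbot fails, reloads Exim and Dovecot only after a successful renewal, and then confirms that the exim user can still read the key, since every renewal writes new files into archive/ that must carry the group permissions from the first section. One caveat: the `\! -d /run/systemd/system` test in Debian’s stock entry deliberately skips the cron job on hosts booted with systemd, where certbot.timer runs the renewal instead, so on such a host the timer’s service (or a cron entry with that test removed) is where this script has to be called from. The command names, the Debian-exim user and the /etc/letsencrypt/live/example.com path are assumptions to adjust.

```shell
#!/bin/sh
# Renewal wrapper with the error handling the cron one-liner lacks.
# Added example, not the post's own script. Command names are variables so
# the logic can be exercised with stubs; the defaults are the post's commands.
: "${CERTBOT:=certbot}" "${SYSTEMCTL:=systemctl}" "${DOVEADM:=doveadm}"
# Assumed values: the Debian exim user and the certificate's live directory.
: "${MAIL_USER:=Debian-exim}" "${LIVE_DIR:=/etc/letsencrypt/live/example.com}"

log() { echo "renew-certs: $*" >&2; }   # stderr from a cron job is mailed to root

# Renewal writes fresh privkeyN.pem/certN.pem files into archive/, so check
# afterwards that the mail user can still read the key through live/.
# Returns 0 when readable, non-zero otherwise.
key_readable_by() {  # $1 = user, $2 = file
    su -s /bin/sh "$1" -c "test -r '$2'"
}

# Stop nginx, renew, then start nginx again whether or not certbot succeeded,
# so a failed renewal never leaves the web server down. Exim and Dovecot are
# reloaded only after a successful renewal. Returns 0 only if every step passed.
renew_certs() {
    status=0
    "$SYSTEMCTL" stop nginx.service || { log "could not stop nginx"; return 1; }
    if ! "$CERTBOT" -q renew; then
        log "certbot renew failed; restarting nginx, leaving mail services alone"
        status=1
    fi
    "$SYSTEMCTL" start nginx.service || { log "could not start nginx"; status=1; }
    [ "$status" -eq 0 ] || return "$status"
    key_readable_by "$MAIL_USER" "$LIVE_DIR/privkey.pem" \
        || { log "$MAIL_USER cannot read $LIVE_DIR/privkey.pem"; status=1; }
    "$SYSTEMCTL" reload exim4.service || { log "exim4 reload failed"; status=1; }
    "$DOVEADM" reload || { log "dovecot reload failed"; status=1; }
    return "$status"
}

# Run the renewal only when executed as a script, not when sourced.
case "$0" in *renew-certs.sh) renew_certs ;; esac
```

Install it as /usr/local/sbin/renew-certs.sh and have the cron entry (after its random sleep) or the timer call it; any failed step makes it exit non-zero with the reason on stderr, which cron mails to root.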