I ran into two issues when setting up Let’s Encrypt SSL certificates on two of my servers: permission issues for Exim, and the certbot cron job supplied by the package doesn’t handle the renewal very well for nginx, Exim or Dovecot.
Resolving Exim’s Permission Problems
1. Create a new group. I named it sslcerts. Add the exim user to that group. If you’re not using Debian, adjust the user in the command below.
sudo groupadd sslcerts
sudo usermod -aG sslcerts Debian-exim
2. Change permissions and ownership of some of the files so the exim user can access them.
sudo chmod g+rx /etc/letsencrypt/archive/
sudo chown -R root:sslcerts /etc/letsencrypt/archive/
sudo chown -R root:sslcerts /etc/letsencrypt/live/
Modifying certbot’s cron
The cron job in /etc/cron.d/certbot doesn’t deal with stopping and starting nginx, which is crucial to any attempt to renew, nor does it take into account that you might be using the certificate for Exim and/or Dovecot. Modifying it is necessary. Change it to:
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && /bin/systemctl stop nginx.service && certbot -q renew && /bin/systemctl start nginx.service && /bin/systemctl reload exim4.service && /usr/bin/doveadm reload
I’m not really happy with the cron job as is, so I’ll write a script when I have a few moments to check for error conditions, etc.