Certificate Renewal Configuration Deployment
Overview
The certificate renewal process uses certbot's webroot plugin, i.e. the ACME HTTP-01 challenge. The web server only needs to serve static challenge files from /var/www/html/postfix/ over plain HTTP on port 80; no proxying and no TLS configuration is required on nginx itself, since the certificates are consumed by postfix and dovecot, not by the web server.
Deployment Steps
1. Remove Apache2
Apache2 is not needed since nginx can serve the static challenge files directly. Stopping it also frees port 80, which nginx must own for HTTP-01 validation to reach it (the commands below only stop and disable the service; purge the package once nginx is confirmed working):
sudo systemctl stop apache2
sudo systemctl disable apache2
2. Deploy Consolidated Nginx Configuration
sudo cp nginx-consolidated.conf /etc/nginx/sites-available/mail-certs
sudo ln -sf /etc/nginx/sites-available/mail-certs /etc/nginx/sites-enabled/
3. Remove Old Configurations
sudo rm -f /etc/nginx/sites-enabled/nginx-imap.vhost
sudo rm -f /etc/nginx/sites-enabled/nginx-postfix.vhost
sudo rm -f /etc/apache2/sites-enabled/apache2-postfix.conf
4. Test and Reload Nginx
Always run the syntax test first; a reload with a broken configuration is refused and nginx keeps serving the old one, but the test tells you why before anything changes:
sudo nginx -t
sudo systemctl reload nginx
5. Ensure Webroot Directory Exists
certbot runs as root and writes the token files itself; the chown below only makes sure nginx (running as www-data) can read what certbot wrote:
sudo mkdir -p /var/www/html/postfix/.well-known/acme-challenge
sudo chown -R www-data:www-data /var/www/html/postfix
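The five steps above as one script, added here as an example and not the page's own nginx-consolidated.conf or deploy tooling. It assumes a Debian/Ubuntu layout (sites-available/sites-enabled, nginx as www-data) and assumes what the consolidated vhost contains: a port-80-only server block for the four hostnames whose only reachable path is /.well-known/acme-challenge/, with everything else answered 404 so the webroot exposes nothing but tokens. The probe at the end fetches a throwaway token through every hostname exactly the way Let's Encrypt will, which catches DNS, firewall and stale-vhost problems before certbot is involved.

```shell
#!/bin/sh
# Added example deployment script (not from the page). Assumptions: Debian-style
# nginx layout, nginx runs as www-data, certbot writes tokens as root.
set -eu

WEBROOT=/var/www/html/postfix
SITE=/etc/nginx/sites-available/mail-certs
DOMAINS="imap.xaos.it smtp.xaos.it mx.xaos.it pop.xaos.it"

# Print the consolidated vhost: plain HTTP, serves only the ACME path as static
# files, nothing else.  Usage: render_site_conf WEBROOT "dom1 dom2 ..."
render_site_conf() {
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $2;
    root $1;
    location /.well-known/acme-challenge/ { try_files \$uri =404; }
    location / { return 404; }
}
EOF
}

# Steps 1-5: stop apache2 (frees port 80), install the vhost, drop the old
# per-service vhosts, create the webroot, test and reload.  A failed nginx -t
# aborts the script before the reload is attempted.
deploy_site() {
  systemctl stop apache2 2>/dev/null || true
  systemctl disable apache2 2>/dev/null || true
  render_site_conf "$WEBROOT" "$DOMAINS" > "$SITE"
  ln -sf "$SITE" /etc/nginx/sites-enabled/mail-certs
  rm -f /etc/nginx/sites-enabled/nginx-imap.vhost \
        /etc/nginx/sites-enabled/nginx-postfix.vhost \
        /etc/apache2/sites-enabled/apache2-postfix.conf
  mkdir -p "$WEBROOT/.well-known/acme-challenge"
  chown -R www-data:www-data "$WEBROOT"
  nginx -t && systemctl reload nginx
}

# Self-test of the HTTP-01 path: drop a random token in the webroot and fetch
# it via each hostname over port 80, then clean up.  Usage: probe_challenge_path WEBROOT "dom ..."
probe_challenge_path() {
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  printf 'probe-%s\n' "$token" > "$1/.well-known/acme-challenge/$token"
  rc=0
  for d in $2; do
    got=$(curl -fsS --max-time 10 "http://$d/.well-known/acme-challenge/$token" || true)
    if [ "$got" = "probe-$token" ]; then echo "ok   $d"; else echo "FAIL $d"; rc=1; fi
  done
  rm -f "$1/.well-known/acme-challenge/$token"
  return $rc
}

# Run with DEPLOY=1 to apply; without it the file only defines the functions.
if [ "${DEPLOY:-0}" = 1 ]; then
  deploy_site
  probe_challenge_path "$WEBROOT" "$DOMAINS"
fi
```

A FAIL line from the probe for one name almost always means that name's DNS still points elsewhere or that port 80 is filtered; fix that before running certbot, because Let's Encrypt rate-limits failed validations.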
How It Works
- renew-mail-certs.py checks certificate expiration (30 days threshold)
- For each domain requiring renewal, certbot places challenge files in /var/www/html/postfix/.well-known/acme-challenge/
- Let's Encrypt validates by requesting http://<domain>/.well-known/acme-challenge/<token>
- Nginx serves the file from the webroot
- After validation, certbot generates certificates in /etc/certs/
- Script creates symlinks and restarts postfix/dovecot
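The renewal flow above as a shell driver, added here as an example; it is not the page's renew-mail-certs.py. Assumptions: certbot keeps its live files under the default /etc/letsencrypt/live/<name>/, /etc/certs/ is the directory postfix and dovecot are configured to read, the 30-day threshold is the one stated above, and (not stated on the page) pop.xaos.it shares a certificate with imap.xaos.it while mx.xaos.it shares one with smtp.xaos.it. The expiry test uses openssl's -checkend rather than hand-rolled date parsing, and the symlinks are swapped by rename so a daemon reloading mid-update never sees a missing link.

```shell
#!/bin/sh
# Added example renewal driver (not the page's script).  Assumptions: default
# certbot live directory, /etc/certs as the daemons' cert directory, and the
# primary/alias grouping below.
set -eu

WEBROOT=/var/www/html/postfix
CERTS=/etc/certs
DAYS=30

# Return 0 (renew) if CERT is missing or expires within DAYS days, 1 otherwise.
needs_renewal() {   # needs_renewal <cert.pem> <days>
  cert=$1; days=$2
  [ -f "$cert" ] || return 0
  if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Issue/renew one certificate via HTTP-01 webroot; aliases become SANs.
obtain() {   # obtain <primary> [alias ...]
  primary=$1; shift
  args=""
  for d in "$primary" "$@"; do args="$args -d $d"; done
  # shellcheck disable=SC2086
  certbot certonly --non-interactive --agree-tos --webroot -w "$WEBROOT" \
      --cert-name "$primary" $args
}

# Point <dest>/<name>.pem and <dest>/<name>.key at the new files.  Each link is
# created under a temporary name and renamed over the old one, which is atomic.
install_symlinks() {   # install_symlinks <dest_dir> <name> <fullchain> <privkey>
  dest=$1; name=$2
  mkdir -p "$dest"
  ln -sf "$3" "$dest/.$name.pem.tmp" && mv -f "$dest/.$name.pem.tmp" "$dest/$name.pem"
  ln -sf "$4" "$dest/.$name.key.tmp" && mv -f "$dest/.$name.key.tmp" "$dest/$name.key"
}

# Walk the certificate sets (primary first, aliases after), renew what is due,
# and restart the daemons once if anything changed.
renew_all() {
  changed=0
  for set in "imap.xaos.it pop.xaos.it" "smtp.xaos.it mx.xaos.it"; do
    primary=${set%% *}
    live=/etc/letsencrypt/live/$primary
    if needs_renewal "$live/fullchain.pem" "$DAYS"; then
      # shellcheck disable=SC2086
      obtain $set
      install_symlinks "$CERTS" "$primary" "$live/fullchain.pem" "$live/privkey.pem"
      changed=1
    fi
  done
  if [ "$changed" = 1 ]; then
    systemctl restart postfix dovecot
  fi
  return 0
}

# Run with RENEW=1 (e.g. from cron); without it the file only defines functions.
if [ "${RENEW:-0}" = 1 ]; then
  renew_all
fi
```

Restarting only when something changed keeps a daily cron run from bouncing the mail daemons needlessly; the links in /etc/certs point at certbot's root-only key files, so the directory itself should not be made world-readable.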
Domains Handled
All of these names must resolve to this host's public address: HTTP-01 validation is performed against whatever the name points to, so a stale record for an alias fails the whole certificate.
- imap.xaos.it
- smtp.xaos.it
- mx.xaos.it (alias)
- pop.xaos.it (alias)
Benefits of Consolidation
- ✅ Single web server instead of nginx + apache2
- ✅ Simplified configuration (8 lines vs 30+ lines)
- ✅ Reduced memory footprint
- ✅ Easier maintenance and troubleshooting
- ✅ No unnecessary proxying overhead