
Let’s Encrypt for non-webservers

Let’s say you want to use Let’s Encrypt for something that isn’t a website. So you download certbot, you get things going with your manual cert, and you realize that when it goes to rotate you will need to restart some services. When you go look through the docs, it’s not very clear on how to do this exactly. So here’s my post to remind myself what I did (and if it helps you as well, then hooray!).


What you want to do is configure a hook. They come in three varieties: pre-hooks (commands to run prior to running the re-issue), deploy-hooks (commands to run immediately after the cert is issued but prior to deployment), and post-hooks (commands to be run after deployment). You can find command line options pretty easily, but there is another trick if your system has all the automation built in (say, via the SNAP subsystem).

You will find some options in the /etc/letsencrypt/renewal-hooks directory if you have global commands you want to run. This is an easy way to script actions when your machine is single use. But if you have a web server on the same machine you are running email on, you might not want to run global commands when every certificate renews, just the commands unique to that one certificate.

The way to accomplish this is via the /etc/letsencrypt/renewal/your.cert.name.conf config file. At the bottom of the [renewalparams] section, you want to add the following lines:

# Add this to the /etc/letsencrypt/renewal/your.cert.here.conf
pre_hook = /bin/systemctl stop <ONE OR MORE SERVICES TO STOP, such as 'apache' to ensure you can do the renew>
post_hook = /bin/systemctl start <ONE OR MORE SERVICES TO START, such as 'apache'>; /bin/systemctl restart <ONE OR MORE SERVICES TO RESTART, such as 'dovecot postfix'>

So there you go. Now if you wanted to use letsencrypt certs for email or stunnel, it’s easily accomplished with these options.
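As an added example (not code from the original post), here is the other route the post mentions, a script dropped into the global /etc/letsencrypt/renewal-hooks/deploy/ directory but scoped to one certificate, so renewing the web cert on the same host never restarts the mail daemons. It relies on the RENEWED_LINEAGE variable certbot exports to deploy hooks, and it validates the renewed fullchain.pem before touching any service; the lineage name mail.example.org, the service list and the SYSTEMCTL override are assumptions.

```shell
#!/bin/sh
# Added example: per-certificate deploy hook for /etc/letsencrypt/renewal-hooks/deploy/.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mail.example.org)
# to every script in that directory; only the lineage named in MAIL_LINEAGE
# triggers the mail restarts, any other certificate renews untouched.
# mail.example.org and the service list are assumed values, not from the post.

MAIL_LINEAGE="${MAIL_LINEAGE:-mail.example.org}"
MAIL_SERVICES="${MAIL_SERVICES:-dovecot postfix}"
SYSTEMCTL="${SYSTEMCTL:-/bin/systemctl}"   # overridable so the logic can be exercised offline

# is_mail_lineage LINEAGE_PATH -> 0 when the lineage basename is the mail cert
is_mail_lineage() {
    [ "$(basename "$1")" = "$MAIL_LINEAGE" ]
}

# cert_is_sane LINEAGE_PATH -> 0 when fullchain.pem parses and is valid for at least a day
cert_is_sane() {
    openssl x509 -in "$1/fullchain.pem" -noout -checkend 86400 >/dev/null 2>&1
}

# restart_mail_services -> restarts each service; non-zero if any restart fails
restart_mail_services() {
    rc=0
    for svc in $MAIL_SERVICES; do
        "$SYSTEMCTL" restart "$svc" || rc=1
    done
    return $rc
}

# deploy_hook LINEAGE_PATH -> skip (0), refuse on a bad cert (2), or restart (0/1)
deploy_hook() {
    lineage="$1"
    if ! is_mail_lineage "$lineage"; then
        echo "skip: $lineage is not the mail certificate"
        return 0
    fi
    if ! cert_is_sane "$lineage"; then
        echo "refuse: $lineage/fullchain.pem failed validation, leaving services alone" >&2
        return 2
    fi
    restart_mail_services && echo "restarted: $MAIL_SERVICES"
}

# When certbot runs this file, act on the lineage it just renewed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE"
fi
```

A hook that refuses to restart on a cert that fails to parse is the difference between a failed renewal and a mail outage.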


*** This is a Security Bloggers Network syndicated blog from Branden R. Williams, Business Security Specialist authored by Branden Williams. Read the original post at: https://www.brandenwilliams.com/blog/2024/11/27/lets-encrypt-for-non-webservers/?utm_source=rss&utm_medium=rss&utm_campaign=lets-encrypt-for-non-webservers


Branden Williams

Dr. Branden R. Williams has more than twenty-five years of experience in business, technology, and cybersecurity as a consultant, strategist, and executive. Dr. Williams has experience working for the largest and smallest institutions as an entrepreneur, practitioner, and advisor. His specialty is navigating complex landscapes—be it compliance, security, technology, or business—and finding innovative solutions that promote growth while reducing risk. He is a practitioner and advisor for the operation, engineering, and management of IT and IS tools. He’s held several executive roles in the industry and served on both the PCICo and EMVCo boards.
