As of today, Certbot creates the following four files per certificate:

- cert.pem
- chain.pem
- fullchain.pem
- privkey.pem

For certain applications (e.g. Postfix), a single file which contains everything, i.e. private key, own certificate, chain, in that order, would be beneficial. For example, Postfix picks up a new certificate (or private key for that matter) without reloading the daemon. However, it is necessary that the information is updated in an atomic manner. If the private key and the certificates are stored in individual files, it might happen that Postfix reads a private key and certificate which do not match (of course depending on circumstances and timing).

See Postfix Configuration Parameters – smtpd_tls_chain_files:

> Storing the private key in the same file as the corresponding certificate is more reliable. With the key and certificate in separate files, there is a chance that during key rollover a Postfix process might load a private key and certificate from separate files that don't match.

It would be nice if certbot could also create a fifth file which provides everything.
Those issues also have very simple workarounds using simple scripts in deploy hooks. (Not that different than your own line of code, but using a deploy hook is key here to automate things.)
But I'm going to close this issue as a duplicate now, as the last issue I mentioned above is still open.
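The deploy-hook workaround mentioned in the comment above could look like the following. This is an added example, not code from the issue or from Certbot; the function name `build_combined`, the `COMBINED_OUT` variable and the default output path are assumptions. It writes the private key followed by `fullchain.pem` to a temporary file in the destination directory and renames it into place, so a reader sees either the old file or the new one in full.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that builds a single PEM file
# (private key, own certificate, chain, in that order) and installs it
# atomically. Names and paths below are assumptions, not Certbot defaults.

# build_combined LINEAGE_DIR OUT_FILE
#   LINEAGE_DIR holds privkey.pem and fullchain.pem
#   OUT_FILE is the combined file the application reads
build_combined() {
    lineage=$1
    out=$2
    outdir=$(dirname "$out")

    # Refuse to touch the existing output if either input is missing or empty.
    [ -s "$lineage/privkey.pem" ] || return 1
    [ -s "$lineage/fullchain.pem" ] || return 1

    # The temp file lives in the destination directory so that mv is a
    # same-filesystem rename, which replaces the target in one step.
    tmp=$(umask 077; mktemp "$outdir/.combined.XXXXXX") || return 1

    # fullchain.pem is already "own certificate + chain", so key + fullchain
    # gives the order asked for in the issue.
    if cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$tmp" \
        && chmod 600 "$tmp" \
        && mv -f "$tmp" "$out"
    then
        return 0
    fi

    # Any failure leaves the previous combined file in place.
    rm -f "$tmp"
    return 1
}

# Certbot exports RENEWED_LINEAGE to deploy hooks; outside a hook run this
# block is skipped. The default output path is an assumed location.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_combined "$RENEWED_LINEAGE" \
        "${COMBINED_OUT:-/etc/postfix/tls/combined.pem}"
fi
```

Postfix would then be pointed at the output file through `smtpd_tls_chain_files`; the output directory must exist beforehand and be readable only by the account that needs the key.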