2025-10-16 12:41:00
In my last post I made a somewhat sloppy solution to do monthly rotation of my Lets Encrypt certificates for Mailcow. Turns out that acme.sh has a neat built-in solution for rotation!
If you make a weekly or monthly systemd timer, with the following service definition, it'll all work out nicely!
Contents of /usr/lib/systemd/system/mailcow-certificate.timer:
[Unit]
Description=Monthly Mailcow certificate renewal
[Timer]
OnCalendar=weekly
RandomizedDelaySec=60m
Persistent=true
[Install]
WantedBy=timers.target
Contents of /usr/lib/systemd/system/mailcow-certificate.service:
[Unit]
Description=Monthly Mailcow certificate renewal
After=network.target network-online.target systemd-networkd.service
[Service]
Type=oneshot
ExecStart=/bin/bash -c '/opt/acme.sh/acme.sh --cron --home "/root/.acme.sh"'
ExecStartPost=/bin/bash -c 'docker compose --file /opt/mailcow/docker-compose.yml restart'
KillMode=process
TimeoutStopSec=900
After that?
sudo systemctl enable mailcow-certificate.timer
sudo systemctl enable mailcow-certificate.service
sudo systemctl start mailcow-certificate.timer
kilala.nl tags: work, sysadmin,
View or add comments (curr. 0)
2025-10-07 19:48:00
A few weeks ago I set up a locally hosted Mailcow instance, with proper TLS certificates from Let's Encrypt. Good stuff.
At the time I'd put off automating certificate renewal, because I wasn't ready to deal with my DNS provider's API yet. Turns out that TransIP is dead simple to use with the official Acme.sh solution!
There's a ready-to-run implementation of Acme.sh for TransIP DNS. Here's the documentation for it.
All you need is to follow TransIP's documentation of opening up and securing the API for your account.
The script I'd showed before only needs a tiny adjustment to work:
#!/bin/bash
#
# Documentation:
# https://github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_transip
InstallDir="/opt/mailcow"
if [[ ($# -gt 0) && ($1 == "--force") ]]
then
Force="--force"
else
Force=""
fi
export TRANSIP_Username="myname"
export TRANSIP_Key_File="./api.pem"
acme.sh --set-default-ca --server https://acme-v02.api.letsencrypt.org/directory
acme.sh --issue --dns dns_transip --dnssleep 300 -d mail.${Domain} ${Force}
acme.sh --install-cert -d mail.broehaha.nl \
--cert-file ${InstallDir}/data/assets/ssl/nochain.pem \
--key-file ${InstallDir}/data/assets/ssl/key.pem \
--fullchain-file ${InstallDir}/data/assets/ssl/cert.pem
kilala.nl tags: work, sysadmin,
View or add comments (curr. 0)
2025-10-05 16:50:00
Last year I did my traditional comparison of incoming and outgoing exam objectives for the Linux+ exam. It's good for students to know the changes from XK0-005 to XK0-006.
The latest version, also known as v8, went live in June. I hadn't looked at the official objectives document yet, but now I can confirm: there are no real changes between the XK1-006 draft objectives and the official, final XK0-006 objectives. There's only a few small corrections, like objective 3.3 which stated that sshd is solid state hybrid drive, instead of the SSH daemon. :)
I'm still in the midst of teaching v7 to my current group of students. They will take their exams in early December, with the final deadline being January 15th 2026. In the mean time I'm creating the new slide decks for next year's group.
kilala.nl tags: work,
View or add comments (curr. 0)
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.