Exim with letsencrypt certbot on Ubuntu 20

Run these commands to install certbot and request a certificate:

snap install core
snap refresh core

snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
snap set certbot trust-plugin-with-root=ok

# make sure firewall port 80 is unblocked and no other software is running on port 80 already
certbot certonly --standalone

# verify certbot timer exists to renew certificate
systemctl list-timers

# run this to verify the renew command will work when the timer runs it:
certbot renew --dry-run

I mostly used this article to configure exim to use the letsencrypt certificate: https://www.geekrant.org/2017/04/16/install-exim4-starttls-using-a-free-letsencrypt-certificate/

I made a couple additions on my server to complete this.

Run these to create links so exim can find the current certificate (replace example.com with the domain of your certificate):

ln -s /etc/letsencrypt/live/example.com/fullchain.pem /etc/exim4/exim.crt
ln -s /etc/letsencrypt/live/example.com/privkey.pem /etc/exim4/exim.key

Put a hook script here to fix the permissions after certbot renews a certificate:

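vim /etc/letsencrypt/renewal-hooks/post/reset_letsencrypt_perms.sh

With these contents:

#!/bin/sh
# Let the group read the files and enter the directories (X = execute on directories only)
chmod -R g+rX /etc/letsencrypt/live/
chmod -R g+rX /etc/letsencrypt/archive/
# Hand both trees to the privkey_users group (the group must already exist)
chgrp -R privkey_users /etc/letsencrypt/archive/
chgrp -R privkey_users /etc/letsencrypt/live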

Make it executable:

chmod +x /etc/letsencrypt/renewal-hooks/post/reset_letsencrypt_perms.sh
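
To confirm the hook did its job after a renewal, the check below follows the exim.key link to the real key file and reports whether the group can read it without the key being world-readable. This is an added example, not part of the original post: the function name check_key_perms and its status words are made up for illustration, and it assumes GNU readlink and find as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# Usage: check_key_perms /etc/exim4/exim.key privkey_users
# Prints one status line; returns 0 only when everything is in order.
check_key_perms() {
    link=$1
    grp=$2

    # Follow exim.key -> live/<domain>/privkey.pem -> archive/<domain>/privkeyN.pem
    target=$(readlink -f "$link") || { echo "BROKEN $link"; return 1; }
    [ -f "$target" ] || { echo "MISSING $target"; return 1; }

    # A private key that any local user can read is the worst outcome.
    if [ -n "$(find "$target" -perm -004 2>/dev/null)" ]; then
        echo "WORLD_READABLE $target"
        return 2
    fi

    # The file must belong to the group and carry the group-read bit,
    # otherwise exim cannot load the renewed key.
    if [ -z "$(find "$target" -group "$grp" -perm -040 2>/dev/null)" ]; then
        echo "NOT_GROUP_READABLE $target"
        return 3
    fi

    # The directory holding the real key must belong to the group and be
    # group-searchable. Only this one directory is checked, not every parent.
    dir=$(dirname "$target")
    if [ -z "$(find "$dir" -prune -group "$grp" -perm -010 2>/dev/null)" ]; then
        echo "DIR_NOT_TRAVERSABLE $dir"
        return 4
    fi

    echo "OK $target"
    return 0
}

# Run as a script when given a link and a group name.
if [ $# -eq 2 ]; then
    check_key_perms "$1" "$2"
fi
```

A non-zero result right after a renewal means the hook did not run or the group name in it does not match the one being checked.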
