Certificate renewal / grommunio reload

stefan_o

Hello,
in my upcoming setup I will put grommunio into a Linux Container (lxc), installed from the ISO image in a VM, then converted the VM to a container (tested and that seems to work).
As port 443 is also used for other services I will use a reverse proxy, the other ports (SMTP, IMAP, admin interface etc.) will be directly forwarded. Certbot will run on the host and will also provide the certificate for grommunio (probably my mounting them into the container filesystem). Does grommunio automatically recognize that there is a new certificate or do I need to trigger a reload somehow? What would be the best option to do that?
Best regards
Stefan

crpb

stefan_o Does grommunio automatically recognize that there is a new certificate or do I need to trigger a reload somehow?

No, but you could create a systemd.path + .service

/etc/systemd/system/acme-certs.path

[Unit]
Wants=acme-certs.service
[Path]
#PathChanged=/etc/grommunio-common/ssl/server.key /etc/grommunio-common/ssl/server-bundle.pem
PathChanged=/etc/grommunio-common/ssl/
[Install]
WantedBy=default.target

/etc/systemd/system/acme-certs.service

[Unit]
Description=acme-certs
#ConditionPathExists=/etc/grommunio-common/ssl/server.key /etc/grommunio-common/ssl/server-bundle.pem
[Service]
Type=simple
ExecStart=systemctl --no-block restart nginx gromox-imap gromox-pop3 postfix
# could also work with this instead i think
#PartOf=nginx.service gromox-imap.service gromox-pop3.service postfix.service
[Install]
WantedBy=default.target

i actually use those shenanigans for concatenating certificates and running update-ca-certificated with that generated file but modified it so far that you should be able to make it work