Jun 15, 2022
Oct 10, 2023 07:03 EEST


pkg install

Configuration is in:


Certificates are stored in


As the certificates are only accessible by the user acme, we need an additional step to make them available to dovecot/postfix/haproxy.

We do not modify any daemon; instead we let write into a common shared directory that each website uses, so whatever is done with has no impact on any service on your server.

Next we configure log rotation:

cp /usr/local/share/examples/ /usr/local/etc/newsyslog.conf.d/

Make sure you uncomment the line in /usr/local/etc/newsyslog.conf.d/

/var/log/  acme:acme       640  90    *    @T00   BC

Next is to configure cron to automatically renew your certificates. For this we edit /etc/crontab

# Renew certificates created by
7       2       *       *       *       acme    /usr/local/sbin/ --cron --home /var/db/acme/ > /dev/null

We need to create the logfile:

touch /var/log/
chown acme /var/log/

Allow acme to write the challenge files:

mkdir -p /usr/local/www/letsencrypt/.well-known/
chgrp acme /usr/local/www/letsencrypt/.well-known/
chmod g+w /usr/local/www/letsencrypt/.well-known/

Set up the configuration of

echo ACCOUNT_EMAIL=\"name@yourdomain.tld\" >> account.conf

Hook in your own custom deploy scripts from: make sure you create a config file, then symlink the hook:

cd /var/db/acme/
ln -s /usr/home/idefix/letsencrypt/

Now we can create our first test certificate (run this as root):

su -l acme -c "cd /var/db/acme && --issue --test -k ec-256 -w /usr/local/www/letsencrypt -d -d -d --deploy-hook create-haproxy-ssl-restart-all_acme"
su -l acme -c "cd /var/db/acme && --issue --test -k 2048 -w /usr/local/www/letsencrypt -d -d -d --deploy-hook create-haproxy-ssl-restart-all_acme"

If everything is fine, you can get the real certificates with:

su -l acme -c "cd /var/db/acme && --issue -k ec-256 -w /usr/local/www/letsencrypt -d -d -d --deploy-hook create-haproxy-ssl-restart-all_acme --server letsencrypt --force"
su -l acme -c "cd /var/db/acme && --issue -k 2048 -w /usr/local/www/letsencrypt -d -d -d --deploy-hook create-haproxy-ssl-restart-all_acme --server letsencrypt --force"

Now you should find an RSA and an ECDSA certificate in:


As we will renew certificates for many domains, but tools like dovecot/postfix/haproxy need a directory or a single file, we need to prepare these files and copy them with the correct permissions to the destination folders.
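As an added example (not the deploy hook used by this post), here is an acme.sh-style deploy hook that builds the combined PEM haproxy expects (private key followed by the full chain) and drops it into a shared directory with tight permissions, so nothing under /var/db/acme has to be opened up. It assumes acme.sh's deploy-hook convention of calling `<name>_deploy domain key cert ca fullchain`; the function name, the shared directory and the SSL_GROUP/SSL_RELOAD_CMD variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example hook, not the blog's own: assemble the haproxy bundle
# (key + fullchain) and install it atomically into a shared directory.
# acme.sh sources the hook file and calls <name>_deploy with five args:
#   domain keyfile certfile cafile fullchainfile   (assumed convention)
set -u

: "${SSL_SHARED_DIR:=/usr/local/etc/ssl/shared}"  # assumed shared directory
: "${SSL_GROUP:=}"        # group allowed to read the bundle; empty = leave as is
: "${SSL_RELOAD_CMD:=}"   # e.g. "service haproxy reload"; empty = no reload

# _pem_has FILE LABEL: succeed if FILE contains a "-----BEGIN ...LABEL-----" line.
_pem_has() {
    grep -q -- "-----BEGIN .*$2-----" "$1"
}

# haproxy_shared_deploy DOMAIN KEY CERT CA FULLCHAIN (hypothetical hook name)
haproxy_shared_deploy() {
    _cdomain=$1 _ckey=$2 _ccert=$3 _cca=$4 _cfullchain=$5
    _dest="$SSL_SHARED_DIR/$_cdomain.pem"
    _tmp="$_dest.tmp.$$"

    # Refuse to deploy anything that does not look like key material and a chain.
    _pem_has "$_ckey" "PRIVATE KEY" || { echo "no private key in $_ckey" >&2; return 1; }
    _pem_has "$_cfullchain" "CERTIFICATE" || { echo "no certificate in $_cfullchain" >&2; return 1; }

    mkdir -p "$SSL_SHARED_DIR" || return 1
    # Create the temp file without group/world access before any key bytes land.
    umask 077
    cat "$_ckey" "$_cfullchain" > "$_tmp" || { rm -f "$_tmp"; return 1; }
    if [ -n "$SSL_GROUP" ]; then
        chgrp "$SSL_GROUP" "$_tmp" || { rm -f "$_tmp"; return 1; }
    fi
    chmod 0640 "$_tmp" || { rm -f "$_tmp"; return 1; }
    # Atomic replace: the daemon never reads a half-written bundle.
    mv -f "$_tmp" "$_dest" || { rm -f "$_tmp"; return 1; }

    if [ -n "$SSL_RELOAD_CMD" ]; then
        sh -c "$SSL_RELOAD_CMD" || return 1
    fi
    return 0
}
```

The same function can be called once per daemon destination with a different SSL_SHARED_DIR and SSL_GROUP; dovecot and postfix read a plain key/cert pair, so for them you would cat only what each expects.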

Add a new subdomain

You already have a certificate for and would now like to add more hosts to it.

Go to folder:

cd /var/db/acme/certs/vmail2.fechner.net_ecc

And add a new line to or just append a new subdomain separated by a comma:


Tell acme to renew the certificate (I have problems making a forced renewal for the ec-256 cert; I had to recreate it):


su -l acme -c "cd /var/db/acme && --renew --force -k ec-256 -d"
su -l acme -c "cd /var/db/acme && --renew --force -k 2048 -d"
