scripts/entry.sh: fix cert renewal

Certificate renewal was broken because renewed certificates were stored in the container's /etc/letsencrypt, which was subsequently removed and soft-linked from /host/etc/letsencrypt. This change fixes that by moving cert renewal after the /host/etc -> /etc handling. It also disables certbot's random sleep before renewal since that would impact the mailserver's startup time. Signed-off-by: Thilo Fromm <github@thilo-fromm.de>
t-lo · Jul 22, 2023 · d30b5b3 · d30b5b3
1 parent 9405e75
commit d30b5b3
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/scripts/entry.sh b/scripts/entry.sh
@@ -39,12 +39,13 @@ function check_letsencrypt() {
         certbot certonly --non-interactive --webroot --webroot-path /host/srv/www/html \
              --agree-tos --email "${ADMIN_EMAIL}" \
             -d "${HOSTNAME}"
-    else
-        echo "##### ENTRY: checking for certificate renewals"
-        certbot renew --non-interactive --webroot --webroot-path /host/srv/www/html
     fi
 
     init_srv_cfg letsencrypt
+
+    echo "##### ENTRY: checking for certificate renewals"
+    certbot renew --non-interactive --no-random-sleep-on-renew \
+        --webroot --webroot-path /host/srv/www/html
 }
 # --