Additional RSA certificate from Let's Encrypt (Certbot)
There are some answers with solutions that require custom scripting. This solution relies entirely on the Certbot configuration. The following assumptions are made. If these differ in your setup, alter the instructions for your needs.
There is an ECC certificate configured for mail.example.com, using that as the certificate name (--cert-name); renewal is configured in /etc/letsencrypt/renewal/mail.example.com.conf etc.
The defaults for Certbot are configured via configuration file /etc/letsencrypt/cli.ini. This example uses ECC certificates with a stronger secp384r1 curve (default secp256r1) and increased RSA key size 4096 (default 2048) as well as a pre-configured authenticator.
# Because we are using logrotate for greater flexibility, disable the
# internal certbot logrotation.
max-log-backups = 0
# Use ECC for the private key
# (do not set this by default to allow overrides in renewal/*.conf)
#key-type = ecdsa
elliptic-curve = secp384r1
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Use webroot authenticator; common webroot for all sites
authenticator = webroot
webroot-path = /var/www/letsencrypt
The key is to not set key-type, as it will override the one set in /etc/letsencrypt/renewal/*.conf. Hence, the line is commented out.
With this, you can now get two separate certificates:
ECDSA (only if you did not already have one):
sudo certbot certonly \
--cert-name mail.example.com-ecdsa \
-d mail.example.com \
--key-type ecdsa
RSA:
sudo certbot certonly \
--cert-name mail.example.com-rsa \
-d mail.example.com \
--key-type rsa
If your renewal method is configured correctly you should get:
Requesting a certificate for mail.example.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.example.com-ecdsa/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mail.example.com-ecdsa/privkey.pem
&
Requesting a certificate for mail.example.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.example.com-rsa/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mail.example.com-rsa/privkey.pem
You will need these paths in the Postfix configuration.
Multiple certificates in Postfix
With Postfix TLS Support you can configure multiple certificates at the same time. Since Postfix 3.4 it has been recommended to use the smtpd_tls_chain_files parameter (instead of the legacy smtpd_tls_cert_file & smtpd_tls_key_file for RSA & smtpd_tls_eccert_file & smtpd_tls_eckey_file for ECDSA).
It is worth noting that:
You can also store the keys separately from their certificates, again provided each is listed before the corresponding certificate chain. Storing a key and its associated certificate chain in separate files is not recommended, because this is prone to race conditions during key rollover, as there is no way to update multiple files atomically.
However,
- Certbot stores the key and the chain in separate files.
- You can configure a --deploy-hook with a script that runs systemctl reload postfix on a successful renewal.
Example configuration for the main.cf; pay attention to the correct order: each private key before each certificate chain:
smtpd_tls_chain_files =
/etc/letsencrypt/live/mail.example.com-ecdsa/privkey.pem,
/etc/letsencrypt/live/mail.example.com-ecdsa/fullchain.pem,
/etc/letsencrypt/live/mail.example.com-rsa/privkey.pem,
/etc/letsencrypt/live/mail.example.com-rsa/fullchain.pem
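The Postfix note quoted above warns that a key and its chain in separate files cannot be swapped atomically, while Certbot always writes them separately. One way to close that gap, and to get the reload the answer mentions, is a deploy hook that folds each renewed lineage into a single PEM (key first, then chain) and renames it into place. The script below is an added example, not code from the answer, from Certbot or from Postfix. It assumes the combined files live in /etc/postfix/tls and that Postfix runs under systemd; RENEWED_LINEAGE is the variable Certbot sets for deploy hooks, the directory name and the sanity checks are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the answer above): a Certbot --deploy-hook that
# folds each renewed lineage's privkey.pem and fullchain.pem into ONE combined
# PEM, written atomically, so Postfix never reads a key/chain pair mid-rollover.
# Assumed (not from the answer): combined files live in /etc/postfix/tls and
# Postfix runs under systemd. RENEWED_LINEAGE is set by Certbot for deploy hooks.
set -eu

COMBINED_DIR="${COMBINED_DIR:-/etc/postfix/tls}"

# build_combined_pem LINEAGE_DIR OUT_FILE
# Writes privkey.pem followed by fullchain.pem (key first, as Postfix requires)
# to a temp file next to OUT_FILE, then renames it into place: rename(2) is
# atomic, so a reader sees either the old or the new file, never a partial one.
build_combined_pem() {
    key="$1/privkey.pem"
    chain="$1/fullchain.pem"
    out="$2"
    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "build_combined_pem: missing privkey.pem or fullchain.pem in $1" >&2
        return 1
    fi
    # Sanity checks: refuse to hand Postfix something that is not PEM at all.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key"; then
        echo "build_combined_pem: $key does not look like a PEM private key" >&2
        return 1
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$chain"; then
        echo "build_combined_pem: $chain contains no certificate" >&2
        return 1
    fi
    tmp=$(mktemp "$(dirname "$out")/.combined.XXXXXX")
    chmod 0600 "$tmp"                 # lock down before any key bytes are written
    if ! cat "$key" "$chain" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$out"
}

# deploy LINEAGE_DIR: Certbot passes /etc/letsencrypt/live/<cert-name> via
# RENEWED_LINEAGE; the combined file is named after the lineage, e.g.
# mail.example.com-rsa.pem, so both the -ecdsa and -rsa lineages get their own.
deploy() {
    lineage="$1"
    mkdir -p "$COMBINED_DIR"
    chmod 0750 "$COMBINED_DIR"
    build_combined_pem "$lineage" "$COMBINED_DIR/$(basename "$lineage").pem"
    systemctl reload postfix
}

# Only act when Certbot invokes us; sourcing the file for tests does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Install it somewhere root-owned (for instance /usr/local/sbin/postfix-deploy-hook.sh, a path chosen for this example), point Certbot at it with deploy-hook = /usr/local/sbin/postfix-deploy-hook.sh in cli.ini or --deploy-hook on the command line, and run it once by hand with RENEWED_LINEAGE set for each lineage to seed the files. main.cf then lists only the two combined files, still key-before-chain within each file: smtpd_tls_chain_files = /etc/postfix/tls/mail.example.com-ecdsa.pem, /etc/postfix/tls/mail.example.com-rsa.pem. The hook runs once per renewed lineage, so a renewal of only the RSA certificate rewrites only the RSA file.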