Hi,
I use Apache as a proxy without Docker and mailcow with Docker.
Now I've created all my Let's Encrypt certificates with "certbot --apache certonly".
Is it possible to create a symlink ....
ln -s /etc/letsencrypt/archive/sub.mydomain.de/fullchain1.pem /opt/docker/mailcow-dockerized/data/assets/ssl/cert.pem - and for the key the same
jm3west
I don't think this works (at least not with standard Docker). Symlinks are resolved by the application (unlike hardlinks, which are dealt with by the file system) and thus cannot be resolved from inside a container.
Symlinks will not work. You can create a cronjob that overwrites /data/assets/ssl/cert.pem and /data/assets/ssl/key.pem once a week and restarts mailcow.
Note: Set SKIP_LETS_ENCRYPT=y in mailcow.conf. Otherwise, your certificate will be overwritten by Mailcow.
@mritzmann, yes this was my first idea!
A cron with a bash script ...
0 2 27 */2 * /root/lets-up.sh
#!/bin/bash
# renew, copy the certificate and key into mailcow's ssl directory, then restart mailcow
certbot renew
cd /opt/docker/mailcow-dockerized
# note: archive/*1.pem is the first issued version; each renewal writes a new
# fullchain2.pem, fullchain3.pem, ... so these fixed names point at the old files
cp /etc/letsencrypt/archive/sub.mydomain.de/fullchain1.pem data/assets/ssl/cert.pem
cp /etc/letsencrypt/archive/sub.mydomain.de/privkey1.pem data/assets/ssl/key.pem
docker-compose down && docker-compose up -d
I can't copy the symlink from Let's Encrypt; it must be a real *.pem.
From cp(1):
-L, --dereference
always follow symbolic links in SOURCE
You could also use a post hook in the letsencrypt/certbot client and then have that hook move/copy the file to the correct location.
@RobinFlikkema any chance you would have an example?
Hi,
I don't have it implemented anymore, but the letsencrypt package allows post-hooks and deploy-hooks:
--deploy-hook DEPLOY_HOOK
Command to be run in a shell once for each
successfully issued certificate. For this command, the
shell variable $RENEWED_LINEAGE will point to the
config live subdirectory (for example,
"/etc/letsencrypt/live/example.com") containing the
new certificates and keys; the shell variable
$RENEWED_DOMAINS will contain a space-delimited list
of renewed certificate domains (for example,
"example.com www.example.com" (default: None)
--post-hook POST_HOOK
Command to be run in a shell after attempting to
obtain/renew certificates. Can be used to deploy
renewed certificates, or to restart any servers that
were stopped by --pre-hook. This is only run if an
attempt was made to obtain/renew a certificate. If
multiple renewed certificates have identical post-
hooks, only one will be run. (default: None)
You can use these hooks to fire off scripts and/or commands to copy and move the certificate. Something like --deploy-hook "cp /etc/letsencrypt/live/mail.domain.me/fullchain.pem mailcow-folder/data/assets/ssl/cert.pem && cp /etc/letsencrypt/live/mail.domain.me/privkey.pem mailcow-folder/data/assets/ssl/key.pem"; you could also replace /etc/letsencrypt/live/mail.domain.me with $RENEWED_LINEAGE to make the script more dynamic and work for other domains.
If I've time this week I'll try to get this to work again and share the command options.
EDIT:
I've tried it out and used this command to change my existing certificate: letsencrypt certonly --webroot -w /root/mailcow-dockerized/data/web --expand --post-hook "cp /etc/letsencrypt/live/mail.domain.nl/fullchain.pem /root/mailcow-dockerized/data/assets/ssl/cert.pem && cp /etc/letsencrypt/live/mail.domain.nl/privkey.pem /root/mailcow-dockerized/data/assets/ssl/key.pem && docker restart mailcowdockerized_postfix-mailcow_1" -d mail.domain.nl -d www.mail.domain.nl -d autodiscover.domain.nl -d autoconfig.domain.nl
Furthermore, I'm running a nginx reverse proxy which proxies all things like www.mail.domain.nl, mail.domain.nl, autoconfig and autodiscover to mailcow's nginx container.
The nginx reverse proxy points to the certificate in /etc/letsencrypt/live/mail.domain.nl:
server {
    # SSL configuration for MAIL
    #
    listen 51.xxx.xxx.xxx:443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-params.conf;
    ssl_certificate /etc/letsencrypt/live/mail.domain.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.domain.nl/privkey.pem;
    root /var/www/html/;
    server_name mail.domain.nl www.mail.domain.nl autodiscover.domain.nl autoconfig.robinflikkema.nl xxx.xxx.domain.nl;
    access_log /var/log/nginx/mail/access.log;
    error_log /var/log/nginx/mail/error.log;
    location / {
        proxy_pass http://127.0.0.1:8001/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 100m;
    }
}
I've bound mailcow to localhost:8001:
# ------------------------------
# HTTP/S Bindings
# ------------------------------
# You should use HTTPS, but in case of SSL offloaded reverse proxies:
HTTP_PORT=8001
HTTP_BIND=127.0.0.1
HTTPS_PORT=8002
HTTPS_BIND=127.0.0.1
Robin
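Putting the cron script and the deploy-hook approach from this thread together, as an added example that is not from this thread, from certbot or from mailcow: a deploy hook (drop it into /etc/letsencrypt/renewal-hooks/deploy/ or pass it with --deploy-hook) that copies the renewed lineage into mailcow's ssl directory with cp -L, refuses to run unless SKIP_LETS_ENCRYPT=y is set, checks that the key belongs to the certificate, and restarts only the containers that load it. The mailcow directory, the mailcow.conf location and the compose service names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot deploy hook that copies the
# renewed lineage into mailcow's data/assets/ssl/ as regular files and restarts
# the containers that load the certificate. All paths and service names below
# are assumptions; adjust them to your installation.
set -eu

MAILCOW_DIR="${MAILCOW_DIR:-/opt/docker/mailcow-dockerized}"  # assumed path
SSL_DIR="$MAILCOW_DIR/data/assets/ssl"

# mailcow's own ACME client must be off (SKIP_LETS_ENCRYPT=y in mailcow.conf),
# otherwise it overwrites whatever we copy in. Returns 0 when it is off.
acme_disabled() {
    grep -q '^SKIP_LETS_ENCRYPT=y' "$1"
}

# Copy fullchain.pem/privkey.pem from a lineage dir ($1) into $2, following the
# live/ symlinks (cp -L) so the container sees real files, not dangling links.
# Writes to temp names and renames, so a restart never sees a half-written key.
deploy_lineage() {
    lineage="$1"; dst="$2"
    [ -s "$lineage/fullchain.pem" ] && [ -s "$lineage/privkey.pem" ] || return 1
    mkdir -p "$dst"
    cp -L "$lineage/fullchain.pem" "$dst/cert.pem.tmp"
    cp -L "$lineage/privkey.pem" "$dst/key.pem.tmp"
    chmod 600 "$dst/key.pem.tmp"
    mv "$dst/cert.pem.tmp" "$dst/cert.pem"
    mv "$dst/key.pem.tmp" "$dst/key.pem"
    [ ! -L "$dst/cert.pem" ] && [ -s "$dst/cert.pem" ] && [ -s "$dst/key.pem" ]
}

# Refuse to deploy a key that does not belong to the certificate (works for
# RSA and EC keys alike by comparing the public key rather than the modulus).
key_matches_cert() {
    [ "$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/privkey.pem" -pubout)" ]
}

main() {
    acme_disabled "$MAILCOW_DIR/mailcow.conf" ||
        { echo "SKIP_LETS_ENCRYPT is not y; mailcow would overwrite the cert" >&2; return 1; }
    key_matches_cert "$RENEWED_LINEAGE" || { echo "key/cert mismatch in $RENEWED_LINEAGE" >&2; return 1; }
    deploy_lineage "$RENEWED_LINEAGE" "$SSL_DIR"
    # Service names are mailcow's compose service names (assumed unchanged).
    cd "$MAILCOW_DIR" && docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
}

# certbot exports RENEWED_LINEAGE when it runs the hook; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

To try it by hand against an existing lineage without waiting for a renewal, run it as RENEWED_LINEAGE=/etc/letsencrypt/live/<your-domain> ./deploy-mailcow.sh.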
Thanks for the example. Don't you think we need a cp -L?
But it works with cp -L ...
If you want to create a link, you can use cp -L instead of cp.