Dovecot and Letsencrypt certs

[Darac Marjal]

On Fri, Sep 08, 2017 at 06:47:25AM -0600, @lbutlr wrote:
>So this morning at 4am I was awoken to my mail clients getting certificate errors for an expired certificate.
>
>I hopped on to the server and checked and… no, the LE certs renewed last month and are valid until November.
>
>After some moments of confusion I noticed that dovecot had been running since before the renewal, so I did a quick service dovecot restart which fixed everything.
>
>Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files?

As you're using dehydrated, I can share what I do. My hook script 
basically calls "run-parts /etc/dehydrated/hooks.d/" so I can just drop 
hook scripts into that directory. Then in the hooks.d directory, I have 
the following:

	#!/bin/bash

	set -e
	set -u
	set -o pipefail
	
	if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
	        echo " + Hook: Restarting Dovecot..."
	        /usr/sbin/service dovecot restart
	fi

That means that dovecot will be restarted only if the certificate for the 
mail server is being deployed. If dehydrated runs, but fails to renew 
the certificate, then dovecot won't be restarted. Similarly, if it 
renews a different certificate, dovecot won't be restarted.

Hope that helps.


>
>Should I just create a monthly cron to restart dovecot or is there something else?
>
>-- 
>Apple broke AppleScripting signatures in Mail.app, so no random signatures.

-- 
For more information, please reread.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 906 bytes
Desc: not available
URL: <https://dovecot.org/pipermail/dovecot/attachments/20170908/93971fc9/attachment.sig>