Dovecot and Letsencrypt certs
Joseph Tam
jtam.home at gmail.com
Tue Sep 12 22:31:16 EEST 2017

On Tue, 12 Sep 2017, dovecot-request at dovecot.org wrote:
> What's wrong with using a certbot "post-hook" script such as:
>
> #!/bin/bash
> echo "Letsencrypt renewal hook running..."
> echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
> echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
>
> if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
>     /usr/local/sbin/dovecot reload
>     /usr/sbin/postfix reload
> fi

Nothing, if you let your certbot run as root.  (I'm assuming that's
how these hooks work -- it's called after cert renewal using the same
credentials as the certbot.)

If you use privilege separation, and run the certbot as a regular user
process, this won't work.  You might have this scenario if, for example,
in the context of web serving, you serve many virtual sites with
different owners, and you don't want to give each owner administrative
access.

Joseph Tam <jtam.home at gmail.com>
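As an added example (not from the original post or from the dovecot or certbot projects), here is a variant of the hook that makes the two points above explicit: it compares the renewed domain as a whole token rather than with a substring grep (the original `grep "your.email.domain"` also matches a longer name that merely contains it, and the unescaped dots match any character), and it checks that it is running as root before attempting the reloads, since a hook run from a non-root certbot inherits that user's credentials. The hostname `mail.example.org`, the `MAIL_HOST` override variable and the service binary paths are placeholders copied from the quoted script, not something the page specifies.

```shell
#!/bin/bash
# Added example, not the original poster's script or certbot's own code.
# certbot exports RENEWED_DOMAINS (space-separated) and RENEWED_LINEAGE to
# its renewal hooks; everything else here is an assumption for illustration.

# Exact token match: returns 0 if "$1" appears as a whole entry in the
# space-separated list "$2". Unlike `grep "your.email.domain"`, this does not
# match "notyour.email.domain" and does not treat "." as a regex wildcard.
renewed_includes_domain() {
    local wanted="$1" list="$2" d
    for d in $list; do
        if [ "$d" = "$wanted" ]; then
            return 0
        fi
    done
    return 1
}

# The hook runs with certbot's credentials. Only root can reload dovecot
# and postfix, so under privilege separation this check fails and the
# script says so instead of producing two confusing permission errors.
can_reload_services() {
    [ "$(id -u)" -eq 0 ]
}

main() {
    local mail_host="${MAIL_HOST:-mail.example.org}"   # assumed hostname
    echo "Letsencrypt renewal hook running..."
    echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
    echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"

    if ! renewed_includes_domain "$mail_host" "$RENEWED_DOMAINS"; then
        echo "certificate for $mail_host was not renewed; nothing to do"
        return 0
    fi
    if ! can_reload_services; then
        echo "not running as root: cannot reload dovecot/postfix" >&2
        return 1
    fi
    /usr/local/sbin/dovecot reload
    /usr/sbin/postfix reload
}

# Only act when certbot actually invoked us with a renewal; sourcing the
# file to reuse the functions leaves RENEWED_DOMAINS unset and does nothing.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    main "$@"
fi
```

Installed as a `--deploy-hook` (or `--post-hook`) this behaves like the quoted script when certbot runs as root; when certbot runs as an unprivileged user it exits non-zero with a clear message rather than silently leaving the old certificate loaded, which is the failure mode the reply describes.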