Thousands of SSL certificates stalls new logins during reload - problem with Dovecot config process
Bartosz Kwitniewski
zerg-dovecot at uid0.pl
Sat Sep 3 22:58:12 UTC 2022
On 02/09/2022 22:45, John Stoffel wrote:
>>>>>> "Bartosz" == Bartosz Kwitniewski <zerg-dovecot at uid0.pl> writes:
>
>> Out of other services on that machine that are able to handle such
>> number of certificates during reloads:
>> - proftpd loads configs dynamically based on SNI domain
>> - exim loads certificates dynamically based on SNI domain
>> - LiteSpeed switches to a new process after loading whole configuration
>
> Are you running all these services on one machine? Maybe you could
> get an SSL termination device which terminates the SSL connections and
> then forwards them into the proper backend application? This way only
> one system needs to be managed for certs, and only one (or two since I
> assume you have an HA pair :-) needs to then reload when new certs are
> inserted.
>
> If you could hack the proftpd cert code into dovecot, that might also
> be a way around it. I haven't a clue how this works since I haven't
> looked at either code base. It won't be simple, but I'm sure others
> would appreciate it.
>
> If it's critical, paying for the feature to be added is another
> option.
>
>
For now they are on the same machine; we have to write our own panel for
clients to get more freedom in backend choices. I was looking into
HAProxy for SSL termination, but it does not support STARTTLS.
I'll try to look for a workaround next week, but I haven't used C for ages.
Best regards,
--
Bartosz Kwitniewski