Oh, also I removed the '2>1> /dev/null' from the acme.sh crontab entry so that it will always send an email; and entered this in sieve:

# extensions used below; add to the existing require line if your script already has one
require ["fileinto", "body", "regex", "imap4flags", "copy"];

# ------- let's encrypt -------
if header :contains "subject" "acme.sh" {
    if body :regex "Error[[:space:]]+renew" {
        # redirect :copy "bill@example.com";
        addflag "$label1";   # Thunderbird red
        stop;
    }
    if body :regex "-----BEGIN CERTIFICATE-----" {
        # redirect :copy "bill@example.com";
        addflag "$label4";   # Thunderbird blue
        stop;
    }
    fileinto "AASystemAdministration.Cron.certificate";
    stop;
}

The redirect :copy I enable for my other servers to forward a copy to me.
HTH, Bill
On 9/9/2017 3:16 PM, Bill Shirley wrote:
If you're using acme.sh:

acme.sh --installcert -d imap.example.com \
    --keypath /etc/pki/dovecot/private/imap.example.com.pem \
    --certpath /etc/pki/dovecot/certs/imap.example.com.crt \
    --fullchainpath /etc/pki/dovecot/certs/imap.example.com.full.chain.crt \
    --reloadcmd "systemctl reload dovecot.service"

HTH, Bill
On 9/8/2017 9:56 AM, Darac Marjal wrote:
On Fri, Sep 08, 2017 at 06:47:25AM -0600, @lbutlr wrote:
So this morning at 4am I was awoken to my mail clients getting certificate errors for an expired certificate.
I hopped on to the server and checked and… no, the LE certs renewed last month and are valid until November.
After some moments of confusion I noticed that dovecot had been running since before the renewal, so I did a quick service dovecot restart which fixed everything.
Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the newest LE certs (which are themselves links the dehydrated script creates to point to the newest cert-1502534746.csr etc files)?
As you're using dehydrated, I can share what I do. My hook script basically calls "run-parts /etc/dehydrated/hooks.d/" so I can just drop hook scripts into that directory. Then in the hooks.d directory, I have the following:
#!/bin/bash
set -e
set -u
set -o pipefail

# Only the deploy_cert handler carries a domain as its second argument;
# default it to empty so handlers called with fewer arguments do not trip 'set -u'.
if [[ ${1} == "deploy_cert" && ${2:-} == "mail.darac.org.uk" ]]; then
    echo " + Hook: Restarting Dovecot..."
    /usr/sbin/service dovecot restart
fi
That means that dovecot will be restarted only if the certificate for the mail server is being deployed. If dehydrated runs, but fails to renew the certificate, then dovecot won't be restarted. Similarly, if it renews a different certificate, dovecot won't be restarted.
Hope that helps.
Should I just create a monthly cron to restart dovecot or is there something else?
-- Apple broke AppleScripting signatures in Mail.app, so no random signatures.
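As an added example (not Darac's hook, not dehydrated's own hook.sh), here is a fuller version of the same idea: a dehydrated hook that reloads Dovecot only when the mail certificate is actually deployed, and then checks that the running Dovecot presents the certificate that is now on disk, which is the check that would have caught the stale-certificate situation described at the top of this thread. It assumes the hostnames in MAIL_DOMAINS, the reload command in RELOAD_CMD, IMAPS on port 993, and dehydrated's documented deploy_cert argument order (DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP); all of those are placeholders to adapt.

```shell
#!/bin/sh
# dehydrated hook (added example, not the project's code): reload Dovecot only
# when one of the mail certificates was deployed, then verify the certificate
# the live IMAPS service presents matches the fullchain file just written.
set -u

# Assumption: hostnames whose certificate Dovecot serves, and how to reload it.
MAIL_DOMAINS="mail.example.com imap.example.com"
RELOAD_CMD="systemctl reload dovecot.service"

# should_reload HANDLER [DOMAIN ...]
# Returns 0 only for deploy_cert of one of MAIL_DOMAINS. Handlers such as
# startup_hook and exit_hook are called without a domain, so default it to
# empty instead of tripping 'set -u'.
should_reload() {
    handler="${1:-}"
    domain="${2:-}"
    [ "$handler" = "deploy_cert" ] || return 1
    for d in $MAIL_DOMAINS; do
        [ "$d" = "$domain" ] && return 0
    done
    return 1
}

# cert_fingerprint PEMFILE: SHA-256 fingerprint of the first certificate in the file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# served_fingerprint HOST [PORT]: fingerprint of the certificate the TLS
# service presents. IMAPS on 993 is TLS from the start, so no STARTTLS needed.
served_fingerprint() {
    host="$1"
    port="${2:-993}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# verify_served HOST PEMFILE: 0 if the live service presents the cert in PEMFILE.
verify_served() {
    want=$(cert_fingerprint "$2")
    got=$(served_fingerprint "$1")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

main() {
    handler="${1:-}"
    if [ -z "$handler" ]; then
        echo "usage: $0 HANDLER [ARGS...]  (invoked by dehydrated)" >&2
        return 0
    fi
    if should_reload "$@"; then
        domain="$2"
        fullchain="${4:-}"   # dehydrated: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
        echo " + Hook: reloading Dovecot for $domain"
        $RELOAD_CMD
        sleep 1
        if [ -n "$fullchain" ] && verify_served "$domain" "$fullchain"; then
            echo " + Hook: Dovecot now serves the new certificate"
        else
            echo " ! Hook: Dovecot still serves a different certificate for $domain" >&2
            return 1
        fi
    fi
}

main "$@"
```

Because the hook exits non-zero when the served certificate does not match, a cron-driven dehydrated run produces output (and, with the crontab redirect removed as Bill describes, an email) exactly when a reload silently failed to take effect; running verify_served on its own from cron is also a cheap periodic check that the certificate clients see is the one on disk.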