On 09/10/2020 11:16 Rogier Wolff r.e.wolff@bitwizard.nl wrote:
Hi,
I get my Email from my own SMTP server on the internet using "fetchmail". Some time ago I did the smart thing and configured dovecot to use SSL and the letsencrypt certificate that automatically renews.
Welllll..... a few days ago my certificate expired and the fetchmail deamon running in the background had nowhere to complain. So I didn't notice.
It turns out that dovecot had been running uninterrupted since august 13th, the certificate was renewed on september 7th and I suspect it expired on october 7th.
So.... Feature request: check the expiry date on the SSL certificate as it is being loaded and check for a new certificate if it HAS expired.
If you worry about performance, this could be done where:
TLS handshaking: SSL_accept() failed: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired: SSL alert number 45
is reported. That would mean that ONE client will once get the error before dovecot fixes it. My personal fix is to restart dovecot once a week from now on.
I might be running an older version:
# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.21 (92477967) # OS: Linux 4.15.0-34-generic x86_64 Ubuntu 18.04.5 LTS
if it has already been fixed, please accept my apologies.
Roger.
That is indeed old version, but no, there is no automatic certificate reloading in Dovecot yet. This has been suggested before, and we have it in our internal issue tracker, but unfortunately I can't promise any date when it will be done.
Aki