"writing a script to check the certs" - there is no need to write any scripts. As one mentioned, it's done by a hook to certbot. Please read the manuals for LE or certbot. The issue you have is quite common and of course certbot designed to do it for you. The manual: https://certbot.eff.org/docs/using.html#renewing-certificates. Thats it. Problem solved.
2017-09-09 0:18 GMT+05:00 @lbutlr kremels@kreme.com:
On 08 Sep 2017, at 12:21, Ralph Seichter m16+dovecot@monksofcool.net wrote:
On 08.09.2017 19:51, @lbutlr wrote:
How I would do it is IF the certificate is expired, the dovecot should check if there is a new cert and if so, load it.
New cert as in file modification date or checksum changed?
Either one, but checksum is going to be more reliable.
Might work. Still, from what I seem to remember, Dovecot loads certificate data before dropping privileges, which is why reloading the data might be problematic without some changes.
Can't dovecot reload itself? That could be a problem if not.
Not worth spending development effort on, IMO, given that Dovecot can easily be restarted by the external processes that update the cert (like Certbot hook, Ansible, etc.).
All I'm saying is that it's a failure event that doesn't need to occur.
-- Apple broke AppleScripting signatures in Mail.app, so no random signatures.