On Tue, 12 Sep 2017, dovecot-request@dovecot.org wrote:
What's wrong with using a certbot "post-hook" script such as:
#!/bin/bash echo "Letsencrypt renewal hook running..." echo "RENEWED_DOMAINS=$RENEWED_DOMAINS" echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then ??? /usr/local/sbin/dovecot reload ?? /usr/sbin/postfix reload fi
Nothing, if you let your certbot run as root. (I'm assuming that's how these hooks work -- it's called after cert renewal using the same credentials as the certbot.)
If you use privilege separation, and run the certbot as a regular user process, this won't work. You might have this scenario if, for example using the context of web serving, you serve many virtual sites with different owners, and you don't want give each owner administrative access.
Joseph Tam jtam.home@gmail.com