Re: Dovecot and Letsencrypt certs
<master@remort.net> writes:
"writing a script to check the certs" - there is no need to write any scripts. As one mentioned, it's done by a hook to certbot. Please read the manuals for LE or certbot. The issue you have is quite common and of course certbot is designed to do it for you.
Won't work, of course, if you employ the least-privilege security principle and run the certbot as a non-privileged user. You'll need a script with administrator privileges to detect cert renewals and restart the service.
I can't willy-nilly restart dovecot to pick up renewed certs without webmail disruptions. (My webmail uses persistent IMAP sessions.) All users get dumped and need to re-authenticate. If a user happens to be drafting a message that took 2 hours to compose, I will surely hear about it. I should probably install an IMAP proxy to isolate the effects of restarts. Most mail readers cope with restarts just fine, though.
Joseph Tam <jtam.home@gmail.com>
What's wrong with using a certbot "post-hook" script such as:
#!/bin/bash
# Variables certbot exports to the hook: the domains just renewed and the lineage directory.
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"

# Only reload the mail services when the mail cert was among those renewed.
if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
    /usr/local/sbin/dovecot reload
    /usr/sbin/postfix reload
fi
Daniel
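When certbot itself runs as an unprivileged user (the least-privilege setup raised above), no certbot hook can reload the daemons, so the reload has to come from a separate privileged job. The script below is an added example, not code from this thread: run from root's cron or a systemd timer, it fingerprints the lineage's fullchain.pem, reloads dovecot and postfix only when the file actually changed (a reload rather than a restart, so existing IMAP sessions are not dropped), and then records the new fingerprint. The certificate path and state file location are assumptions.

```shell
#!/bin/sh
# Added example: privileged renewal detector for an unprivileged certbot.
# Run as root from cron or a systemd timer; safe to run often, it is a
# no-op unless the certificate on disk differs from the recorded one.
set -u

# Assumed paths; adjust to your lineage and a root-owned state directory.
CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/your.email.domain/fullchain.pem}"
STATE_FILE="${STATE_FILE:-/var/lib/cert-watch/fullchain.sha256}"

cert_fingerprint() {
  # Hash the PEM bytes; any renewed chain changes this value.
  sha256sum "$1" | cut -d' ' -f1
}

cert_changed() {
  # Exit 0 when the cert differs from the recorded fingerprint (or none is
  # recorded yet), 1 when unchanged or unreadable. Does not update the record.
  cert="$1"; state="$2"
  [ -r "$cert" ] || return 1
  now=$(cert_fingerprint "$cert")
  prev=$(cat "$state" 2>/dev/null || true)
  [ "$now" != "$prev" ]
}

record_fingerprint() {
  # Persist the fingerprint so the next run sees the cert as unchanged.
  mkdir -p "$(dirname "$2")"
  cert_fingerprint "$1" > "$2"
}

reload_services() {
  # Reload, not restart: running imap processes keep their client sessions.
  /usr/local/sbin/dovecot reload
  /usr/sbin/postfix reload
}

main() {
  if cert_changed "$CERT_FILE" "$STATE_FILE"; then
    echo "certificate changed, reloading dovecot and postfix"
    reload_services && record_fingerprint "$CERT_FILE" "$STATE_FILE"
  fi
}

main
```

The fingerprint is only recorded after a successful reload, so a failed reload is retried on the next run instead of being silently forgotten.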
On 9/11/2017 1:57 PM, Joseph Tam wrote:
participants (2)
- Daniel Miller
- Joseph Tam