On 13/09/2017 05:31, Joseph Tam wrote:

On Tue, 12 Sep 2017, dovecot-request wrote:

...

What's wrong with using a certbot "post-hook" script such as:

#!/bin/bash echo "Letsencrypt renewal hook running..." echo "RENEWED_DOMAINS=$RENEWED_DOMAINS" echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"

if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then ??? /usr/local/sbin/dovecot reload ?? /usr/sbin/postfix reload fi

Nothing, if you let your certbot run as root.  (I'm assuming that's how these hooks work -- it's called after cert renewal using the same credentials as the certbot.)

If you use privilege separation, and run the certbot as a regular user process, this won't work.  You might have this scenario if, for example using the context of web serving, you serve many virtual sites with different owners, and you don't want give each owner administrative access.

There are options when running certbot as non-privileged user, such as sudo, inotifywait -s -e modify /path/to/bundle.pem && doveadm reload and so on.

-- Adi Pircalabu