I'm setting up certbot/letsencrypt to provide a certificate for dovecot and sendmail. Is it necessary to restart dovecot to load the new certificate, as shown in most examples I find in blogs? That seems rude to established connections. When does dovecot read the cert and key files? Once at startup or each time a connection requests SSL? Is there a preferred locking protocol when changing the two files to keep dovecot from reading one while the other is being replaced and getting a mismatched pair?
On December 26, 2017 at 11:42 PM Kenneth Porter shiva@sewingwitch.com wrote:
> I'm setting up certbot/letsencrypt to provide a certificate for dovecot and sendmail. Is it necessary to restart dovecot to load the new certificate, as shown in most examples I find in blogs? That seems rude to established connections. When does dovecot read the cert and key files? Once at startup or each time a connection requests SSL? Is there a preferred locking protocol when changing the two files to keep dovecot from reading one while the other is being replaced and getting a mismatched pair?
doveadm reload should be enough.
Aki
I'm using acme.sh to get my Let's Encrypt certificates. The install command is:
acme.sh --installcert -d imap.example.com \
    --keypath /etc/pki/dovecot/private/imap.example.com.pem \
    --certpath /etc/pki/dovecot/certs/imap.example.com.crt \
    --fullchainpath /etc/pki/dovecot/certs/imap.example.com.full.chain.crt \
    --reloadcmd "systemctl reload dovecot.service"
Notice the --reloadcmd.
Bill
On 12/26/2017 6:16 PM, Aki Tuomi wrote:
> On December 26, 2017 at 11:42 PM Kenneth Porter shiva@sewingwitch.com wrote:
>> I'm setting up certbot/letsencrypt to provide a certificate for dovecot and sendmail. Is it necessary to restart dovecot to load the new certificate, as shown in most examples I find in blogs? That seems rude to established connections. When does dovecot read the cert and key files? Once at startup or each time a connection requests SSL? Is there a preferred locking protocol when changing the two files to keep dovecot from reading one while the other is being replaced and getting a mismatched pair?
> doveadm reload should be enough.
> Aki
--On Wednesday, December 27, 2017 9:24 AM -0500 Bill Shirley bill@KnoxvilleChristian.org wrote:
> --reloadcmd "systemctl reload dovecot.service"
> Notice the --reloadcmd.
Thanks. Some digging indicates that this is equivalent to doveadm reload. Both paths ultimately send a SIGHUP to the server which initiates a full reload of the configuration.
I'll be combining this with a restart of sendmail. Alas, I don't see a way to get it to reload its configuration.
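The thread answers the "when does dovecot read the files" part (on startup and on reload, via SIGHUP) but not the "mismatched pair" part. The script below is an added example, not code from the thread or from the dovecot or acme.sh projects: a deploy hook that refuses to install a key and certificate whose public keys differ, replaces each file with an atomic rename so a reader never sees a half-written file, and only then issues the reload the thread recommends. The destination paths are taken from Bill's acme.sh command; the hook name `certhook.sh`, the function names and the `DOVECOT_KEY`/`DOVECOT_CERT` variables are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): deploy hook that installs a new
# key/certificate pair for dovecot atomically and then reloads dovecot.
# Paths default to those in Bill's acme.sh command; names are hypothetical.
set -eu

DOVECOT_KEY=${DOVECOT_KEY:-/etc/pki/dovecot/private/imap.example.com.pem}
DOVECOT_CERT=${DOVECOT_CERT:-/etc/pki/dovecot/certs/imap.example.com.full.chain.crt}

# Return 0 only if the private key ($1) and certificate ($2) carry the same
# public key; this is the check that catches a mismatched pair before install.
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Replace $2 with the contents of $1 atomically: write a temp file in the same
# directory (so rename(2) stays on one filesystem), set mode $3, then rename.
atomic_install() {
    src=$1; dst=$2; mode=$3
    dir=$(dirname "$dst")
    tmp=$(mktemp "$dir/.new.XXXXXX")
    cp "$src" "$tmp"
    chmod "$mode" "$tmp"
    mv -f "$tmp" "$dst"
}

# Install both files. Each rename is atomic, and dovecot re-reads the files
# only on reload, so the reload (not the copy) is the commit point for the pair.
install_pair() {
    new_key=$1; new_cert=$2; key_dst=$3; cert_dst=$4
    pair_matches "$new_key" "$new_cert" || {
        echo "refusing to install: key and certificate do not match" >&2
        return 1
    }
    atomic_install "$new_key" "$key_dst" 0600
    atomic_install "$new_cert" "$cert_dst" 0644
}

# Either command from the thread makes dovecot reload its configuration.
reload_dovecot() {
    if command -v doveadm >/dev/null 2>&1; then
        doveadm reload
    else
        systemctl reload dovecot.service
    fi
}

# Usage: certhook.sh deploy NEW_KEY NEW_FULLCHAIN
case "${1:-}" in
    deploy)
        install_pair "$2" "$3" "$DOVECOT_KEY" "$DOVECOT_CERT"
        reload_dovecot
        ;;
esac
```

To use it with acme.sh, point `--keypath` and `--fullchainpath` at a staging directory and pass `--reloadcmd "certhook.sh deploy /staging/key.pem /staging/fullchain.pem"`; with certbot, a `--deploy-hook` can call it with `$RENEWED_LINEAGE/privkey.pem` and `$RENEWED_LINEAGE/fullchain.pem`. The key file is written with mode 0600 before the rename, so it is never world-readable even for an instant.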