Dovecot and Letsencrypt certs

Bill Shirley bill at KnoxvilleChristian.org
Sat Sep 9 22:16:36 EEST 2017


If you're using acme.sh:
acme.sh --installcert -d imap.example.com \
   --keypath /etc/pki/dovecot/private/imap.example.com.pem \
   --certpath /etc/pki/dovecot/certs/imap.example.com.crt \
   --fullchainpath /etc/pki/dovecot/certs/imap.example.com.full.chain.crt \
   --reloadcmd "systemctl reload dovecot.service"

HTH,
Bill

On 9/8/2017 9:56 AM, Darac Marjal wrote:
> On Fri, Sep 08, 2017 at 06:47:25AM -0600, @lbutlr wrote:
>> So this morning at 4am I was awoken to my mail clients getting certificate errors for an expired certificate.
>>
>> I hopped on to the server and checked and… no, the LE certs renewed last month and are valid until November.
>>
>> After some moments of confusion I noticed that dovecot had been running since before the renewal, so I did a quick service 
>> dovecot restart which fixed everything.
>>
>> Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the 
>> newest LE certs (which are themselves links the dehydrated script creates to point to the newest cert-1502534746.csr etc. files)?
>
> As you're using dehydrated, I can share what I do. My hook script basically calls "run-parts /etc/dehydrated/hooks.d/" so I 
> can just drop hook scripts into that directory. Then in the hooks.d directory, I have the following:
>
>     #!/bin/bash
>
>     set -e
>     set -u
>     set -o pipefail
>
>     if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
>             echo " + Hook: Restarting Dovecot..."
>             /usr/sbin/service dovecot restart
>     fi
>
> That means that dovecot will be restarted only if the certificate for the mail server is being deployed. If dehydrated runs, 
> but fails to renew the certificate, then dovecot won't be restarted. Similarly, if it renews a different certificate, dovecot 
> won't be restarted.
>
> Hope that helps.
>
>
>>
>> Should I just create a monthly cron to restart dovecot or is there something else?
>>
>> -- 
>> Apple broke AppleScripting signatures in Mail.app, so no random signatures.
>
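As an added example (not Darac's hook, nor dehydrated's or acme.sh's own code), here is the same deploy_cert gate written so that, after reloading, it also checks that Dovecot really presents the freshly deployed certificate, which is exactly the stale-certificate state @lbutlr ran into. It assumes dehydrated's hook argument order for deploy_cert (hook name, domain, key file, cert file, fullchain file, chain file, timestamp), constructed domain names, IMAPS on port 993, and that a reload (as in the acme.sh --reloadcmd above) is enough for Dovecot to pick up the new files.

```shell
#!/bin/sh
# Added example: a dehydrated hook, e.g. /etc/dehydrated/hooks.d/50-dovecot (hypothetical path).
# dehydrated calls the deploy_cert hook as:
#   deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
set -eu

MAIL_DOMAINS="imap.example.com mail.example.com"              # constructed sample names
RELOAD_CMD="${RELOAD_CMD:-systemctl reload dovecot.service}"  # assumption: reload suffices
IMAPS_PORT=993                                                # assumption: implicit-TLS IMAP

# Return 0 only for deploy_cert of a listed mail domain, so a failed renewal
# or a certificate for some unrelated host never touches Dovecot.
needs_reload() {
    hook="${1:-}"; domain="${2:-}"
    [ "$hook" = "deploy_cert" ] || return 1
    for d in $MAIL_DOMAINS; do
        [ "$domain" = "$d" ] && return 0
    done
    return 1
}

# Compare the SHA-256 fingerprint of the leaf certificate in FILE with the one
# the live listener presents. This is the check that would have caught
# "file renewed, daemon still serving the old cert" before the clients did.
served_matches_file() {
    host="$1"; port="$2"; file="$3"
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$file" | cut -d= -f2)
    got=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

main() {
    hook="${1:-}"; domain="${2:-}"; fullchain="${5:-}"
    if needs_reload "$hook" "$domain"; then
        echo " + Hook: reloading Dovecot for $domain"
        $RELOAD_CMD
        if served_matches_file "$domain" "$IMAPS_PORT" "$fullchain"; then
            echo " + Hook: $domain now presents the deployed certificate"
        else
            echo " + Hook: WARNING: $domain still presents a different certificate" >&2
            exit 1
        fi
    fi
}
main "$@"
```

Because the hook exits non-zero on a mismatch, the problem surfaces in dehydrated's cron output at renewal time rather than as client errors later.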
