Dovecot and Letsencrypt certs
Adi Pircalabu
adi at ddns.com.au
Wed Sep 13 02:20:01 EEST 2017
On 13/09/2017 05:31, Joseph Tam wrote:
> On Tue, 12 Sep 2017, dovecot-request wrote:
>
>> What's wrong with using a certbot "post-hook" script such as:
>>
>> #!/bin/bash
>> echo "Letsencrypt renewal hook running..."
>> echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
>> echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
>>
>> if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
>>     /usr/local/sbin/dovecot reload
>>     /usr/sbin/postfix reload
>> fi
>
> Nothing, if you let your certbot run as root. (I'm assuming that's
> how these hooks work -- it's called after cert renewal using the same
> credentials as the certbot.)
>
> If you use privilege separation, and run the certbot as a regular user
> process, this won't work. You might have this scenario if, for example
> using the context of web serving, you serve many virtual sites with
> different owners, and you don't want give each owner administrative
> access.
There are options when running certbot as a non-privileged user, such as
sudo, inotifywait -s -e modify /path/to/bundle.pem && doveadm reload and
so on.
--
Adi Pircalabu
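A version of the post-hook quoted above that covers both points raised in the thread, written as an added example rather than code from any poster: it matches RENEWED_DOMAINS on whole names (the plain grep in the original also matches "notyour.email.domain" or "your.email.domain.evil"), and it falls back to sudo when certbot is not running as root. The domain, binary paths and sudo policy are assumptions, not from the thread.

```shell
#!/bin/bash
# Added example: certbot post-hook that reloads Dovecot and Postfix only when
# the certificate carrying the mail hostname was actually renewed.
# Assumptions: MAIL_DOMAIN is the name on the mail cert (constructed placeholder),
# and for a non-root certbot a sudoers rule permits the two reload commands.

MAIL_DOMAIN="${MAIL_DOMAIN:-mail.example.com}"   # constructed placeholder

# certbot exports RENEWED_DOMAINS as a space-separated list of the names on the
# renewed certificate. Compare whole names, never substrings.
domain_renewed() {
    local wanted="$1" renewed="$2" d
    for d in $renewed; do
        [ "$d" = "$wanted" ] && return 0
    done
    return 1
}

# Reload via sudo when not root, so a privilege-separated certbot still works.
# "sudo -n" never prompts; it fails loudly if the sudoers rule is missing.
reload_mail_services() {
    local sudo=""
    [ "$(id -u)" -ne 0 ] && sudo="sudo -n"
    $sudo doveadm reload && $sudo postfix reload
}

main() {
    echo "Letsencrypt renewal hook running..."
    echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
    echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
    if domain_renewed "$MAIL_DOMAIN" "$RENEWED_DOMAINS"; then
        reload_mail_services
    else
        echo "no mail certificate renewed; nothing to reload"
    fi
}

# certbot always sets RENEWED_DOMAINS when it calls a post-hook; when the
# script is run by hand without it, only the functions are defined.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    main
fi
```

For the non-root case, a sudoers entry of the form "certbot ALL=(root) NOPASSWD: /usr/bin/doveadm reload, /usr/sbin/postfix reload" (user name and paths assumed, adjust to your install) limits the certbot account to exactly those two commands.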