Re: Am I right to assume certificate renewal with the same filename requires a dovecot reload/restart

Kostya Vasilyev kman at fastmail.com
Thu Mar 14 11:04:00 EET 2019


On Thu, Mar 14, 2019, at 11:33 AM, Yassine Chaouche via dovecot wrote:
> On 3/14/19 9:32 AM, Yassine Chaouche via dovecot wrote:
> > The general answer here is try and see, as you could totally test it 
> > on your own. The certificate is read at startup and put in memory for 
> > the rest of the execution time. Dovecot won't monitor the file for 
> > changes on disk, as this would waste CPU cycles and make dovecot only 
> > slower for no reason. The process (or person) that changes the file is 
> > responsible to restart dovecot to reload the new certificate in memory.
> >
> > Yassine.
> 
> I should mention that this is also true for Apache and postfix.
> 
> Yassine.

Certbot has a feature to run scripts when renewing / deploying certificates.

https://certbot.eff.org/docs/using.html#renewing-certificates

Certbot also looks for these scripts under

/etc/letsencrypt/renewal-hooks/pre  post  deploy

FWIW here is my script restart.sh located in /etc/letsencrypt/renewal-hooks/deploy

-------------
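#!/bin/sh

# Restart every service that read the old certificate into memory at startup.
systemctl restart nginx postfix dovecot

# printf expands \n portably; echo only does so in some /bin/sh implementations.
printf 'Certbot renewal\n\n%s\n\n%s\n' "$RENEWED_LINEAGE" "$RENEWED_DOMAINS" | mail -s "Certbot renewal" foo@bar.com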
-------------

-- K
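
A check that could follow the restart in a deploy hook like the one above (an added example, not part of the original post): it compares the SHA-256 fingerprint of the renewed certificate on disk with the one each service actually serves, so a daemon still holding the old certificate in memory is reported. The listener addresses, ports and function names are assumptions.

```shell
#!/bin/sh
# Added example: report services still serving the pre-renewal certificate.

# SHA-256 fingerprint of a PEM certificate file.
fp_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate served at host:port ($1),
# using SNI name $2 and, optionally, STARTTLS protocol $3 (e.g. smtp).
fp_served() {
    openssl s_client -connect "$1" -servername "$2" ${3:+-starttls "$3"} \
        </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# 0 = served cert matches disk, 1 = stale cert still in memory,
# 2 = one of the fingerprints could not be read.
classify() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    [ "$1" = "$2" ] && return 0
    return 1
}

# check_endpoint NAME HOST:PORT SNI [STARTTLS]; reads $disk_fp.
check_endpoint() {
    rc=0
    classify "$disk_fp" "$(fp_served "$2" "$3" "${4:-}")" || rc=$?
    case $rc in
        0) echo "$1: serving the renewed certificate" ;;
        1) echo "$1: STALE, still serving the old certificate" ;;
        *) echo "$1: could not read a certificate from $2" ;;
    esac
    return "$rc"
}

# certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS for deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    disk_fp=$(fp_file "$RENEWED_LINEAGE/cert.pem")
    sni=${RENEWED_DOMAINS%% *}           # first renewed name, used for SNI
    status=0
    # Assumed listeners on the local host; adjust to your setup.
    check_endpoint dovecot 127.0.0.1:993 "$sni"      || status=1
    check_endpoint postfix 127.0.0.1:25  "$sni" smtp || status=1
    check_endpoint nginx   127.0.0.1:443 "$sni"      || status=1
    exit "$status"
fi
```

Run it after the `systemctl restart` line, since a check made before the restart would report every service as stale.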

