Am I right to assume certificate renewal with the same filename requires a dovecot reload/restart

Guido Goluke, MajorLabel info at majorlabel.nl
Thu Mar 14 11:11:36 EET 2019


On Thu, Mar 14, 2019, at 11:33 AM, Yassine Chaouche via dovecot wrote:
>> On 3/14/19 9:32 AM, Yassine Chaouche via dovecot wrote:
>>> The general answer here is try and see, as you could totally test it
>>> on your own. The certificate is read at startup and put in memory for
>>> the rest of the execution time. Dovecot won't monitor the file for
>>> changes on disk, as this would waste CPU cycles and make dovecot only
>>> slower for no reason. The process (or person) that changes the file is
>>> responsible to restart dovecot to reload the new certificate in memory.
>>>
>>> Yassine.
>> I should mention that this is also true for Apache and postfix.
>>
>> Yassine.
> Certbot has a feature to run scripts when renewing / deploying certificates.
>
> https://certbot.eff.org/docs/using.html#renewing-certificates
>
> Certbot also looks for these scripts under
>
> /etc/letsencrypt/renewal-hooks/pre  post  deploy
>
> FWIW here is my script restart.sh located in /etc/letsencrypt/renewal-hooks/deploy
>
> -------------
> #!/bin/sh
>
> systemctl restart nginx postfix dovecot
>
> # printf instead of echo: /bin/sh implementations differ on whether echo expands \n
> printf 'Certbot renewal\n\n%s\n\n%s\n' "$RENEWED_LINEAGE" "$RENEWED_DOMAINS" | mail -s "Certbot renewal" foo@bar.com
> -------------
>
> -- K

Hi, trying to learn the mailing list conventions as Yassine pointed out 
to me it is customary to reply to the list.

I am guessing the certbot version I use reloads apache config on renewal 
since I've never had this problem on port 80. Thanks for the 
renewal-hooks, I had found out that's where they live but wasn't sure if 
the $RENEWED_DOMAINS were available but from your answer I guess they are.

As Patrick pointed out to me a reload is better since a config error 
won't stop the services. Thank you all for your kind answers. I've had a 
topic running on 
https://serverfault.com/questions/958093/dovecot-issued-expired-certificate/958104#958104 
which I am going to update with my findings based on your help so that 
other people might benefit.

Regards,

MajorLabel
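
A deploy hook along the lines discussed in this thread, as an added example that is not code from any of the posters: it reloads rather than restarts, tests each service's configuration first, and then compares the certificate served on the IMAPS port with the renewed file. The config-test commands, the DRY_RUN switch, port 993 and the use of the first name in $RENEWED_DOMAINS as the mail host are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Save under
# /etc/letsencrypt/renewal-hooks/deploy/ and make it executable.

# run CMD...: execute CMD quietly, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@" >/dev/null; fi
}

# check_cmd SERVICE: print the config test for SERVICE (assumed commands).
check_cmd() {
    case "$1" in
        nginx)   echo "nginx -t" ;;
        postfix) echo "postfix check" ;;
        dovecot) echo "doveconf -n" ;;
        *)       return 1 ;;
    esac
}

# reload_service SERVICE: reload only when the config test passes, so a
# broken config leaves the running daemon (and its old cert) in place.
reload_service() {
    cmd=$(check_cmd "$1") || { echo "unknown service: $1" >&2; return 2; }
    # $cmd is unquoted on purpose: it splits into command and arguments.
    run $cmd || { echo "$1: config test failed, not reloaded" >&2; return 1; }
    run systemctl reload "$1"
}

# Fingerprint of a certificate file / of the certificate a TLS port serves.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}
served_fingerprint() {  # HOST PORT
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# certbot sets RENEWED_LINEAGE for deploy hooks; do nothing without it.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    rc=0
    for svc in nginx postfix dovecot; do reload_service "$svc" || rc=1; done
    # Assumption: IMAPS on port 993 of this host serves the renewed cert.
    host=${RENEWED_DOMAINS%% *}
    if [ "$(file_fingerprint "$RENEWED_LINEAGE/cert.pem")" != \
         "$(served_fingerprint "$host" 993)" ]; then
        echo "dovecot still serves the old certificate for $host" >&2; rc=1
    fi
    exit "$rc"
fi
```

Running it by hand with DRY_RUN=1 and RENEWED_LINEAGE set prints the commands it would execute without touching the services.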
