Am I right to assume certificate renewal with the same filename requires a dovecot reload/restart

Patrick Cernko pcernko at mpi-klsb.mpg.de
Thu Mar 14 13:13:56 EET 2019


Hi Yassine, hi Kostya,

On 14.03.19 10:17, Kostya Vasilyev via dovecot wrote:
> On Thu, Mar 14, 2019, at 12:09 PM, Yassine Chaouche via dovecot wrote:
>> On 3/14/19 9:55 AM, Patrick Cernko via dovecot wrote:
>>
>>> [...] the way we have configured exim, it neither needs reload nor
>>> restart but reads the certificate file every time it has to use it.
>>
>> What happens if you goof off in the middle of an operation, temporarily
>> putting a wrong file instead of the new certificate, and exim starts
>> delivering the new broken certificate right away ? or breaks ? or
>> clients can't connect anymore with TLS ? or don't connect at all if you
>> don't allow non-TLS connections ?
>>

First: It happens the same if I replace the file with a wrong cert AND
reload another service daemon and then get interrupted.
Second: I use ansible to push configurations and usually first push
changes to a test system or only one machine.
Third: Server administration always has the risk of human error

;-)

> 
> Getting caught in the middle of a cert file or key file update should not happen -- a process that already opened a file will continue to be reading from that file, even if it gets renamed.
> 
> But what if exim (or some other process) happens to read the "old" certificate file - and then the "new" private key file (or vice versa)?
> 
> A race condition like this seems unlikely but technically possible.
> 

We store cert and key together in one PEM file, thus we will always 
exchange both cert and key in one "atomic" operation.

Best,
-- 
Patrick Cernko <pcernko at mpi-klsb.mpg.de> +49 681 9325 5815
Joint Administration: Information Services and Technology
Max-Planck-Institute fuer Informatik & Softwaresysteme
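The combined-PEM approach Patrick describes, written out as an added example (this is not code from the thread, nor from exim or dovecot): the new certificate and key are first checked against each other, then written to a temporary file in the destination directory and moved into place with a single rename, so a daemon that opens the file on every TLS handshake sees either the whole old file or the whole new one and never an old certificate with a new key. The function names, the `.pem.XXXXXX` temp-file pattern and the `mail.example.test` demo subject are assumptions for illustration; the only tool assumed is the `openssl` command line.

```shell
#!/bin/sh
# Added example (not code from the thread, exim or dovecot): install a
# combined cert+key PEM so that any reader sees either the complete old
# file or the complete new one, never a mixture.  Function names and the
# temp-file pattern are hypothetical.

# Succeed if the certificate in $1 and the private key in $2 carry the same
# public key.  Both arguments may name the same combined file: openssl
# reads the first matching PEM block and ignores the rest.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Write certificate $1 followed by key $2 to $3 atomically.  The temporary
# file is created in the destination directory so that mv(1) is a plain
# rename(2) within one filesystem, and it is mode 0600 before it ever
# appears under the final name.  A cert/key pair that does not match is
# refused and the currently installed file is left untouched.
install_combined_pem() {
    cert=$1 key=$2 dest=$3
    if ! cert_matches_key "$cert" "$key"; then
        echo "refusing to install $dest: certificate and key do not match" >&2
        return 1
    fi
    destdir=$(dirname "$dest")
    tmp=$(mktemp "$destdir/.pem.XXXXXX") || return 1
    if ! { chmod 0600 "$tmp" && cat "$cert" "$key" > "$tmp"; }; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$dest"
}

# Post-install check for a deployment job: the installed combined file
# must itself parse as a certificate and a key that belong together.
verify_combined_pem() {
    cert_matches_key "$1" "$1"
}

# Stand-alone demo with a throwaway self-signed pair (constructed input).
demo() {
    work=$(mktemp -d)
    openssl req -x509 -nodes -newkey rsa:2048 -subj /CN=mail.example.test \
        -days 1 -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
    install_combined_pem "$work/cert.pem" "$work/key.pem" "$work/mail.pem" &&
        verify_combined_pem "$work/mail.pem" &&
        echo "installed $work/mail.pem"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The rename only helps a daemon that re-reads the file, as Patrick's exim does; a daemon that loads the certificate once at startup still needs its usual reload after the rename, which is the point of the thread's subject. Creating the temporary file next to the destination matters: a temp file on another filesystem would make `mv` fall back to copy-then-unlink, and a reader could then see a partially written file.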
