What's wrong with using a certbot "post-hook" script such as:

#!/bin/bash
# Log which certificate(s) this hook invocation is about.
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"

# Only reload the mail daemons when the mail certificate was among the renewals.
if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
    /usr/local/sbin/dovecot reload
    /usr/sbin/postfix reload
fi

Daniel

On 9/11/2017 1:57 PM, Joseph Tam wrote:
<mas...@remort.net> writes:

"writing a script to check the certs" - there is no need to write any
scripts. As one mentioned, it's done by a hook to certbot. Please read
the manuals for LE or certbot. The issue you have is quite common and
of course certbot is designed to do it for you.

Won't work, of course, if you employ the least-privilege security principle
and run the certbot as a non-privileged user.  You'll need a script with
administrator privileges to detect cert renewals and restart the service.

I can't willy-nilly restart dovecot to pick up renewed certs without
webmail disruptions.  (My webmail uses persistent IMAP sessions.)
All users get dumped and need to re-authenticate.  If a user happens to
be drafting a message that took 2 hours to compose, I will surely hear
about it.  I should probably install an IMAP proxy to isolate the effects
of restarts.  Most mail readers cope with restarts just fine, though.

Joseph Tam <jtam.h...@gmail.com>
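The privileged detector Joseph describes, written out as an added example (not code from either poster): certbot keeps running as an unprivileged user, and this script runs from root's cron, compares the live fullchain.pem with a root-owned baseline copy, and reloads dovecot and postfix only when the file actually changed. The lineage path, state-file location and the domain name mail.example.com are assumed placeholders.

```shell
#!/bin/bash
# Root-side certificate renewal detector (added example, not from the thread).
# certbot itself runs unprivileged; this runs from root's crontab and reloads
# the mail daemons only when the live certificate differs from the last copy.
set -u

# Assumed paths: adjust the lineage directory to your own domain.
CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/mail.example.com/fullchain.pem}"
STATE_FILE="${STATE_FILE:-/var/lib/cert-watch/fullchain.last}"

# Services to reload once a new certificate is seen. Kept in one function so
# the detection logic can be exercised without touching real daemons.
reload_services() {
    /usr/local/sbin/dovecot reload
    /usr/sbin/postfix reload
}

# Returns 0 if CERT_FILE differs from the recorded baseline (or none exists
# yet), 1 if it is unchanged, 2 if the certificate file is not readable.
cert_changed() {
    [ -r "$CERT_FILE" ] || return 2
    [ -f "$STATE_FILE" ] || return 0
    cmp -s "$CERT_FILE" "$STATE_FILE" && return 1
    return 0
}

# One check: reload on change, then record the new cert as the baseline.
# The exit code mirrors cert_changed so cron's mail shows what happened.
check_and_reload() {
    rc=0
    cert_changed || rc=$?
    case $rc in
        0)
            echo "certificate changed: reloading dovecot and postfix"
            reload_services || { echo "reload failed" >&2; return 3; }
            mkdir -p "$(dirname "$STATE_FILE")"   # state dir should be root-only
            cp -p "$CERT_FILE" "$STATE_FILE"
            ;;
        1) echo "certificate unchanged" ;;
        2) echo "certificate not readable: $CERT_FILE" >&2 ;;
    esac
    return $rc
}

# Act only when invoked with "run", e.g. from root's crontab:
#   15 3 * * * /usr/local/sbin/cert-watch.sh run
[ "${1:-}" = "run" ] && check_and_reload
```

Because the daemons are reloaded rather than restarted, existing IMAP sessions survive, which addresses the disruption Joseph mentions.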
