On Sun, 9 Jan 2022 at 11:47, Demi Marie Obenour <demioben...@gmail.com>
wrote:

> On 1/9/22 05:33, Rodolphe Bréard wrote:
> > You have to restart it.
> >
> > In fact, I don't know any server that watches those files in order to
> > reload them. As far as I know, most servers start as root, load the
> > private key and the certificate into memory, then switch to an
> > unprivileged user which cannot read those files. Such a workflow doesn't
> > allow the feature you are asking for unless your certificate and key
> > file are widely accessible, which is so obviously insecure that some
> > servers (OpenSMTPD is one of them) will refuse to start.
>
> OpenSMTPD could actually implement this feature, since the parent process
> runs as root and can access the secret key.  It could then send the key
> to the correct child process via an imsg.  An alternative would be for
> smtpctl to support sending the secret key and certificate via the control
> socket.
> --
> Sincerely,
> Demi Marie Obenour (she/her/hers)


In most setups, the private key doesn't change when a certificate is
renewed. You only get a new certificate for the same private key. And since
the certificate is not sensitive, there is normally no problem with that
being world readable.

So while reloading the private key has some security issues to consider,
reloading the certificate is quite easy and is sufficient for most if not
all real-world renewals.

Kind regards,
Maarten de Vries
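The certificate-only reload described in the two messages above, as an added example that is not part of this thread and not OpenSMTPD's code: the private key is loaded once (where the privileged parent would do it) and never re-read, a renewed certificate is installed at runtime, and the reload refuses any certificate whose public key does not match the key already held, so a stray or tampered file on a world-readable path cannot replace the served chain. The names `certHolder`, `Reload` and `selfSignedPEM` are this example's own; the self-signed issuance stands in for whatever the CA or ACME client hands back on renewal.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// certHolder keeps the private key in memory (loaded once, as a privileged
// parent would) and lets the leaf certificate be swapped while serving.
type certHolder struct {
	key  *ecdsa.PrivateKey
	mu   sync.RWMutex
	cert *tls.Certificate
}

// newHolder pairs the long-lived key with the initial certificate PEM.
func newHolder(key *ecdsa.PrivateKey, certPEM []byte) (*certHolder, error) {
	h := &certHolder{key: key}
	if err := h.Reload(certPEM); err != nil {
		return nil, err
	}
	return h, nil
}

// Reload installs a renewed certificate without touching the key. A
// certificate for some other key is rejected and the current one stays.
func (h *certHolder) Reload(certPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE block in PEM input")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&h.key.PublicKey) {
		return errors.New("certificate public key does not match loaded private key")
	}
	h.mu.Lock()
	h.cert = &tls.Certificate{Certificate: [][]byte{block.Bytes}, PrivateKey: h.key, Leaf: leaf}
	h.mu.Unlock()
	return nil
}

// Current returns the certificate a client would be shown right now.
func (h *certHolder) Current() *x509.Certificate {
	h.mu.RLock()
	defer h.mu.RUnlock()
	return h.cert.Leaf
}

// TLSConfig resolves the certificate per handshake, so a Reload takes
// effect for the next connection without restarting the listener.
func (h *certHolder) TLSConfig() *tls.Config {
	return &tls.Config{
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			h.mu.RLock()
			defer h.mu.RUnlock()
			return h.cert, nil
		},
	}
}

// selfSignedPEM issues a certificate for key (constructed stand-in for a
// CA-issued renewal; serial and expiry distinguish the renewals).
func selfSignedPEM(key *ecdsa.PrivateKey, serial int64, notAfter time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "mail.example.test"},
		DNSNames:     []string{"mail.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // loaded once, kept in memory
	first, _ := selfSignedPEM(key, 1, time.Now().Add(24*time.Hour))
	h, err := newHolder(key, first)
	if err != nil {
		panic(err)
	}
	fmt.Println("serving serial", h.Current().SerialNumber)
	// Renewal: new certificate, same key, no restart and no re-read of the key file.
	renewed, _ := selfSignedPEM(key, 2, time.Now().Add(90*24*time.Hour))
	if err := h.Reload(renewed); err != nil {
		panic(err)
	}
	fmt.Println("serving serial", h.Current().SerialNumber)
	// A certificate for a different key is refused; the renewed one stays in place.
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	wrong, _ := selfSignedPEM(other, 3, time.Now().Add(24*time.Hour))
	fmt.Println("mismatch rejected:", h.Reload(wrong) != nil, "still serial", h.Current().SerialNumber)
}
```

The public-key comparison is the check that makes a world-readable certificate path safe to re-read: whatever lands in that file, only a certificate for the key already in memory can be served, and a bad reload leaves the previous certificate untouched rather than failing the listener.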
