On Mon, 24 Jul 2023, Wietse Venema via Postfix-users wrote:

Bernardo Reino via Postfix-users:
On Sun, 23 Jul 2023, Viktor Dukhovni via Postfix-users wrote:

On 23 Jul 2023, at 4:21 pm, Charles Sprickman via Postfix-users 
<postfix-users@postfix.org> wrote:

In the case of the dehydrated ACME client
(https://github.com/dehydrated-io/dehydrated) there's an option to run
a bunch of commands on successful update, including something like
"postfix reload" - one could also insert an email or other command to
note the update. I can't imagine other ACME clients don't offer a
similar function...

The "certbot" ACME client offers post-hooks, but they're not "reliable".
If the hook fails or doesn't run, it won't be retried.  A robust
"post-hook" should have "at least once" semantics, its implementation
should be idempotent, and it should be retried until it succeeds.

I cannot imagine why/when the certbot client would fail to run the post-hooks (in
a sane environment).

Systems crash.  What are the reliability guarantees from the certbot
client: will it run once, or will it somehow maintain state and
recover when a run was interrupted by a system crash?

In such cases, and/or just "on top" of the certbot renewal hooks, one could have a cron job doing "postmap" and/or "postfix reload" or whatever, as Viktor wrote. (but again, then your cron job must make sure that certbot is not (con)currently running).

I honestly don't think that it's certbot's [*] job to do that. The hooks are IMHO a "courtesy", which is nice to have, but if you need 100% reliability, you need to implement it using another method.

--
Bernardo
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
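The cron-job approach discussed above (a periodic job that reloads Postfix when the certificate has changed, independent of certbot's hooks, and that must not run while certbot is writing files), as an added example that is not part of the thread and is not code from the certbot or Postfix projects. It assumes a certificate path under /etc/letsencrypt/live/mail.example.com/, a state directory /var/lib/postfix-cert-reload/, and that `certbot renew` is invoked under the same flock lock file (for example `flock /var/lib/postfix-cert-reload/lock certbot renew`); all three are assumptions, not certbot defaults. The job is idempotent and has at-least-once semantics: the fingerprint of the certificate is recorded only after the reload command succeeded, so a crash or a failed reload simply means the next run tries again.

```shell
#!/bin/sh
# Added example: idempotent, at-least-once "reload Postfix when the cert changed" job.
# Not from the thread, certbot or Postfix. Paths and the locking convention are assumptions.
CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/mail.example.com/fullchain.pem}"   # assumed path
STATE_FILE="${STATE_FILE:-/var/lib/postfix-cert-reload/last-reloaded.sha256}"    # assumed path
LOCK_FILE="${LOCK_FILE:-/var/lib/postfix-cert-reload/lock}"                       # assumed path
# Could also be "postmap /etc/postfix/sni && postfix reload" for SNI maps.
RELOAD_CMD="${RELOAD_CMD:-postfix reload}"

# SHA-256 of the deployed chain file; mtime is not used because certbot may
# rewrite an identical file, and a restore from backup may carry an old mtime.
cert_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Reload only if the cert differs from the one we last *successfully* reloaded with.
# Returns 0 when nothing was needed or the reload succeeded, 1 when the reload
# failed (state is left untouched, so the next run retries), 2 on an unreadable cert.
reload_if_changed() {
    cert="$1"; state="$2"; reload_cmd="$3"
    [ -r "$cert" ] || { echo "certificate $cert not readable" >&2; return 2; }
    current=$(cert_fingerprint "$cert")
    last=""
    [ -f "$state" ] && last=$(cat "$state")
    if [ "$current" = "$last" ]; then
        return 0            # already reloaded with this cert; silent so cron sends no mail
    fi
    if sh -c "$reload_cmd"; then
        # Write-then-rename: a crash here never leaves a half-written state file,
        # and an interrupted run (crash before this point) is retried next time.
        printf '%s\n' "$current" > "$state.tmp" && mv "$state.tmp" "$state"
        echo "reloaded with certificate $current"
        return 0
    fi
    echo "reload command failed; will retry on next run" >&2
    return 1
}

# Serialise with other copies of this job and, if certbot renew is wrapped in
# flock on the same file (assumption), with certbot itself, so we never
# fingerprint a certificate that is still being written.
main() {
    mkdir -p "$(dirname "$STATE_FILE")" "$(dirname "$LOCK_FILE")"
    exec 9>"$LOCK_FILE"
    if ! flock -w 60 9; then
        echo "could not acquire $LOCK_FILE within 60s (certbot running?)" >&2
        exit 1
    fi
    reload_if_changed "$CERT_FILE" "$STATE_FILE" "$RELOAD_CMD"
}

# Invoke as "postfix-cert-reload run" from cron, e.g. "*/5 * * * * root /usr/local/sbin/postfix-cert-reload run".
if [ "${1:-}" = "run" ]; then
    main
fi
```

Because the job only compares a fingerprint and reloads, running it every few minutes is harmless; the certbot post-hook can stay in place as a fast path, and this job is the retry that makes the reload happen at least once even if the hook was skipped or the machine crashed in between.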
