On 23/07/2023 22:44, Viktor Dukhovni via Postfix-users wrote:
> On 23 Jul 2023, at 4:21 pm, Charles Sprickman via Postfix-users <postfix-users@postfix.org> wrote:
>
>> In the case of the dehydrated ACME client
>> (https://github.com/dehydrated-io/dehydrated) there's an option to run
>> a bunch of commands on successful update, including something like
>> "postfix reload" - one could also insert an email or other command to
>> note the update. I can't imagine other ACME clients don't offer a
>> similar function...
>
> The "certbot" ACME client offers post-hooks, but they're not "reliable".
> If the hook fails or doesn't run, it won't be retried.  A robust
> "post-hook" should have "at least once" semantics, its implementation
> should be idempotent, and should be retried until it succeeds.

I have had those hooks doing 'postmap' for the SNI map and then I found myself in that situation as originally described here - thus asking the list, for I got quite confused, thinking 'postfix' might be keeping those even closer to the chest than what was obvious. But between the two - having more direct/dynamic pointers to the certs/keys vs. a more secure 'postfix' (as the guys explained), as it is with lookup/cached tables - I'm thinking... that certbot's hooks are what I'll keep using, I only need to invest more there. I also had SELinux label issues - as confessed - so I'm not 100% sure what did not work in this case of mine, but I must keep both eyes on it next time.

thanks, L.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
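
The "at least once", idempotent, retried-until-success hook described in the quoted reply can be built with a marker file and a cron retry. This is an added example, not code from the thread or from Postfix or certbot; the state directory, the SNI map path, the hash: table type, the function names and the mark/retry arguments are all assumptions.

```sh
#!/bin/sh
# Added example: at-least-once delivery of a certificate deploy step.
# Assumed (not from the thread): both paths, the hash: table type,
# the function names and the mark/retry arguments.
STATE_DIR="${STATE_DIR:-/var/lib/cert-deploy}"
SNI_MAP="${SNI_MAP:-/etc/postfix/sni_maps}"

# Idempotent deploy action: rebuilding the SNI table and reloading
# Postfix gives the same end state however many times it runs.
deploy_postfix() {
    postmap -F "hash:$SNI_MAP" && postfix reload
}

# Run from the ACME client's hook. It only records that work is due,
# so there is very little here that can fail.
mark_pending() {
    mkdir -p "$STATE_DIR" && : > "$STATE_DIR/pending"
}

# Run from the hook and again from cron, e.g. every few minutes.
# Usage: run_pending COMMAND [ARGS...]
run_pending() {
    # Claim the marker first: a renewal that lands while the deploy is
    # running creates a fresh marker and is handled by the next run.
    if [ -e "$STATE_DIR/pending" ]; then
        mv -f "$STATE_DIR/pending" "$STATE_DIR/in-progress" || return 1
    fi
    # A leftover in-progress file means an earlier attempt failed or
    # was interrupted, so the work is still owed.
    [ -e "$STATE_DIR/in-progress" ] || return 0
    "$@" || return 1    # keep the file so the next run retries
    rm -f "$STATE_DIR/in-progress"
}

case "${1:-}" in
    mark)  mark_pending && run_pending deploy_postfix ;;
    retry) run_pending deploy_postfix ;;
esac
```

Call the script with `mark` from the ACME client's hook and with `retry` from cron; a non-zero exit from `retry` is the signal to alert on, since it means the new certificate is still not deployed.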
