Re: Thousands of SSL certificates stalls new logins during reload - problem with Dovecot config process

2022-09-05 Thread Arkadiusz Miśkiewicz
On 2.09.2022 14:44, Bartosz Kwitniewski wrote:
> Hello, I'm running a dovecot 2.3.19.1 server that has around 6000 SSL certificates in separate config files, each containing:
>
>     local_name "domain" {
>         ssl_cert = ...
>         ssl_key = ...
>     }
>
> When a new certificate is added, dovecot is reloaded

Re: Thousands of SSL certificates stalls new logins during reload - problem with Dovecot config process

2022-09-03 Thread spi
04.09.2022 01:01:16 Bartosz Kwitniewski:
> For now they are on the same machine; we have to write our own panel for clients to get more freedom in backend choices. I was looking into HAProxy for SSL termination, but it does not support STARTTLS.
>
> I'll try to look for a workaround next

Re: Thousands of SSL certificates stalls new logins during reload - problem with Dovecot config process

2022-09-03 Thread Tom Hendrikx
Hi, Isn't the easiest way to solve this to reconfigure the SSL cert update process to reload dovecot only once a day? It isn't that an update to an SSL cert should be imminent: normally you can take your time and plan carefully. This situation seems to me something like using the default
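As an added example of the "reload only once a day" approach suggested above (this is not code from the thread or from Dovecot's own tooling): the certificate updater stops reloading Dovecot itself and instead marks a reload as pending, and a daily cron job performs at most one reload, only after the configuration has been validated. The flag-file path, the two function names and the environment-variable overrides are assumptions made for this example; `doveconf -n` and `doveadm reload` are Dovecot's real commands.

```shell
#!/bin/sh
# Added example: decouple certificate installation from Dovecot reloads.
# Assumed layout (not from the thread): the cert updater calls request_reload
# after writing a new local_name config file; a daily cron job calls maybe_reload.
set -eu

FLAG="${DOVECOT_RELOAD_FLAG:-/run/dovecot-reload.pending}"   # assumed path
CHECK_CMD="${DOVECOT_CHECK_CMD:-doveconf -n}"                 # parses the config, non-zero on error
RELOAD_CMD="${DOVECOT_RELOAD_CMD:-doveadm reload}"

# Called by the certificate updater instead of reloading directly.
# Thousands of calls per day collapse into a single pending flag.
request_reload() {
    : > "$FLAG"
}

# Called once a day (or as often as is acceptable). Reloads only if a
# change is pending and the configuration parses, so one broken per-domain
# file cannot stall logins at reload time; on failure the flag stays set
# so the next run retries after the file has been fixed.
maybe_reload() {
    if [ ! -e "$FLAG" ]; then
        return 0                      # nothing pending, no reload
    fi
    if ! $CHECK_CMD >/dev/null 2>&1; then
        echo "dovecot config check failed, leaving reload pending" >&2
        return 1
    fi
    $RELOAD_CMD
    rm -f "$FLAG"
}
```

Wire `request_reload` into whatever writes the per-domain config files, and put `maybe_reload` in cron at the interval the hosting setup tolerates; the check step is what makes the batching safe, since a single malformed file among thousands would otherwise surface only when the daily reload runs.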

Re: Thousands of SSL certificates stalls new logins during reload - problem with Dovecot config process

2022-09-02 Thread John Stoffel
> "Bartosz" == Bartosz Kwitniewski writes:
> Out of other services on that machine that are able to handle such a number of certificates during reloads:
> - proftpd loads configs dynamically based on SNI domain
> - exim loads certificates dynamically based on SNI domain
> - LiteSpeed

Re: Thousands of SSL certificates stalls new logins during reload - problem with Dovecot config process

2022-09-02 Thread Felipe Gasper
For hosting environments--where TLS certs can change hundreds of times in a matter of minutes--it would be a boon for Dovecot to load those certificates dynamically rather than all at once. Pure-FTPd implements a nice solution to this: a standalone service that fetches TLS certificates & keys.
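The on-demand, per-SNI certificate loading that the last two messages describe for proftpd, exim and Pure-FTPd, as an added example in Python's standard `ssl` module (this is not Dovecot code and not code from the thread). The directory layout `<root>/<domain>/fullchain.pem` and `privkey.pem`, the class and function names, and the placeholder files created by `build_demo_tree()` are all assumptions for this example. Two points the paragraphs above do not spell out: the SNI value is attacker-controlled, so it is validated as a hostname before it is used to build a filesystem path, and a loaded context is re-read when the files on disk change, so a renewed certificate is picked up without any global reload.

```python
import re
import ssl
import tempfile
from pathlib import Path

# SNI is attacker-controlled: only accept RFC 1123 style labels so the name
# can never escape the certificate directory (e.g. "../../etc/passwd").
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def safe_server_name(server_name):
    """Normalise an SNI value; return None unless it is a plain multi-label hostname."""
    if not server_name or len(server_name) > 253:
        return None
    name = server_name.lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return name


class CertStore:
    """Lazily loads one SSLContext per domain from <root>/<domain>/{fullchain,privkey}.pem
    (hypothetical layout) and re-reads it when either file changes on disk."""

    def __init__(self, root, default_ctx=None):
        self.root = Path(root)
        self.default_ctx = default_ctx   # served for unknown or invalid SNI names
        self._cache = {}                 # domain -> (newest mtime_ns, SSLContext)

    def resolve(self, server_name):
        """(cert_path, key_path) for a valid SNI name with files on disk, else None."""
        name = safe_server_name(server_name)
        if name is None:
            return None
        cert = self.root / name / "fullchain.pem"
        key = self.root / name / "privkey.pem"
        if not (cert.is_file() and key.is_file()):
            return None
        return cert, key

    def context_for(self, server_name):
        paths = self.resolve(server_name)
        if paths is None:
            return self.default_ctx
        cert, key = paths
        stamp = max(cert.stat().st_mtime_ns, key.stat().st_mtime_ns)
        cached = self._cache.get(cert.parent.name)
        if cached is not None and cached[0] == stamp:
            return cached[1]             # unchanged on disk, reuse loaded context
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(str(cert), str(key))   # needs real PEM files
        self._cache[cert.parent.name] = (stamp, ctx)
        return ctx

    def sni_callback(self, ssl_sock, server_name, initial_ctx):
        """Signature required by ssl.SSLContext.sni_callback; swaps the context per connection."""
        ctx = self.context_for(server_name)
        if ctx is not None and ctx is not initial_ctx:
            ssl_sock.context = ctx


def listener_context(store, default_cert, default_key):
    """Context for the accepting socket: default certificate plus the per-SNI switch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(default_cert, default_key)
    store.default_ctx = ctx
    ctx.sni_callback = store.sni_callback
    return ctx


def build_demo_tree():
    """Constructed sample layout with placeholder (non-PEM) files; exercises resolve() only."""
    root = Path(tempfile.mkdtemp())
    vhost = root / "example.test"
    vhost.mkdir()
    (vhost / "fullchain.pem").write_text("placeholder, not a real certificate\n")
    (vhost / "privkey.pem").write_text("placeholder, not a real key\n")
    return root


if __name__ == "__main__":
    store = CertStore(build_demo_tree())
    for sni in ("example.test", "EXAMPLE.TEST.", "missing.test", "../../etc/passwd"):
        print(f"{sni!r:>22} -> {store.resolve(sni)}")
```

Pass the result of `listener_context()` to `wrap_socket` on the accepting socket; each handshake then loads only the certificate the client asked for, and adding a domain means dropping two files into a new directory rather than reloading every listener. The placeholder files are enough to exercise the lookup and name validation; `load_cert_chain` requires real PEM material.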