Re: restart necessary on certificate upgrade (letsencrypt)?
Original message
From: Demi Marie Obenour
Date: 1/9/22 4:47 AM (GMT-06:00)
To: misc@opensmtpd.org
Subject: Re: restart necessary on certificate upgrade (letsencrypt)?

> On 1/9/22 05:33, Rodolphe Bréard wrote:
> > You have to restart it.
> >
> > In fact, I don't know any server that watches those files in order to
> > reload them. As far as I know, most servers start as root, load the
> > private key and the certificate into memory, then switch to an
> > unprivileged user which cannot read those files. Such a workflow doesn't
> > allow the feature you are asking for unless your certificate and key
> > file are widely accessible, which is so obviously insecure that some
> > servers (OpenSMTPD is one of them) will refuse to start.
>
> OpenSMTPD could actually implement this feature, since the parent process
> runs as root and can access the secret key. It could then send the key
> to the correct child process via an imsg. An alternative would be for
> smtpctl to support sending the secret key and certificate via the control
> socket.
> --
> Sincerely,
> Demi Marie Obenour (she/her/hers)

It wouldn't be a trivial addition. I don't believe libevent has file watchers, so you'd have to hack your own or bring in more dependencies. Probably easier to just have cron do your cert renewal and restart if necessary.

Edgar
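A way to settle the question empirically rather than by restarting blindly, added here as an example and not code from any poster in the thread: it fingerprints the leaf certificate in the fullchain file on disk and the one the running daemon presents after STARTTLS, and restarts smtpd only when they differ. The certificate path and the rcctl invocation follow the OpenBSD setup mentioned in the thread; the host, port and the placeholder sample PEM are assumptions.

```python
import hashlib
import smtplib
import ssl
import subprocess

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def der_fingerprint(der: bytes) -> str:
    """SHA-256 over DER bytes, the same form 'openssl x509 -fingerprint -sha256' hashes."""
    return hashlib.sha256(der).hexdigest()


def leaf_fingerprint_from_pem(pem_text: str) -> str:
    """Fingerprint of the first CERTIFICATE block in a fullchain file (the leaf)."""
    start = pem_text.index(PEM_BEGIN)
    stop = pem_text.index(PEM_END, start) + len(PEM_END)
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text[start:stop]))


def served_fingerprint(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Fingerprint of the leaf certificate the running daemon presents after STARTTLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we only want the raw bytes, not chain validation
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)  # sends EHLO first if needed
        return der_fingerprint(smtp.sock.getpeercert(binary_form=True))


def needs_restart(disk_fp: str, served_fp: str) -> bool:
    """True when the daemon still serves something other than what is on disk."""
    return disk_fp != served_fp


# Constructed sample: placeholder bodies, not real certificates. PEM_cert_to_DER_cert
# only base64-decodes, which is enough to exercise leaf selection offline.
SAMPLE_FULLCHAIN = (ssl.DER_cert_to_PEM_cert(b"constructed-leaf")
                    + ssl.DER_cert_to_PEM_cert(b"constructed-issuer"))


def main(cert_path: str = "/etc/ssl/example.com_Fullchain.pem",
         host: str = "localhost", port: int = 25) -> None:
    with open(cert_path) as f:
        disk_fp = leaf_fingerprint_from_pem(f.read())
    if needs_restart(disk_fp, served_fingerprint(host, port)):
        print("smtpd still serves the old certificate; restarting")
        subprocess.run(["rcctl", "restart", "smtpd"], check=True)  # OpenBSD rc
    else:
        print("smtpd already serves the certificate on disk")


if __name__ == "__main__":
    main()
```

Run it from the same cron job that performs the renewal so the restart happens only when the served certificate actually lags the file.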
Re: restart necessary on certificate upgrade (letsencrypt)?
Hi,

> I wonder if opensmtpd starts using new key and certificate chain
> automagically, in case they replaced the old files? Do I have to hup or restart smtpd?

I'm not sure about a new key file [1], but for a renewed certificate chain [2], renewed for example by acme-client, no restart is necessary. If used, you need to reload httpd and dovecot though!

(On OpenBSD:
rcctl reload httpd
rcctl reload dovecot)

[1] pki example.com key "/etc/ssl/example.com_Key.pem"
[2] pki example.com cert "/etc/ssl/example.com_Fullchain.pem"
Re: restart necessary on certificate upgrade (letsencrypt)?
On 22/01/09 09:05AM, Harald Dunkel wrote:
> Hi folks,
>
> I wonder if opensmtpd starts using new key and certificate chain
> automagically, in case they replaced the old files? Do I have to hup or restart smtpd?
>
> Hopefully I am not too blind to see, but apparently the man page doesn't tell.
>
> Regards
> Harri

Hi,

I am not very knowledgeable about your question; however, I have been hosting my opensmtpd-powered email server for about a year now, and I never restart smtpd after certificate renewal. Nothing seems to have broken by doing so. I do restart the IMAP server, dovecot in my case, though.

Hope this helps.

Hakan
Re: restart necessary on certificate upgrade (letsencrypt)?
On Sun, 9 Jan 2022 at 11:47, Demi Marie Obenour wrote:
> On 1/9/22 05:33, Rodolphe Bréard wrote:
> > You have to restart it.
> >
> > In fact, I don't know any server that watches those files in order to
> > reload them. As far as I know, most servers start as root, load the
> > private key and the certificate into memory, then switch to an
> > unprivileged user which cannot read those files. Such a workflow doesn't
> > allow the feature you are asking for unless your certificate and key
> > file are widely accessible, which is so obviously insecure that some
> > servers (OpenSMTPD is one of them) will refuse to start.
>
> OpenSMTPD could actually implement this feature, since the parent process
> runs as root and can access the secret key. It could then send the key
> to the correct child process via an imsg. An alternative would be for
> smtpctl to support sending the secret key and certificate via the control
> socket.
> --
> Sincerely,
> Demi Marie Obenour (she/her/hers)

In most setups, the private key doesn't change when a certificate is renewed. You only get a new certificate for the same private key. And since the certificate is not sensitive, there is normally no problem with that being world readable.

So while reloading the private key has some security issues to consider, reloading the certificate is quite easy and is sufficient for most if not all real-world renewals.

Kind regards,
Maarten de Vries
Re: restart necessary on certificate upgrade (letsencrypt)?
On 1/9/22 05:33, Rodolphe Bréard wrote:
> You have to restart it.
>
> In fact, I don't know any server that watches those files in order to
> reload them. As far as I know, most servers start as root, load the
> private key and the certificate into memory, then switch to an
> unprivileged user which cannot read those files. Such a workflow doesn't
> allow the feature you are asking for unless your certificate and key
> file are widely accessible, which is so obviously insecure that some
> servers (OpenSMTPD is one of them) will refuse to start.

OpenSMTPD could actually implement this feature, since the parent process runs as root and can access the secret key. It could then send the key to the correct child process via an imsg. An alternative would be for smtpctl to support sending the secret key and certificate via the control socket.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
Re: restart necessary on certificate upgrade (letsencrypt)?
On 09/01/2022 09:05, Harald Dunkel wrote:
> Hi folks,

Hi!

> I wonder if opensmtpd starts using new key and certificate chain
> automagically, in case they replaced the old files? Do I have to hup or restart smtpd?
>
> Hopefully I am not too blind to see, but apparently the man page doesn't tell.

You have to restart it.

In fact, I don't know any server that watches those files in order to reload them. As far as I know, most servers start as root, load the private key and the certificate into memory, then switch to an unprivileged user which cannot read those files. Such a workflow doesn't allow the feature you are asking for unless your certificate and key file are widely accessible, which is so obviously insecure that some servers (OpenSMTPD is one of them) will refuse to start.

Regards,
--
Rodolphe Bréard
https://rodolphe.breard.tf/
B229 CCD5 6900 91E7 D5D6 189F 09BC 23A1 D556 2635