Renewing certificates


Renewing certificates

Kenneth Porter
I'm setting up certbot/letsencrypt to provide a certificate for dovecot and
sendmail. Is it necessary to restart dovecot to load the new certificate,
as shown in most examples I find in blogs? That seems rude to established
connections. When does dovecot read the cert and key files? Once at startup
or each time a connection requests SSL? Is there a preferred locking
protocol when changing the two files to keep dovecot from reading one while
the other is being replaced and getting a mismatched pair?

Re: Renewing certificates

Aki Tuomi-2

> On December 26, 2017 at 11:42 PM Kenneth Porter <[hidden email]> wrote:
>
>
> I'm setting up certbot/letsencrypt to provide a certificate for dovecot and
> sendmail. Is it necessary to restart dovecot to load the new certificate,
> as shown in most examples I find in blogs? That seems rude to established
> connections. When does dovecot read the cert and key files? Once at startup
> or each time a connection requests SSL? Is there a preferred locking
> protocol when changing the two files to keep dovecot from reading one while
> the other is being replaced and getting a mismatched pair?

doveadm reload should be enough.

Aki

Re: Renewing certificates

Bill Shirley
I'm using acme.sh to get my Let's Encrypt certificates.  The install command is:
acme.sh --installcert -d imap.example.com \
         --keypath /etc/pki/dovecot/private/imap.example.com.pem \
         --certpath /etc/pki/dovecot/certs/imap.example.com.crt \
         --fullchainpath /etc/pki/dovecot/certs/imap.example.com.full.chain.crt \
         --reloadcmd     "systemctl reload dovecot.service"
Notice the --reloadcmd.

Bill

On 12/26/2017 6:16 PM, Aki Tuomi wrote:

>> On December 26, 2017 at 11:42 PM Kenneth Porter <[hidden email]> wrote:
>>
>>
>> I'm setting up certbot/letsencrypt to provide a certificate for dovecot and
>> sendmail. Is it necessary to restart dovecot to load the new certificate,
>> as shown in most examples I find in blogs? That seems rude to established
>> connections. When does dovecot read the cert and key files? Once at startup
>> or each time a connection requests SSL? Is there a preferred locking
>> protocol when changing the two files to keep dovecot from reading one while
>> the other is being replaced and getting a mismatched pair?
> doveadm reload should be enough.
>
> Aki


Re: Renewing certificates

Kenneth Porter
--On Wednesday, December 27, 2017 9:24 AM -0500 Bill Shirley
<[hidden email]> wrote:

>  --reloadcmd     "systemctl reload dovecot.service"
> Notice the --reloadcmd.

Thanks. Some digging indicates that this is equivalent to doveadm reload.
Both paths ultimately send a SIGHUP to the server which initiates a full
reload of the configuration.

I'll be combining this with a restart of sendmail. Alas, I don't see a way
to get it to reload its configuration.

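Added example, not code from the thread or from acme.sh/certbot: a certbot --deploy-hook that does what Bill's --reloadcmd does, but also answers Kenneth's two concerns. It refuses to install a key that does not belong to the certificate, and it swaps key and chain into place with one rename(2) so no reader (Dovecot on SIGHUP, or any other process) can see a new key next to an old certificate. The Dovecot directory, the generation/symlink layout and the DOVECOT_CERT_DIR variable are hypothetical; RENEWED_LINEAGE is the variable certbot does export to deploy hooks; GNU mv (-T) and openssl are assumed to be installed.

```sh
#!/bin/sh
# Added example, not from the thread. A certbot --deploy-hook that installs a
# renewed Let's Encrypt key and chain for Dovecot so that no reader can ever
# see a new key next to an old certificate, then reloads Dovecot. Hypothetical
# assumptions: Dovecot reads its files through a symlink
#   ssl_cert = </etc/pki/dovecot/current/fullchain.pem
#   ssl_key  = </etc/pki/dovecot/current/key.pem
# certbot sets RENEWED_LINEAGE for deploy hooks (real certbot behaviour), and
# GNU coreutils mv (-T) plus openssl are available.
set -eu

# Check that the private key and the certificate carry the same public key.
# Returns 0 on match, 1 on mismatch or if either file cannot be parsed.
pair_matches() {
    _k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    _c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# Install KEY and CHAIN under DEST as a fresh generation directory, then swap
# the DEST/current symlink with a single rename(2). Both files of a generation
# are complete before the symlink moves, so there is no window in which Dovecot
# (or a concurrent reload) can read a mismatched pair. Old generations are left
# in place for rollback. Returns 1 (and changes nothing) if the pair mismatches.
install_pair() {
    key=$1; chain=$2; dest=$3
    if ! pair_matches "$key" "$chain"; then
        echo "install_pair: refusing to install, key does not match certificate" >&2
        return 1
    fi
    mkdir -p "$dest"
    gen=$(mktemp -d "$dest/gen-$(date +%Y%m%d%H%M%S).XXXXXX") || return 1
    cp "$key" "$gen/key.pem" && chmod 600 "$gen/key.pem" || return 1
    cp "$chain" "$gen/fullchain.pem" && chmod 644 "$gen/fullchain.pem" || return 1
    chmod 755 "$gen"
    # Build the new symlink under a temporary name, then rename it over
    # DEST/current: rename(2) replaces the old link atomically.
    ln -s "$(basename "$gen")" "$dest/current.new.$$" || return 1
    mv -T "$dest/current.new.$$" "$dest/current"
}

# As noted in the thread, both of these end in a SIGHUP to the Dovecot master
# process, which re-reads the configuration, certificate files included.
reload_dovecot() {
    if command -v doveadm >/dev/null 2>&1; then
        doveadm reload
    else
        systemctl reload dovecot.service
    fi
}

# Entry point when certbot runs this script as a deploy hook. RENEWED_LINEAGE
# is /etc/letsencrypt/live/<name>; nothing runs when the variable is unset.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_pair "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/fullchain.pem" \
                 "${DOVECOT_CERT_DIR:-/etc/pki/dovecot}"
    reload_dovecot
fi
```

Point ssl_cert and ssl_key at the current/ symlink once, then register the script with certbot (--deploy-hook /path/to/script); certbot runs it only after a successful renewal, which is the same role acme.sh gives --reloadcmd. The public-key comparison is the check worth keeping even if you drop the symlink layout: a hook that copies two files and reloads will happily hand Dovecot a pair that does not match, and Dovecot will only tell you at the next reload.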


Re: Renewing certificates

Joseph Tam-2
Kenneth Porter <[hidden email]> writes:

> Thanks. Some digging indicates that this is equivalent to doveadm reload.
> Both paths ultimately send a SIGHUP to the server which initiates a full
> reload of the configuration.
>
> I'll be combining this with a restart of sendmail. Alas, I don't see a way
> to get it to reload its configuration.

Should be the same way: send a SIGHUP signal to the parent process.

  http://etutorials.org/Server+Administration/Sendmail/Part+II+Administration/Chapter+14.+Signals+Transactions+and+Syslog/SIGHUP/

I'm not sure whether this will cause the sendmail worker processes to dump
their clients, but if it did, SMTP is fault tolerant enough that delivery
should be retried later.

Joseph Tam <[hidden email]>