So this morning at 4am I was awoken to my mail clients getting certificate errors for an expired certificate.

I hopped on to the server and checked and... no, the LE certs renewed last month and are valid until November.

After some moments of confusion I noticed that dovecot had been running since before the renewal, so I did a quick service dovecot restart which fixed everything.

Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files)?

Should I just create a monthly cron to restart dovecot or is there something else?

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Dovecot seems to load certificates into memory and doesn't refresh them until restart, or maybe reload. And this is correct logic. You'd better add a restart/reload task to the LE cron job after the successful renewal of the LE certificate. Check that it really works as it should. Dovecot shouldn't be restarted/reloaded if the certificate wasn't changed.

2017-09-08 17:47 GMT+05:00 @lbutlr <kremels at kreme.com>:
> Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files)?
>
> Should I just create a monthly cron to restart dovecot or is there something else?
On 08-09-2017 09:47, @lbutlr wrote:
> Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files)?
>
> Should I just create a monthly cron to restart dovecot or is there something else?

Dovecot needs a restart after the certificate is changed. certbot allows you to define hooks to be run after a certificate is renewed, so you could use that feature to restart dovecot after the renewal. Other clients might have similar features.

-- 
While you recently had your problems on the run, they've regrouped and are making another attack.

Eduardo M KALINOWSKI
eduardo at kalinowski.com.br
On Fri, Sep 08, 2017 at 06:47:25AM -0600, @lbutlr wrote:
> Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files)?

As you're using dehydrated, I can share what I do. My hook script basically calls "run-parts /etc/dehydrated/hooks.d/" so I can just drop hook scripts into that directory. Then in the hooks.d directory, I have the following:

    #!/bin/bash

    set -e
    set -u
    set -o pipefail

    # dehydrated passes the hook name as $1 and, for deploy_cert, the domain as $2.
    # ${2:-} keeps set -u from aborting on hooks that carry no domain (e.g. startup_hook).
    if [[ ${1} == "deploy_cert" && ${2:-} == "mail.darac.org.uk" ]]; then
            echo " + Hook: Restarting Dovecot..."
            /usr/sbin/service dovecot restart
    fi

That means that dovecot will be restarted only if the certificate for the mail server is being deployed. If dehydrated runs, but fails to renew the certificate, then dovecot won't be restarted. Similarly, if it renews a different certificate, dovecot won't be restarted.

Hope that helps.

-- 
For more information, please reread.
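An added example, written for this page and not Darac's hook nor dehydrated's own code: a POSIX sh hook in the same spirit that also covers the point made earlier in the thread, that Dovecot should not be reloaded when the certificate has not actually changed. It remembers the SHA-256 of the last full chain it deployed and only reloads when the digest differs. It assumes dehydrated's hook calling convention ($1 is the hook name, $2 the domain, $5 the full-chain file); mail.example.com, the state file path and the reload command are placeholders that can be overridden through the environment.

```sh
#!/bin/sh
# Added example, not from the thread: a dehydrated-style hook that reloads
# Dovecot only when a NEW certificate for the mail host has been deployed.
# Assumed dehydrated calling convention for the deploy_cert hook:
#   $1 = "deploy_cert", $2 = domain, $3 = key, $4 = cert, $5 = full chain
set -e
set -u

MAIL_DOMAIN="${MAIL_DOMAIN:-mail.example.com}"                 # placeholder host
STATE_FILE="${STATE_FILE:-/var/lib/dovecot/last-cert.sha256}"  # assumed path
RELOAD_CMD="${RELOAD_CMD:-systemctl reload dovecot.service}"   # or: service dovecot restart

# SHA-256 of a PEM file. sha256sum follows symlinks, so a re-pointed link counts.
cert_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 if the certificate in $1 differs from the digest recorded in $2
# (or nothing was recorded yet), 1 if it is unchanged.
cert_changed() {
    old="$(cat "$2" 2>/dev/null || true)"
    [ "$(cert_digest "$1")" != "$old" ]
}

# Handle one hook invocation.
# Returns 0 if Dovecot was reloaded, 1 if nothing needed doing, 2 on error.
handle_hook() {
    hook="$1"; domain="${2:-}"; fullchain="${5:-}"
    if [ "$hook" != "deploy_cert" ] || [ "$domain" != "$MAIL_DOMAIN" ]; then
        echo "skip: $hook for ${domain:-?}"
        return 1
    fi
    if [ ! -r "$fullchain" ]; then
        echo "error: full chain file '$fullchain' not readable" >&2
        return 2
    fi
    if ! cert_changed "$fullchain" "$STATE_FILE"; then
        echo "skip: certificate for $domain unchanged"
        return 1
    fi
    echo " + Hook: Reloading Dovecot for $domain..."
    $RELOAD_CMD || return 2          # word-split on purpose: command plus arguments
    cert_digest "$fullchain" > "$STATE_FILE"   # record only after a successful reload
    return 0
}

# Dispatch only when dehydrated invokes the script with arguments.
if [ $# -gt 0 ]; then
    handle_hook "$@" && rc=0 || rc=$?
    [ "$rc" -le 1 ]                  # a skip is fine for dehydrated; an error aborts
fi
```

The digest is written only after the reload command succeeded, so a failed reload leaves the state file untouched and the next run tries again instead of believing the new certificate is already live.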
On Sep 8, 2017, at 07:56, Darac Marjal <mailinglist at darac.org.uk> wrote:
> That means that dovecot will be restarted only if the certificate for the mail server is being deployed. If dehydrated runs, but fails to renew the certificate, then dovecot won't be restarted. Similarly, if it renews a different certificate, dovecot won't be restarted.

That is a great solution, but I think it's probably easier to just kick dovecot once a month.

    4 4 4 * * service dovecot restart

However, it seems like checking the certs is something that dovecot should be doing on its own.

-- 
This is my signature. There are many like it, but this one is mine.
If you're using acme.sh:

    acme.sh --installcert -d imap.example.com \
        --keypath /etc/pki/dovecot/private/imap.example.com.pem \
        --certpath /etc/pki/dovecot/certs/imap.example.com.crt \
        --fullchainpath /etc/pki/dovecot/certs/imap.example.com.full.chain.crt \
        --reloadcmd "systemctl reload dovecot.service"

HTH,
Bill

On 9/8/2017 9:56 AM, Darac Marjal wrote:
> On Fri, Sep 08, 2017 at 06:47:25AM -0600, @lbutlr wrote:
>> Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files)?
>
> As you're using dehydrated, I can share what I do. My hook script basically calls "run-parts /etc/dehydrated/hooks.d/" so I can just drop hook scripts into that directory.
>
> That means that dovecot will be restarted only if the certificate for the mail server is being deployed. If dehydrated runs, but fails to renew the certificate, then dovecot won't be restarted. Similarly, if it renews a different certificate, dovecot won't be restarted.
>
>> Should I just create a monthly cron to restart dovecot or is there something else?