What's wrong with using a certbot "post-hook" script such as:
#!/bin/bash
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
if grep --quiet "your.email.domain" <<<
"$RENEWED_DOMAINS"; then
??? /usr/local/sbin/dovecot reload
?? /usr/sbin/postfix reload
fi
Daniel
On 9/11/2017 1:57 PM, Joseph Tam wrote:> <master at remort.net> writes:
>
>> "writing a script to check the certs" - there is no need to
write any
>> scripts. As one mentioned, it's done by a hook to certbot. Please
read
>> the manuals for LE or certbot. The issue you have is quite common and
>> of course certbot designed to do it for you.
>
> Won't work, of course, if you employ the least-privilege security
> principle
> and run the certbot as a non-privileged user.? You'll need a script
with
> administrator privileges to detect cert renewals and restart the service.
>
> I can't willy-nilly restart dovecot to pick up renewed certs without
> webmail disruptions.? (My webmail uses persistent IMAP sessions.)
> All users get dumped and need to re-authenticate.? If a user happens to
> be drafting a message that took 2 hours to compose, I will surely hear
> about it.? I should probably install a IMAP proxy to isolate the effects
> of restarts.? Most mail readers cope with restarts just fine, though.
>
> Joseph Tam <jtam.home at gmail.com>