On Tue, 12 Sep 2017, dovecot-request at dovecot.org wrote:

> What's wrong with using a certbot "post-hook" script such as:
>
> #!/bin/bash
> echo "Letsencrypt renewal hook running..."
> echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
> echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
>
> if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
>     /usr/local/sbin/dovecot reload
>     /usr/sbin/postfix reload
> fi

Nothing, if you let your certbot run as root. (I'm assuming that's how these hooks work -- it's called after cert renewal using the same credentials as the certbot.)

If you use privilege separation, and run the certbot as a regular user process, this won't work. You might have this scenario if, for example using the context of web serving, you serve many virtual sites with different owners, and you don't want to give each owner administrative access.

Joseph Tam <jtam.home at gmail.com>
On 13/09/2017 05:31, Joseph Tam wrote:

> On Tue, 12 Sep 2017, dovecot-request wrote:
>
>> What's wrong with using a certbot "post-hook" script such as:
>>
>> #!/bin/bash
>> echo "Letsencrypt renewal hook running..."
>> echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
>> echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
>>
>> if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
>>     /usr/local/sbin/dovecot reload
>>     /usr/sbin/postfix reload
>> fi
>
> Nothing, if you let your certbot run as root. (I'm assuming that's
> how these hooks work -- it's called after cert renewal using the same
> credentials as the certbot.)
>
> If you use privilege separation, and run the certbot as a regular user
> process, this won't work. You might have this scenario if, for example
> using the context of web serving, you serve many virtual sites with
> different owners, and you don't want to give each owner administrative
> access.

There are options when running certbot as non-privileged user, such as sudo, inotifywait -s -e modify /path/to/bundle.pem && doveadm reload and so on.

-- 
Adi Pircalabu
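The hook discussed in both messages, written out as an added example (not code from either poster): it matches the mail certificate's name exactly against the whitespace-separated RENEWED_DOMAINS list instead of substring-grepping it, and it covers the non-root case Adi mentions by prefixing the reload commands with sudo when the hook is not running as root. It assumes MAIL_DOMAIN holds the mail certificate's name, that the reload binaries sit at the paths used in the quoted script, and that, for the unprivileged case, a sudoers rule already permits exactly those two reload commands.

```shell
#!/bin/sh
# Added example: certbot post-hook that reloads Dovecot and Postfix only when
# the mail certificate was among the renewed lineages.
# Assumptions: MAIL_DOMAIN is the mail cert's primary name (placeholder below);
# when run unprivileged, a sudoers entry allows the two reload commands.
set -u

MAIL_DOMAIN="${MAIL_DOMAIN:-mail.example.com}"   # constructed placeholder

# Exact-name match over certbot's space-separated RENEWED_DOMAINS.
# A plain grep would also match "notmail.example.com" and treat the dots
# in the pattern as wildcards. Returns 0 when the name is in the list.
renewed_includes() {
    wanted="$1"
    list="$2"
    for d in $list; do
        [ "$d" = "$wanted" ] && return 0
    done
    return 1
}

# Reload directly as root; otherwise go through sudo (non-interactive, so a
# missing sudoers rule fails loudly instead of hanging the certbot run).
reload_prefix() {
    if [ "$(id -u)" -eq 0 ]; then
        echo ""
    else
        echo "sudo -n"
    fi
}

reload_mail_services() {
    prefix="$(reload_prefix)"
    # Paths as in the quoted hook; adjust to the local install.
    $prefix /usr/local/sbin/dovecot reload || return 1
    $prefix /usr/sbin/postfix reload || return 1
}

main() {
    renewed="${RENEWED_DOMAINS:-}"
    if renewed_includes "$MAIL_DOMAIN" "$renewed"; then
        echo "Mail cert renewed (lineage: ${RENEWED_LINEAGE:-unknown}); reloading"
        reload_mail_services
    else
        echo "No mail cert in '$renewed'; nothing to do"
    fi
}

# Only act when certbot invoked us with RENEWED_DOMAINS set.
if [ -n "${RENEWED_DOMAINS:-}" ]; then main; fi
```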