I'm setting up certbot/letsencrypt to provide a certificate for dovecot and sendmail. Is it necessary to restart dovecot to load the new certificate, as shown in most examples I find in blogs? That seems rude to established connections. When does dovecot read the cert and key files? Once at startup or each time a connection requests SSL? Is there a preferred locking protocol when changing the two files to keep dovecot from reading one while the other is being replaced and getting a mismatched pair?
> On December 26, 2017 at 11:42 PM Kenneth Porter <shiva at sewingwitch.com> wrote:
>
>
> I'm setting up certbot/letsencrypt to provide a certificate for dovecot and
> sendmail. Is it necessary to restart dovecot to load the new certificate,
> as shown in most examples I find in blogs? That seems rude to established
> connections. When does dovecot read the cert and key files? Once at startup
> or each time a connection requests SSL? Is there a preferred locking
> protocol when changing the two files to keep dovecot from reading one while
> the other is being replaced and getting a mismatched pair?

doveadm reload should be enough.

Aki
I'm using acme.sh to get my Let's Encrypt certificates. The install command is:

    acme.sh --installcert -d imap.example.com \
        --keypath /etc/pki/dovecot/private/imap.example.com.pem \
        --certpath /etc/pki/dovecot/certs/imap.example.com.crt \
        --fullchainpath /etc/pki/dovecot/certs/imap.example.com.full.chain.crt \
        --reloadcmd "systemctl reload dovecot.service"

Notice the --reloadcmd.

Bill

On 12/26/2017 6:16 PM, Aki Tuomi wrote:
>> On December 26, 2017 at 11:42 PM Kenneth Porter <shiva at sewingwitch.com> wrote:
>>
>>
>> I'm setting up certbot/letsencrypt to provide a certificate for dovecot and
>> sendmail. Is it necessary to restart dovecot to load the new certificate,
>> as shown in most examples I find in blogs? That seems rude to established
>> connections. When does dovecot read the cert and key files? Once at startup
>> or each time a connection requests SSL? Is there a preferred locking
>> protocol when changing the two files to keep dovecot from reading one while
>> the other is being replaced and getting a mismatched pair?
> doveadm reload should be enough.
>
> Aki
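
The mismatched-pair concern from the original question and the reload step from the replies, combined in one renewal hook; this is an added example, not code from any message in the thread. It checks that the new certificate and key belong together, stages both in a fresh directory, switches a symlink with a single rename, and only then reloads dovecot. Assumptions: the releases/ plus current layout and the names publish_pair, pair_matches, VERIFY and RELOAD_CMD are hypothetical, and mv -T requires GNU coreutils.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed layout:
#   $base/releases/<random>/cert.pem and key.pem
#   $base/current -> releases/<random>   (the dovecot config would reference current/)
RELOAD_CMD=${RELOAD_CMD:-"doveadm reload"}   # the command suggested in the thread
VERIFY=${VERIFY:-pair_matches}               # hypothetical hook: check run before publishing

# True only when the certificate and the private key carry the same public key.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# publish_pair BASE NEW_CERT NEW_KEY
publish_pair() {
    base=$1; cert=$2; key=$3
    "$VERIFY" "$cert" "$key" || {
        echo "certificate and key do not match; live pair left untouched" >&2
        return 1
    }
    mkdir -p "$base/releases" || return 1
    rel=$(mktemp -d "$base/releases/XXXXXXXX") || return 1
    # Both files are complete in the new directory before anything points at it,
    # so no reader ever opens a half-written file.
    ( umask 077; cp "$key" "$rel/key.pem" ) || return 1
    cp "$cert" "$rel/cert.pem" || return 1
    # Build the new symlink beside the old one, then rename it over "current".
    # rename(2) is atomic, so both names switch in one step. A reader that opens
    # the two paths on either side of the rename can still mix old and new,
    # which is why the reload is issued only after the swap.
    tmp="$base/current.new.$$"
    ln -s "releases/${rel##*/}" "$tmp" || return 1
    mv -T "$tmp" "$base/current" || { rm -f "$tmp"; return 1; }
    $RELOAD_CMD
}

# Stand-alone use: sh publish.sh /etc/pki/dovecot new.crt new.key
if [ "$#" -eq 3 ]; then publish_pair "$@"; fi
```

Old release directories are kept, so rolling back means pointing current at the previous one and reloading again.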