Yassine Chaouche
2019-Mar-14 09:09 UTC
Am I right to assume certificate renewal with the same filename requires a dovecot reload/restart
On 3/14/19 9:55 AM, Patrick Cernko via dovecot wrote:
> [...] the way we have configured exim, it neither needs reload or
> restart but reads the certificate file every time it has to use it.

What happens if you goof off in the middle of an operation, temporarily putting a wrong file instead of the new certificate, and exim starts delivering the new broken certificate right away? Or breaks? Or clients can't connect anymore with TLS? Or don't connect at all if you don't allow non-TLS connections?

Yassine.
Kostya Vasilyev
2019-Mar-14 09:17 UTC
Re: Am I right to assume certificate renewal with the same filename requires a dovecot reload/restart
On Thu, Mar 14, 2019, at 12:09 PM, Yassine Chaouche via dovecot wrote:
> On 3/14/19 9:55 AM, Patrick Cernko via dovecot wrote:
>> [...] the way we have configured exim, it neither needs reload or
>> restart but reads the certificate file every time it has to use it.
>
> What happens if you goof off in the middle of an operation, temporarily
> putting a wrong file instead of the new certificate, and exim starts
> delivering the new broken certificate right away? Or breaks? Or
> clients can't connect anymore with TLS? Or don't connect at all if you
> don't allow non-TLS connections?
>
> Yassine.

Getting caught in the middle of a cert file or key file update should not happen -- a process that already opened a file will continue to be reading from that file, even if it gets renamed.

But what if exim (or some other process) happens to read the "old" certificate file - and then the "new" private key file (or vice versa)?

A race condition like this seems unlikely but technically possible.

-- K
Patrick Cernko
2019-Mar-14 11:13 UTC
Am I right to assume certificate renewal with the same filename requires a dovecot reload/restart
Hi Yassine, hi Kostya,

On 14.03.19 10:17, Kostya Vasilyev via dovecot wrote:
> On Thu, Mar 14, 2019, at 12:09 PM, Yassine Chaouche via dovecot wrote:
>> On 3/14/19 9:55 AM, Patrick Cernko via dovecot wrote:
>>> [...] the way we have configured exim, it neither needs reload or
>>> restart but reads the certificate file every time it has to use it.
>>
>> What happens if you goof off in the middle of an operation, temporarily
>> putting a wrong file instead of the new certificate, and exim starts
>> delivering the new broken certificate right away? Or breaks? Or
>> clients can't connect anymore with TLS? Or don't connect at all if you
>> don't allow non-TLS connections?

First: It happens the same if I replace the file with a wrong cert AND reload another service daemon and then get interrupted.

Second: I use ansible to push configurations and usually first push changes to a test system or only one machine.

Third: Server administration always has the risk of human error ;-)

> Getting caught in the middle of a cert file or key file update should not happen -- a process that already opened a file will continue to be reading from that file, even if it gets renamed.
>
> But what if exim (or some other process) happens to read the "old" certificate file - and then the "new" private key file (or vice versa)?
>
> A race condition like this seems unlikely but technically possible.

We store cert and key together in one PEM file, thus we will always exchange both cert and key in one "atomic" operation.

Best,
--
Patrick Cernko <pcernko at mpi-klsb.mpg.de> +49 681 9325 5815
Joint Administration: Information Services and Technology
Max-Planck-Institute fuer Informatik & Softwaresysteme
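The two concerns raised in this thread, a half-finished copy that a file-per-use daemon such as exim would serve immediately, and the cert/key race when the two live in separate files, are both addressed by building the combined PEM in a temporary file in the target directory, sanity-checking it, and then renaming it over the live path. The following script is an added example written for this thread, not code from any of the posters or from the exim or dovecot projects. The function name `deploy_combined_pem` and the placeholder PEM blocks it writes are constructed for the demo and are not real keys; the only external tools it relies on are `mktemp`, `cat`, `grep` and `mv`.

```shell
#!/bin/sh
# deploy_combined_pem NEW_CERT NEW_KEY DEST
# Builds DEST (cert followed by key) in a temp file in DEST's own directory,
# refuses anything that is not recognisably a certificate plus a private key,
# and finally rename(2)s it into place. A daemon that opens DEST by path gets
# either the complete old file or the complete new one, never a half-written
# mix; a daemon that already holds the old file open keeps reading the old
# content until it reopens, which is the behaviour Kostya describes above.
deploy_combined_pem() {
    cert="$1"; key="$2"; dest="$3"
    dir=$(dirname "$dest")
    # Temp file in the same directory so the final mv is a same-filesystem rename.
    tmp=$(mktemp "$dir/.pem.XXXXXX") || return 1
    chmod 600 "$tmp"   # restrict before the private key lands in the file
    cat "$cert" "$key" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Sanity check: both a certificate and a private key block must be present.
    # An empty or wrong input file fails here and the live file is left alone.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$tmp" ||
       ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    mv -f "$tmp" "$dest"   # atomic swap of cert and key together
}

# --- Stand-alone demo with constructed placeholder PEM blocks (not real keys) ---
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT-V1' \
    '-----END CERTIFICATE-----' > "$demo_dir/cert.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY-V1' \
    '-----END PRIVATE KEY-----' > "$demo_dir/key.pem"
deploy_combined_pem "$demo_dir/cert.pem" "$demo_dir/key.pem" "$demo_dir/live.pem" \
    && echo "deployed v1 to $demo_dir/live.pem"
# The "goofed" case from the thread: an empty file where the cert should be.
: > "$demo_dir/oops.pem"
deploy_combined_pem "$demo_dir/oops.pem" "$demo_dir/key.pem" "$demo_dir/live.pem" \
    || echo "refused bad input; live.pem still serves v1"
rm -rf "$demo_dir"
```

The marker check is deliberately cheap so the script has no dependency beyond coreutils; where `openssl` is available, a stronger pre-swap check is to confirm that the key in the temp file actually matches the certificate before the `mv`, which catches the cert-from-one-renewal, key-from-another mistake that separate files make possible.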