Dovecot seems to load certificates into memory and doesn't refresh them until restart, or maybe reload. And this is correct logic. You'd better add a restart/reload task to the LE cron job after the successful renewal of the LE certificate. Check that it really works as it should. Dovecot shouldn't be restarted/reloaded if the certificate wasn't changed.

2017-09-08 17:47 GMT+05:00 @lbutlr <krem...@kreme.com>:
> So this morning at 4am I was awoken to my mail clients getting certificate
> errors for an expired certificate.
>
> I hopped on to the server and checked and… no, the LE certs renewed last
> month and are valid until November.
>
> After some moments of confusion I noticed that dovecot had been running since
> before the renewal, so I did a quick service dovecot restart which fixed
> everything.
>
> Should dovecot check for certs being refreshed? Or is this an artifact of my
> using symbolic links everywhere to point to the newest LE certs (which are
> themselves links the dehydrate script creates to point to the newest
> cert-1502534746.csr etc files)?
>
> Should I just create a monthly cron to restart dovecot or is there something
> else?
>
> --
> Apple broke AppleScripting signatures in Mail.app, so no random signatures.
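
Added example, not part of the thread and not from Dovecot or the renewal script: a post-renewal hook that restarts Dovecot only when the certificate file behind the symlinks has actually changed, which is the approach the reply describes. The certificate path and state file are assumptions; the restart command is the one used in the quoted message, and the check hashes the file contents rather than parsing the certificate.

```shell
#!/bin/sh
# Run from the renewal cron job after the renewal step has finished.
# CERT and STATE are assumed paths; adjust them to the local setup.
CERT="${CERT:-/etc/ssl/mail/fullchain.pem}"       # may be a chain of symlinks
STATE="${STATE:-/var/lib/dovecot-cert.sha256}"    # digest of the last cert Dovecot was restarted with
RESTART_CMD="${RESTART_CMD:-service dovecot restart}"

# Print the SHA-256 of the file the path finally resolves to.
# Opening the path follows symlinks, so re-pointed links are detected too.
cert_digest() {
    [ -r "$1" ] || return 1
    sha256sum < "$1" | cut -d' ' -f1
}

# Usage: restart_if_cert_changed CERT STATE COMMAND [ARGS...]
# Returns 0 = changed and COMMAND succeeded, 1 = unchanged (nothing run),
#         2 = certificate unreadable, 3 = COMMAND failed.
restart_if_cert_changed() {
    cert=$1; state=$2; shift 2
    new=$(cert_digest "$cert") || { echo "cannot read $cert" >&2; return 2; }
    # No state file yet (first run) counts as "changed": one restart is
    # cheaper than serving a stale certificate.
    old=$(cat "$state" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    "$@" || { echo "restart command failed" >&2; return 3; }
    # Record the digest only after a successful restart, so a failed
    # restart is retried on the next cron run.
    printf '%s\n' "$new" > "$state"
    return 0
}

# Cron entry point: call the script with --run.
if [ "${1:-}" = "--run" ]; then
    rc=0
    # RESTART_CMD is left unquoted on purpose so it splits into words.
    restart_if_cert_changed "$CERT" "$STATE" $RESTART_CMD || rc=$?
    # "Unchanged" is not an error for cron; anything above 1 is.
    [ "$rc" -le 1 ] && exit 0
    exit "$rc"
fi
```

Because the digest is stored only after the restart succeeds, a failed restart leaves the state file untouched and the next run tries again.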