On 13/09/2017 05:31, Joseph Tam wrote:
On Tue, 12 Sep 2017, dovecot-request wrote:
What's wrong with using a certbot "post-hook" script such as:
#!/bin/bash
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
if grep --quiet "your.email.domain" <<< "$RENEWED_DOMAINS"; then
??? /usr/local/sbin/dovecot reload
?? /usr/sbin/postfix reload
fi
Nothing, if you let your certbot run as root. (I'm assuming that's
how these hooks work -- it's called after cert renewal using the same
credentials as the certbot.)
If you use privilege separation, and run the certbot as a regular user
process, this won't work. You might have this scenario if, for example
using the context of web serving, you serve many virtual sites with
different owners, and you don't want give each owner administrative
access.
There are options when running certbot as non-privileged user, such as
sudo, inotifywait -s -e modify /path/to/bundle.pem && doveadm reload and
so on.
--
Adi Pircalabu
