Sent via the Samsung Galaxy A10e, an AT&T 4G LTE smartphone

-------- Original message --------
From: Demi Marie Obenour <demioben...@gmail.com>
Date: 1/9/22 4:47 AM (GMT-06:00)
To: misc@opensmtpd.org
Subject: Re: restart necessary on certificate upgrade (letsencrypt)?

On 1/9/22 05:33, Rodolphe Bréard wrote:
> You have to restart it.
>
> In fact, I don't know any server that watches those files in order to
> reload them. As far as I know, most servers start as root, load the
> private key and the certificate into memory, then switch to an
> unprivileged user which cannot read those files. Such a workflow doesn't
> allow the feature you are asking for unless your certificate and key
> file are widely accessible, which is so obviously insecure that some
> servers (OpenSMTPD is one of them) will refuse to start.

OpenSMTPD could actually implement this feature, since the parent process
runs as root and can access the secret key. It could then send the key
to the correct child process via an imsg. An alternative would be for
smtpctl to support sending the secret key and certificate via the
control socket.

--
Sincerely,
Demi Marie Obenour (she/her/hers)

It wouldn't be a trivial addition. I don't believe libevent has file
watchers, so you'd have to hack your own or bring in more dependencies.
Probably easier to just have cron do your cert renewal and restart if
necessary.

Edgar
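One way to do the "cron restarts if necessary" part Edgar describes, as an added example that is not code from this thread or from OpenSMTPD: the script records a digest of the certificate file, and a later cron run restarts smtpd only when that digest has changed and the new file still parses as a certificate. The certificate path, the state-file path and the `rcctl restart smtpd` command are assumptions for an OpenBSD host; adjust them for your system.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSMTPD: a cron-driven
# check that restarts smtpd only when the renewed Let's Encrypt certificate
# actually changed. Paths and the restart command are assumptions.
SMTPD_CERT="${SMTPD_CERT:-/etc/ssl/mail.example.org.fullchain.pem}"
SMTPD_CERT_STATE="${SMTPD_CERT_STATE:-/var/db/smtpd-cert.sha256}"
SMTPD_RESTART_CMD="${SMTPD_RESTART_CMD:-rcctl restart smtpd}"   # OpenBSD

# SHA-256 of a file with whichever tool the host provides.
cert_digest() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"       # OpenBSD
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# 0 when the cert differs from the recorded digest, 1 when unchanged,
# 2 when the cert is missing or unreadable.
cert_changed() {
    [ -r "$1" ] || return 2
    new=$(cert_digest "$1")
    old=$(cat "$2" 2>/dev/null || true)
    [ "$new" != "$old" ]
}

# Restart only on a real change, and only after the new file parses as a
# certificate, so a half-written or corrupt file never takes the daemon down.
# Returns 0 if a restart was triggered, 1 if nothing to do, 2 on error, or
# the restart command's own non-zero status if it failed.
restart_if_renewed() {
    cert="$1"; state="$2"; restart="$3"
    cert_changed "$cert" "$state" && rc=0 || rc=$?
    case $rc in
        1) return 1 ;;
        2) echo "cannot read $cert" >&2; return 2 ;;
    esac
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "$cert is not a valid certificate; not restarting" >&2
        return 2
    fi
    # Record the digest only after a successful restart, so a failed restart
    # is retried on the next cron run.
    $restart && cert_digest "$cert" > "$state"
}

# Entry point for cron, e.g. a few minutes after the acme-client run:
#   5 1 * * * /usr/local/sbin/smtpd-cert-restart
main() { restart_if_renewed "$SMTPD_CERT" "$SMTPD_CERT_STATE" "$SMTPD_RESTART_CMD"; }
main
```

Because the state file lives outside the certificate directory and the script runs as root from cron, the daemon's unprivileged child processes never need read access to the key, which keeps the permission model Rodolphe describes intact.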