On Fri, Apr 01, 2022 at 12:48:57AM +1000, Nikolai Lusan <niko...@lusan.id.au> wrote:
> Hey,
>
> On Wed, 2022-03-30 at 17:35 +1100, raf wrote:
> >
> > Postfix picks up new certificates soon enough
> > (controlled by the max_idle and max_use parameters).
> >
> > Did you have smtpd_tls_chain_files set to an old
> > key/cert, as well as smtpd_tls_cert_file and
> > smtpd_tls_key_file set to the updated ones? Was that
> > the cause?
>
> The process I use to update my certificates uses rsync to overwrite the
> old certs/keys with the new ones. My thought process initially was that
> restarting postfix would have it pick up the new files - eventually by
> inspecting the relevant hash files I found copies of old certs in them
> ... hence rebuilding the hash files on update.
>
> - --
> Nikolai Lusan <niko...@lusan.id.au>

Thanks. It wouldn't have occurred to me to put keys/certs
in a hash database, but I've only got one at a time.

Checking the out-of-datedness of binary database files is
important. There might have been warning messages in
mail.log from postfix that it was out of date. I've seen
such a warning recently, but I can't seem to produce one
right now on my own server. So maybe I'm imagining things.

cheers,
raf
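
The staleness check discussed in this thread, as an added example that is not part of either message: a shell function that reports when a compiled table is older than its source map or than any key/cert file the map names. The function name `stale_inputs` and the map layout (a key followed by absolute PEM paths) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: detect a compiled lookup table (.db) that predates its inputs.
# Assumed map layout (hypothetical): "<key>  /abs/path/key.pem /abs/path/cert.pem"
# Paths containing whitespace are not supported by this sketch.

# stale_inputs MAP DB
#   Prints one line per input that is missing or newer than DB.
#   Returns 0 if a rebuild is needed, 1 if DB is up to date.
stale_inputs() {
    map=$1
    db=$2
    found=1
    if [ ! -f "$db" ]; then
        echo "missing: $db"
        return 0
    fi
    # Collect every absolute path mentioned on non-comment lines of the map.
    paths=$(sed '/^[[:space:]]*#/d' "$map" | tr -s ' \t' '\n\n' | grep '^/' || true)
    # Compare the map itself and each referenced file against the table.
    for f in "$map" $paths; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            found=0
        elif [ -n "$(find "$f" -prune -newer "$db")" ]; then
            echo "newer than $db: $f"
            found=0
        fi
    done
    return $found
}

# Stand-alone use: sh check.sh /path/to/map /path/to/map.db
if [ "$#" -eq 2 ]; then
    stale_inputs "$1" "$2"
fi
```

The comparison uses modification times, so a copy step that preserves the source file's timestamps can hide a change; rebuilding the table unconditionally after each certificate update avoids relying on them.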