> On Oct 1, 2019, at 1:27 PM, Phil Stracchino <ph...@caerllewys.net> wrote:
>
> Here's how I fix that for ejabberd, which REQUIRES a single file:
>
> 30 6,18 * * * [[ /etc/letsencrypt/live/www.caerllewys.net/privkey.pem -nt /etc/jabber/server.pem ]] && cat /etc/letsencrypt/live/www.caerllewys.net/privkey.pem /etc/letsencrypt/live/www.caerllewys.net/fullchain.pem > /etc/jabber/server.pem && ejabberdctl restart
>
> One could do something very similar for Postfix.
Not similar, because unlike "ejabberd" which probably reads the cert and key only on startup, Postfix starts new smtpd(8) and smtp(8) processes as needed, and these reload the cert at unpredictable times. Postfix does not need a "reload" to get fresh certs, but ideally the cert file should be updated atomically (write a new file and rename into place).

As of Postfix 3.4, if you place both the cert and key into the same file, the file is opened just once to read both, avoiding the race condition, provided the file is updated atomically.

-- 
Viktor.
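An added example, not code from either poster: a POSIX sh function that does the atomic update Viktor describes, writing key and full chain into a temp file in the destination directory (same filesystem, so the final rename is atomic) and only then renaming it into place. The Let's Encrypt paths are taken from the quoted cron line; the temp-file name pattern and the content sanity check are assumptions.

```shell
#!/bin/sh
# Atomically install a combined key+chain PEM for Postfix >= 3.4.
# Readers opening the file see either the complete old copy or the
# complete new one, never a partially written file.
set -eu

install_combined_pem() {
    key="$1"; chain="$2"; dest="$3"
    # Only refresh when a source file is newer than the installed copy.
    if [ -e "$dest" ] && ! [ "$key" -nt "$dest" ] && ! [ "$chain" -nt "$dest" ]; then
        return 0
    fi
    destdir=$(dirname "$dest")
    # mktemp creates the file with mode 0600 in the destination directory,
    # so mv below is a rename(2), not a copy across filesystems.
    tmp=$(mktemp "$destdir/.server.pem.XXXXXX")
    if ! cat "$key" "$chain" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # Sanity check (assumption: refuse to install a file without both parts).
    if ! grep -q 'PRIVATE KEY-----' "$tmp" || ! grep -q 'BEGIN CERTIFICATE-----' "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    mv -f "$tmp" "$dest"   # atomic replacement; no postfix reload needed
    return 0
}

# Stand-alone use: install_combined_pem KEY CHAIN DEST, e.g. with the
# paths from the quoted cron job (assumed to exist on the host).
if [ "$#" -eq 3 ]; then
    install_combined_pem "$@"
fi
```

Unlike the ejabberd cron line, no service restart follows the rename: new Postfix smtpd(8)/smtp(8) processes pick up the file on their next open.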