On 10/1/19 1:34 PM, Viktor Dukhovni wrote:
> Not similar, because unlike "ejabberd" which probably reads
> the cert and key only on startup, Postfix starts new smtpd(8)
> and smtp(8) processes as needed, and these reload the cert
> at unpredictable times.
>
> Postfix does not need a "reload" to get fresh certs, but ideally
> the cert file should be updated atomically (write a new file and
> rename into place).
>
> As of Postfix 3.4, if you place both the cert and key into the
> same file, the file is opened just once to read both, avoiding
> the race condition, provided the file is updated atomically.
And actually, I just revisited my certbot configuration. When last I updated it, hooks didn't seem to work properly. Now they do, and the deed can be accomplished by creating a one-liner such as the following in /etc/letsencrypt/renewal-hooks/deploy:

    #!/bin/sh
    set -e      # if the cat fails, do not rename a partial file into place
    umask 077   # the combined file carries the private key; keep it root-only
    cat /etc/letsencrypt/live/DOMAIN/privkey.pem /etc/letsencrypt/live/DOMAIN/fullchain.pem > /destpath/COMBINED-STAGE.pem
    mv /destpath/COMBINED-STAGE.pem /destpath/COMBINED-LIVE.pem   # atomic rename, same filesystem

-- 
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
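A more defensive version of the deploy hook above, added here as an example and not taken from the thread or from certbot/Postfix: it stages the key-then-chain file in the destination directory (so the final rename stays atomic), refuses to install a file that is missing the key, the chain, or has them in the wrong order, and removes the staging file on any failure. The function name and paths are hypothetical.

```shell
#!/bin/sh
# install_combined_pem KEY CHAIN DEST
# Builds DEST as "private key, then certificate chain" in one file, which is
# the layout Postfix 3.4 reads in a single open. Returns non-zero, leaving no
# staging file behind, if the input does not look right.
install_combined_pem() {
    key="$1"; chain="$2"; dest="$3"
    destdir=$(dirname "$dest")
    # Stage in the destination directory: rename(2) is only atomic within one filesystem.
    tmp=$(mktemp "$destdir/.combined.XXXXXX") || return 1
    chmod 600 "$tmp"                     # the file holds the private key; root-only
    if ! cat "$key" "$chain" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # Sanity checks before the rename: exactly one key block, at least one
    # certificate block, and the key must come first.
    nkey=$(grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$tmp" || true)
    ncert=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$tmp" || true)
    first=$(grep '^-----BEGIN ' "$tmp" | head -n 1)
    case "$first" in
        *"PRIVATE KEY"*) ;;              # key first: good
        *) nkey=0 ;;                     # chain first (or empty): reject
    esac
    if [ "$nkey" -ne 1 ] || [ "$ncert" -lt 1 ]; then
        rm -f "$tmp"; return 1
    fi
    mv -f "$tmp" "$dest"                 # atomic replace; readers see old or new, never a mix
}
```

Called from the certbot deploy hook as `install_combined_pem /etc/letsencrypt/live/DOMAIN/privkey.pem /etc/letsencrypt/live/DOMAIN/fullchain.pem /destpath/COMBINED-LIVE.pem`, a failed check leaves the previous combined file untouched.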