
List:       postfix-users
Subject:    [pfx] Re: server does not pick up new certificates
From:       Olivier via Postfix-users <postfix-users () postfix ! org>
Date:       2023-07-25 7:20:14
Message-ID: wu7r0owihjl.fsf () banyan ! cs ! ait ! ac ! th

lejeczek via Postfix-users <postfix-users@postfix.org> writes:

> On 23/07/2023 22:44, Viktor Dukhovni via Postfix-users wrote:
>> On 23 Jul 2023, at 4:21 pm, Charles Sprickman via Postfix-users <postfix-users@postfix.org> wrote:
>>
>>> In the case of the dehydrated ACME client
>>> (https://github.com/dehydrated-io/dehydrated) there's an option to run
>>> a bunch of commands on successful update, including something like
>>> "postfix reload" - one could also insert an email or other command to
>>> note the update. I can't imagine other ACME clients don't offer a
>>> similar function...
>> The "certbot" ACME client offers post-hooks, but they're not "reliable".
>> If the hook fails or doesn't run, it won't be retried.  A robust
>> "post-hook" should have "at least once" semantics, its implementation
>> should be idempotent, and should be retried until it succeeds.
>>
> I have had those hooks doing 'postmap' for SNI map and then
> I found myself in that situation as originally described
> here - thus asking the list for I got quite confused,
> thinking 'postfix' might be keeping those even closer to the
> chest than what was obvious.
> But between the two - having more direct/dynamic pointers to
> the certs/keys VS more secure 'postfix' (as guys explained)
> as it is with lookup/cached tables - I'm thinking... that
> certbot's hooks are what I'll keep using, only need to invest
> more there.

I have developed my own solution, with a database backend. One script
updates the certificates in the database (with certbot or acme.sh and DNS
authorization), other scripts upload the certificates to each server and
restart what needs to be restarted.

It works well for Postfix, but also Apache, OpenLdap, Freeradius, VMware
ESXi,...

Olivier
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-leave@postfix.org
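Putting Viktor's requirements (idempotent, safe to retry until it succeeds) together with the SNI-map `postmap` step lejeczek mentions, here is an added example of such a deploy hook; it is not code from any poster on this thread. The paths, the `sni_map` name (the file named in `tls_server_sni_maps`) and the overridable `POSTMAP`/`POSTFIX` variables are assumptions; `RENEWED_LINEAGE` is the variable certbot sets for a `--deploy-hook`.

```shell
#!/bin/sh
# Idempotent deploy hook for Postfix certificates (constructed example).
# Paths, the SNI map name and the command variables are assumptions; the
# command variables exist so the functions can be exercised without Postfix.
# Source defaults to certbot's RENEWED_LINEAGE so it works as a --deploy-hook;
# the same script can be re-run from cron ("hook.sh run") until it exits 0.
CERT_SRC=${CERT_SRC:-${RENEWED_LINEAGE:-/etc/letsencrypt/live/mail.example.com}}
CERT_DST=${CERT_DST:-/etc/postfix/tls}
SNI_MAP=${SNI_MAP:-$CERT_DST/sni_map}
POSTMAP=${POSTMAP:-postmap}
POSTFIX=${POSTFIX:-postfix}
CHANGED=0

# True when the destination is missing or differs byte-for-byte from source.
needs_deploy() {
    [ -f "$2" ] && cmp -s "$1" "$2" && return 1
    return 0
}

# Write to a temporary name, then rename: readers see old or new, never partial.
install_file() {
    tmp="$2.tmp.$$"
    cp "$1" "$tmp" && chmod 0600 "$tmp" && mv "$tmp" "$2"
}

# Copy fullchain/privkey only when they differ; sets CHANGED=1 if anything moved.
deploy_certs() {
    CHANGED=0
    mkdir -p "$CERT_DST" || return 1
    for f in fullchain.pem privkey.pem; do
        if needs_deploy "$CERT_SRC/$f" "$CERT_DST/$f"; then
            install_file "$CERT_SRC/$f" "$CERT_DST/$f" || return 1
            CHANGED=1
        fi
    done
}

# Whole hook: deploy, rebuild the SNI map (postmap -F embeds the PEM file
# contents into the .db, so it must be redone), then reload. Every step is
# safe to repeat, so a failed run is simply retried by the next invocation.
run_hook() {
    deploy_certs || return 1
    if [ "$CHANGED" -eq 1 ]; then
        "$POSTMAP" -F "hash:$SNI_MAP" || return 1
        "$POSTFIX" reload || return 1
    fi
    return 0
}

if [ "${1:-}" = run ]; then run_hook; fi
```

Because a run that changed nothing exits 0 without reloading, a cron entry calling `hook.sh run` every few minutes gives the "at least once" retry on top of certbot's hook.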