
Recently I upgraded Let's Encrypt certs but forgot to restart sendmail. Is there an option in sendmail to check whether the cert files have been updated? The starttls.m4 contains this:

```m4
define(`CERT_DIR', `/etc/letsencrypt/live/xyz')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/fullchain.pem')
define(`confSERVER_CERT', `CERT_DIR/cert.pem')
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')
```

PS: I know how to reload a service, but I am wondering whether a service might be aware of this, and specifically whether sendmail is.

Thomas
  • Certbot provides a renew-hook that allows you to restart services after a certificate has been renewed. – Gerald Schneider Jun 15 '20 at 08:27
  • Does this answer your question? [Let's Encrypt certificate renewed, but the site delivers the old one](https://serverfault.com/questions/815672/lets-encrypt-certificate-renewed-but-the-site-delivers-the-old-one) – Gerald Schneider Jun 15 '20 at 08:27
  • Here is a script I use for my renew hook: https://serverfault.com/questions/868900/email-server-configuration-still-complaining-the-connection-isnt-secure/868919#868919 – Gerald Schneider Jun 15 '20 at 08:28
  • Thanks for your hint, why not as an answer? If you need such a script, my question is answered with no. – Thomas Jun 15 '20 at 08:35
  • Because it is not an answer to your question, it's just the common method to handle Let's Encrypt renewals. I am not familiar with sendmail, so I can't answer if it has the ability or not. My gut feeling is no, but only because I never encountered any service that checks if certificate files have changed. It just doesn't make sense to program them that way, since certificates usually only change every couple of years. – Gerald Schneider Jun 15 '20 at 08:40

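The renew-hook approach from the comments, written out as an added example (not from the question, the comments, or the sendmail or certbot projects): a certbot deploy hook that restarts sendmail only when the renewed lineage is the one starttls.m4 points at, then confirms that the certificate sendmail presents after STARTTLS matches the file on disk, which is the check the question is really after. Assumptions: the hook lives at a path like `/etc/letsencrypt/renewal-hooks/deploy/sendmail.sh`, the systemd unit is named `sendmail`, submission runs on port 587 of localhost, and `xyz` is the placeholder lineage name from the question.

```sh
#!/bin/sh
# Certbot deploy hook (assumed path: /etc/letsencrypt/renewal-hooks/deploy/sendmail.sh).
# Certbot exports RENEWED_LINEAGE (the live/<name> directory) when it runs deploy hooks.
set -eu

CERT_DIR="/etc/letsencrypt/live/xyz"   # must match CERT_DIR in starttls.m4 (placeholder)
SMTP_HOST="localhost"                   # assumption: sendmail listens locally on 587
SMTP_PORT="587"

# Return 0 only when the lineage certbot just renewed is the one sendmail reads from.
# Trailing slashes are normalised so /live/xyz/ and /live/xyz compare equal.
should_restart() {
    lineage="${1%/}"
    wanted="${2%/}"
    [ -n "$lineage" ] && [ "$lineage" = "$wanted" ]
}

# SHA-256 fingerprint of a PEM certificate file, value only.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate sendmail actually presents after STARTTLS.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -starttls smtp </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Only act when certbot invoked this hook for the lineage sendmail uses;
# when sourced or run by hand without RENEWED_LINEAGE, nothing is restarted.
if should_restart "${RENEWED_LINEAGE:-}" "$CERT_DIR"; then
    systemctl restart sendmail      # sendmail re-reads the PEM files only on start
    sleep 2                         # give the daemon a moment to bind and load keys
    want=$(file_fingerprint "$CERT_DIR/cert.pem")
    got=$(served_fingerprint "$SMTP_HOST" "$SMTP_PORT")
    if [ "$want" != "$got" ]; then
        echo "sendmail still serves the old certificate ($got != $want)" >&2
        exit 1
    fi
    echo "sendmail is serving $want"
fi
```

Run `certbot renew --dry-run` to exercise the hook, or invoke it directly with `RENEWED_LINEAGE=/etc/letsencrypt/live/xyz` set; a non-zero exit means the restart did not take effect.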