Arnt Gulbrandsen

Using letsencrypt certificates with archiveopteryx

That works; there's no problem at all, for a while. But aox reads its certificate only at startup, and it is stable enough to run for months or years, longer than the 90-day lifetime of a letsencrypt certificate, so eventually it serves an expired certificate because it hasn't reread its configuration since before the last renewal.

I found a really nice unixy solution in incron, a Linux-specific cron-like daemon that uses inotify to watch directories and runs programs when things happen in them. It's small, self-contained and easily debuggable, in the best unix tradition. Charming.

I installed incron with apt-get install incron and added a one-line file as /etc/incron.d/aox-restart:

    /etc/letsencrypt/live IN_CREATE /usr/local/archiveopteryx/bin/aox restart

The three fields are the path to watch, the inotify event mask and the command to run. It is probably better to watch the file the aox tls-certificate setting names, or rather the directory containing it, since certbot replaces the files under the …/live directory at renewal instead of rewriting them in place, but I started with the entire …/live directory for ease of testing: that let me touch a file and see aox restart.

Now aox restarts instantly whenever certbot renews the TLS certificate.
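As an added example (not code from the post or from archiveopteryx), the following script turns the setup above into something a little more careful: it derives the incrontab entry from the path in aox's tls-certificate setting, watches that file's directory (incron watches one directory and not its subdirectories, and certbot replaces the files under live/<name>/ rather than rewriting them), and restarts aox through a hook that refuses to restart onto a missing, non-PEM or already-expired certificate. The configuration file location in AOX_CONF, the hook path /usr/local/sbin/aox-cert-restart and the lock directory are assumptions, not anything the post states; the aox binary path is the one the post uses.

```shell
#!/bin/sh
# Added example, not part of the post or of archiveopteryx.
# Assumed: the aox config location in AOX_CONF, the hook path in HOOK,
# the lock directory in LOCKDIR, and that incron is installed.
AOX_CONF="${AOX_CONF:-/etc/archiveopteryx/archiveopteryx.conf}"     # assumed location
AOX_BIN="${AOX_BIN:-/usr/local/archiveopteryx/bin/aox}"              # path used in the post
HOOK="${HOOK:-/usr/local/sbin/aox-cert-restart hook}"                # hypothetical: this script, installed there
LOCKDIR="${LOCKDIR:-/run/aox-cert-restart.lock}"                     # hypothetical lock directory

# Print the value of tls-certificate from an aox configuration file.
# Lines look like "name = value"; anything after '#' is treated as a comment.
tls_certificate_path() {
    sed -n 's/^[[:space:]]*tls-certificate[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# Build the incrontab line: watched path, event mask, command.
# incron watches a single directory (not recursively), and certbot creates
# new files in live/<name>/ at renewal, so watch the directory that holds
# the configured certificate and trigger on files created or moved into it.
incron_entry() {
    printf '%s IN_CREATE,IN_MOVED_TO %s\n' "$(dirname "$1")" "$2"
}

# Sanity checks before restarting aox onto a certificate file: it must be
# non-empty, contain a PEM certificate, and (if openssl is available) not
# already be expired. A failed check leaves the running aox alone.
cert_usable() {
    [ -s "$1" ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$1" || return 1
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# What incron runs. One renewal creates several files, so several events
# arrive in a burst: the mkdir lock lets only the first of them restart aox,
# and the sleep gives certbot time to finish writing the others.
restart_hook() {
    cert=$(tls_certificate_path "$AOX_CONF")
    mkdir "$LOCKDIR" 2>/dev/null || return 0
    trap 'rmdir "$LOCKDIR"' EXIT
    sleep 5
    if cert_usable "$cert"; then
        "$AOX_BIN" restart
    else
        echo "aox-cert-restart: $cert is not usable, leaving aox running" >&2
        return 1
    fi
}

# Write the incrontab entry; the default target is the file the post used.
install_incrontab() {
    cert=$(tls_certificate_path "$AOX_CONF")
    [ -n "$cert" ] || { echo "no tls-certificate in $AOX_CONF" >&2; return 1; }
    incron_entry "$cert" "$HOOK" > "${1:-/etc/incron.d/aox-restart}"
}

case "${1:-}" in
    install) install_incrontab "$2" ;;
    hook)    restart_hook ;;
esac
```

Run it once with `install` (as root) to write /etc/incron.d/aox-restart, and let incron invoke it with `hook`. Because the hook re-reads the tls-certificate path from the configuration each time, pointing aox at a different file later only requires rerunning `install`; and because it checks the certificate before restarting, a half-written or bad file cannot take the IMAP server down.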

It would be possible to keep existing IMAP connections open across the restart, but frankly I don't think that's worth the effort.