albertito / chasquid

SMTP (email) server with a focus on simplicity, security, and ease of operation [mirror]
https://blitiri.com.ar/p/chasquid/

TLS Certificate reloading #12

Closed ThinkChaos closed 3 years ago

ThinkChaos commented 3 years ago

Hello, I hope 2020 hasn't treated you too horribly.

I've been using chasquid for a while with a custom docker setup, and my only nit left is when my certificate expires, chasquid doesn't reload it on its own. The solution recommended in the how-to is to use a certbot hook. Unfortunately I can't use that as is because certbot and chasquid run in different containers and only "communicate" via the shared certs directory.

I think adding a FS watcher is overkill (and I'm not even sure it would work across overlayfs/docker volumes), but maybe an HTTP endpoint would be fine. Because of my setup, the HTTP endpoint wouldn't need to be authenticated as I can not expose it to the internet, just to the docker network. So adding an insecure /api endpoint disabled by default could be a simple solution.

Would you be willing to merge something like that? Or have a better idea?

albertito commented 3 years ago

chasquid currently does not support reloading certificates while running, it needs to be restarted to pick up the new ones. This was a conscious decision since implementing cert reloading would introduce significant complexity, for very little gain given how tolerant SMTP is, and how fast chasquid restarts.

chasquid launching a new instance of itself also gets complicated (due to privileged descriptor passing, etc.), that's why nowadays many daemons delegate these things to the launcher (like systemd), instead of trying to handle all this logic themselves (as was more common in the past).

I would, then, focus on ways to restart chasquid in your particular environment. If it had a /quit endpoint in the monitoring server, for example, would that help you? Do you run chasquid with something that would start it again if it dies, like systemd?

Thanks!

ThinkChaos commented 3 years ago

You're right, even restarting would be complex. /quit would be great as I do use an init in Docker that will restart it automatically.

albertito commented 3 years ago

ThinkChaos implemented the /exit handler in #13, commit 99ec58bfcd in next, so I think that should fix this issue.

ThinkChaos, can you confirm the change in next works for you? It's not too late to adjust and amend, so please let me know how it goes.

Thanks!
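The setup agreed on above (a shared certs volume, an unauthenticated exit handler on chasquid's monitoring server, and an init that restarts the process) still needs something on the certbot side that notices a renewed certificate and triggers the exit. The script below is an added example of that glue, not code from chasquid or from either participant. It assumes a monitoring address of `http://chasquid:1099`, an exit handler at `/exit` that accepts a POST, a certificate path under `/etc/letsencrypt/live/`, and that `sha256sum` and `curl` are available in the certbot container; all of these are assumptions, not facts from the issue.

```shell
#!/bin/sh
# Added example (not part of chasquid): watch the certificate on the shared
# volume and ask chasquid to exit when it changes, so the container init
# restarts it with the new certificate. Run it as the certbot container's
# sidecar loop ("loop") or from a certbot deploy hook ("once").
#
# Assumptions (not from the issue): the monitoring server is reachable on the
# Docker network at http://chasquid:1099, the exit handler lives at /exit and
# is triggered with a POST, and the certificate path below is a placeholder.
set -u

CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/mail.example.com/fullchain.pem}"
STATE_FILE="${STATE_FILE:-/var/lib/cert-watch/last.sha256}"
EXIT_URL="${EXIT_URL:-http://chasquid:1099/exit}"
INTERVAL="${INTERVAL:-300}"

# Print the SHA-256 of a file; fail if the file is missing or unreadable.
cert_hash() {
    [ -r "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed (return 0) only if the certificate differs from the last recorded
# hash, and record the new hash. Usage: cert_changed CERT_FILE STATE_FILE
cert_changed() {
    new=$(cert_hash "$1") || return 1
    old=""
    [ -r "$2" ] && old=$(cat "$2")
    if [ "$new" = "$old" ]; then
        return 1
    fi
    mkdir -p "$(dirname "$2")"
    printf '%s\n' "$new" > "$2"
    return 0
}

# Ask chasquid to exit. The endpoint carries no authentication, so the
# monitoring address must only be reachable from the internal Docker network,
# never from the internet. Short timeout: the process is expected to go away.
notify_chasquid() {
    curl --silent --show-error --fail --max-time 5 -X POST "$1" >/dev/null
}

# One check: only poke chasquid when the certificate actually changed, so a
# hook that fires on every certbot run does not restart the server needlessly.
check_once() {
    if cert_changed "$CERT_FILE" "$STATE_FILE"; then
        echo "certificate changed, asking chasquid to exit"
        notify_chasquid "$EXIT_URL"
    fi
}

# Polling loop for the sidecar case (file watchers are unreliable across
# overlayfs/volume boundaries, so mtime/hash polling is the safer choice).
main_loop() {
    while :; do
        check_once
        sleep "$INTERVAL"
    done
}

case "${1:-}" in
    once) check_once ;;
    loop) main_loop ;;
esac
```

Hashing the file rather than checking its mtime avoids spurious restarts when certbot rewrites an unchanged chain, and the state file makes the check idempotent across deploy-hook invocations. Because the exit endpoint is unauthenticated, the same network isolation the issue relies on (monitoring port bound only to the Docker network) is what makes this safe.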

ThinkChaos commented 3 years ago

I'm now using next and it works great! Looking forward to the next release with this minor change. Thanks!

I'll let you close this issue when you want.

albertito commented 3 years ago

Thanks a lot for the patch and the confirmation!

I think we can now close this, the change will be moved to master in a few days (just to give it more exposure in next in case something comes up), and will be included in the 1.6 release.

Thanks again!