DevHeads.net

Certificate Replacement

I am needing to replace the certificate and key. Are they read and cached when postfix starts, or are they read during normal mail handling? In other words, can I replace the files or do I need to do a reload or restart of the service afterwards?

-- Doug

Comments

Re: Certificate Replacement

By Philip Paeps at 04/12/2018 - 23:21

On 2018-04-12 16:25:21 (-0700), Doug Hardie wrote:
As pointed out, you don't need to restart (and usually don't even need
to reload) Postfix for the new keys and certificates to take effect.

However: do keep in mind that if you're using DANE and you're replacing
the keys, you need to allow enough time for the keys to roll over in the
DNS.

Unless you have a real need to replace the keys (e.g. compromise,
policy), it may be easier to simply reissue the certificate without
generating new keys. In that case, you can use "3 1 1" TLSA records in
the DNS and you don't need to roll them when you're simply reissuing
your certificates.

Philip
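Philip's point about "3 1 1" records can be checked before the files are swapped. The script below is an added example, not code from the thread or from Postfix: it computes the DANE-EE TLSA rdata (usage 3, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) for a certificate and compares it with a published record. It goes a little beyond the post by building three constructed self-signed certificates (original key, same key reissued, fresh key) to show both outcomes; the host name mail.example.test and all file names are made up, and openssl(1) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): derive the "3 1 1" TLSA rdata for a
# certificate and check whether a replacement certificate keeps it unchanged.
# Usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256,
# so the rdata depends only on the public key, not on issuer, serial or dates.
# Requires openssl(1); every name below is constructed for the demo.
set -eu

# tlsa_311 CERT_PEM -> prints "3 1 1 <64 hex chars>"
tlsa_311() {
    digest=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | od -An -v -tx1 | tr -d ' \n')
    printf '3 1 1 %s\n' "$digest"
}

# tlsa_matches CERT_PEM RDATA -> succeeds iff CERT_PEM's 3 1 1 rdata equals RDATA
# (in real use RDATA is what _25._tcp.<mx-host> TLSA currently publishes).
tlsa_matches() {
    [ "$(tlsa_311 "$1")" = "$2" ]
}

# make_demo_certs -> prints a temp dir holding three constructed self-signed certs:
#   cert-old.pem       original key
#   cert-reissued.pem  same key, new certificate (what a plain reissue produces)
#   cert-rekeyed.pem   fresh key (what a key rollover produces)
make_demo_certs() {
    d=$(mktemp -d)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/key1.pem" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/key2.pem" 2>/dev/null
    for pair in "key1:cert-old" "key1:cert-reissued" "key2:cert-rekeyed"; do
        key=${pair%%:*}; cert=${pair#*:}
        openssl req -x509 -new -key "$d/$key.pem" -subj "/CN=mail.example.test" \
            -days 90 -out "$d/$cert.pem" 2>/dev/null
    done
    printf '%s\n' "$d"
}

# Stand-alone run: a reissue keeps the record, a rekey does not.
if [ "${DEMO:-1}" = 1 ]; then
    D=$(make_demo_certs)
    published=$(tlsa_311 "$D/cert-old.pem")
    echo "published: $published"
    tlsa_matches "$D/cert-reissued.pem" "$published" && echo "reissued cert: TLSA record still valid"
    tlsa_matches "$D/cert-rekeyed.pem" "$published" || echo "rekeyed cert: roll the TLSA record first"
    rm -rf "$D"
fi
```

Running it prints the same rdata for the old and reissued certificates and a "roll the TLSA record first" line for the rekeyed one. In practice the second argument to tlsa_matches is the rdata currently served for the MX host's TLSA record; a mismatch means the new key must go through the DNS rollover Viktor's links describe before it is installed.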

Re: Certificate Replacement

By Viktor Dukhovni at 04/12/2018 - 23:26

For mistakes to avoid and the latest best practice key rotation approaches for DANE see:

https://dane.sys4.de/common_mistakes
http://imrryr.org/~viktor/ICANN61-viktor.pdf
http://imrryr.org/~viktor/icann61-viktor.mp3

The original timing considerations are described in:

http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4

but the ideas in the ICANN61 slides incorporate more recent insights.

Re: Certificate Replacement

By Ian R. Bennett at 04/12/2018 - 19:29

On 2018-04-12 16:25, Doug Hardie wrote:
You'll need to restart postfix.

/i.

Re: Certificate Replacement

By Viktor Dukhovni at 04/12/2018 - 19:35

That's false. Each smtpd(8) process handles a limited number of
connections ($max_use, default 100) and exits. It also exits when
idle for sufficiently long ($max_idle, default 100s).

Since each smtpd(8) process reads the certificates for itself, unless
the cert/key rotation is extremely urgent (the current cert is
expired and causes problems, i.e. key rotation is already too
late) there is no need for a restart.

And even when the key rotation is urgent, "postfix reload" is sufficient;
you don't need to restart. This allows existing connections to finish
gracefully.
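A replacement done the way Viktor describes is just a file swap plus, at most, a reload. The script below is an added example (not from the thread, not Postfix's own tooling) of that procedure: it checks that the new key and certificate belong together, installs them atomically so a freshly started smtpd(8) never reads a half-written file, and only calls "postfix reload" when asked to. The paths and the mail.example.test name are constructed, openssl(1) is assumed to be installed, and in real use it runs as root.

```shell
#!/bin/sh
# Added example (not from the thread): install a replacement key and certificate
# for Postfix without stopping it. New smtpd(8) processes read the files when
# they start; with the defaults quoted above each one exits after $max_use=100
# connections or $max_idle=100s, so the new files take over by themselves.
# "postfix reload" is issued only on request. Requires openssl(1); paths are
# constructed for the demo.
set -eu

# key_matches_cert KEY_PEM CERT_PEM -> succeeds iff the key's public half equals
# the certificate's public key (catches a key/cert mix-up before smtpd sees it).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# install_atomic SRC DST MODE -> copy SRC to a temp file in DST's directory,
# set MODE, then rename over DST; rename is atomic, so readers see old or new.
install_atomic() {
    tmp=$(mktemp "$(dirname "$2")/.tmp.XXXXXX")
    cp "$1" "$tmp"
    chmod "$3" "$tmp"
    mv -f "$tmp" "$2"
}

# deploy NEW_KEY NEW_CERT LIVE_KEY LIVE_CERT [reload]
# Installs the pair (key readable by root only, cert world-readable) and then
# reloads Postfix only if the fifth argument is "reload" and postfix(1) exists.
deploy() {
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match, not installing" >&2; return 1; }
    install_atomic "$1" "$3" 0600
    install_atomic "$2" "$4" 0644
    if [ "${5:-}" = reload ] && command -v postfix >/dev/null 2>&1; then
        postfix reload   # graceful: running sessions finish, new smtpd(8)s use the new files
    fi
}

# Stand-alone demo against a temp dir (no Postfix needed): constructed key/cert.
if [ "${DEMO:-1}" = 1 ]; then
    T=$(mktemp -d)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$T/new.key" 2>/dev/null
    openssl req -x509 -new -key "$T/new.key" -subj "/CN=mail.example.test" -days 90 -out "$T/new.crt" 2>/dev/null
    deploy "$T/new.key" "$T/new.crt" "$T/live.key" "$T/live.crt" && ls -l "$T/live.key" "$T/live.crt"
    rm -rf "$T"
fi
```

There is a short window between installing the key and the certificate in which a starting smtpd(8) could read a mismatched pair; it is only a few milliseconds, but if that matters, keep key and certificate in one file (Postfix 3.4 and later accept a combined file via smtpd_tls_chain_files) so a single rename replaces both. With the non-urgent rotation Doug describes, dropping the "reload" argument and letting $max_use and $max_idle recycle the processes is enough.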

Re: Certificate Replacement

By Ian R. Bennett at 04/12/2018 - 20:19

* Viktor Dukhovni (aka postfix- ... at dukhovni dot org) used 1.0K on Thu, 12 Apr 2018 at 19:35 -0400 to say:
Well that's cool. Time to update my letsencrypt scripts then.

/i.

Re: Certificate Replacement

By Doug Hardie at 04/12/2018 - 20:01

That is even better. Thanks for the correction. Since the replacement is not time critical, the old certificates will have a few days validity remaining. One of those limits will certainly be reached by then.

-- Doug

Re: Certificate Replacement

By Doug Hardie at 04/12/2018 - 19:31

Thanks. I suspect then the best approach is to stop the service, replace the certificates, and then start the service again. That is what I am having to do for dovecot anyway.

-- Doug