On 2023-01-09 Jeremy Harris via Exim-users <exim-users@???> wrote:
> On 09/01/2023 17:39, Andreas Metzler via Exim-users wrote:
[...]
>>> something changed how exim or openssl3 is handling the underlying
>>> certificate switch detection. As Exim had only a tiny minor switch, OpenSSL3
>>> is my personal candidate for this.
>> [...]
>> The major change in recentish time was in 4.95
>> 11. Faster TLS startup. When various configuration options contain no
>> expandable elements, the information can be preloaded and cached rather
>> than the previous behaviour of always loading at startup time for every
>> connection. This helps particularly for the CA bundle.
>>
>> I have also switched to restarting instead of HUP-ing my exim after cert
>> updates at some point because the old cert still showed up.
> Interesting. Is/are your cert(s) behind a symlink, from the place
> baked into the TLS library (which is what Exim monitors)?
> If so, you should pick up commits ef57b25bfa76, a1ec98dd9637
> "Symlink following for TLS creds files"
> These are post-4.96 so have not hit a release yet.
Hello Jeremy,
I have had this on my TODO, waiting for the next letsencrypt cert
update. I dropped the
"service exim4 stop ; sleep .2 ; service exim4 start"
from my post update script and checked whether exim now automatically
saw the new certs. It did. :-)
I am not symlinking my certs and since this was on Debian's 4.96-14~bpo11+1
neither of the two symlink-cert fixes is included. (I will consider
cherry-picking them anyway.) So it looks like something else was broken
at some point in time and is fixed again.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
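The check Andreas describes doing by hand after a Let's Encrypt renewal (did the running daemon pick up the new cert, or is it still serving the cached one?) as an added script; this is not part of the thread or of Exim, and the file path, host name and the `make_pem` fixture helper are assumptions for illustration.

```python
import base64
import hashlib
import smtplib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def der_fingerprint(der: bytes) -> str:
    """SHA-256 of a DER cert; same digest as `openssl x509 -fingerprint -sha256` minus colons."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first cert in a PEM file (a fullchain.pem lists the leaf first)."""
    start = pem_text.index(PEM_BEGIN)
    end = pem_text.index(PEM_END, start) + len(PEM_END)
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text[start:end]))


def served_fingerprint(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Fingerprint of the leaf cert presented after STARTTLS; verification is off
    on purpose so a stale or expired cert is still reported exactly as served."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return der_fingerprint(smtp.sock.getpeercert(binary_form=True))


def cert_is_current(disk_pem: str, served_der: bytes) -> bool:
    """True when the daemon serves the certificate that is on disk right now."""
    return pem_fingerprint(disk_pem) == der_fingerprint(served_der)


def make_pem(der: bytes) -> str:
    """Wrap bytes as a PEM block; only used here to build constructed fixtures."""
    body = base64.encodebytes(der).decode("ascii")
    return f"{PEM_BEGIN}\n{body}{PEM_END}\n"


if __name__ == "__main__":
    import sys
    # usage: check_exim_cert.py /path/to/fullchain.pem mail.example.org [port]  (assumed paths)
    cert_path, host = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 25
    with open(cert_path, encoding="ascii") as fh:
        on_disk = pem_fingerprint(fh.read())
    live = served_fingerprint(host, port)
    print("on disk:", on_disk, "\nserved: ", live)
    sys.exit(0 if on_disk == live else 1)  # non-zero: daemon still holds the old cert
```

Run it from the renewal hook after the new cert is written; a non-zero exit is the signal that the cached credentials were not refreshed and a restart is still needed.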