The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
Yesterday during the day my mailserver suddenly lost its certificate validity.
I'm running postfix/dovecot and the certificates used are the links in
/etc/letsencrypt/live/<domain/hostname>/cert.pem etc.
Although the valid certificate (expiring Apr 29, 2023) was already behind the link
the mailserver still hung on the old certificate, expiring Feb 28.
BTW, the expire date Feb 28, 2023 means from 0 a.m. of this day the cert has expired, right?
So, my question is, why did the mail server still use the old certificate?
Could it be that the file is opened or locked and thus the new file isn't used?
After rebooting the server all was fine. Would that mean that, whenever certbot is updating, I should run a script that restarts the mail server?
I just noticed that I already had this case opened in:
You should've added a renewal hook --renewal-hook to reload/restart your mailserver when you renew that. But not sure how one adds a hook on an already running lineage. Edit /etc/letsencrypt/renewal/${certname}.conf?
From version 2.3.0 and higher, Certbot supports the reconfigure subcommand which should allow you to add such parameters as the renewal hook without actually getting a new certificate (if there's no renewal pending).
Your version of 0.31.0 is ancient and I recommend upgrading to the newest version.
Certbot just procures certificates for you and puts them on disk. You have to instruct Certbot to restart or alert services about the new certificates. (If you use a Certbot plugin like apache or nginx, it should restart those automatically).
You will need renewal hooks that cover all services that use your certificate:
dovecot
postfix
potentially apache/nginx/etc if you have a webmail system installed on that domain
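
One way to write the hook this thread describes, as an added example that is not taken from any of the posts: a script placed in Certbot's deploy-hook directory, which Certbot runs after each successful renewal with RENEWED_LINEAGE set to the renewed certificate's live directory. The file name reload-mail.sh, the lineage name mail.example.org, and the use of systemd are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example (hypothetical file name):
#   /etc/letsencrypt/renewal-hooks/deploy/reload-mail.sh   (must be executable)
# Long-running daemons keep the certificate they loaded at startup in memory,
# so replacing the files under live/ changes nothing until they are reloaded.

# Assumption: name of the certificate lineage used by the mail services.
MAIL_CERT_NAME="${MAIL_CERT_NAME:-mail.example.org}"
# Services named in the thread that use this certificate.
MAIL_SERVICES="${MAIL_SERVICES:-postfix dovecot}"
# Assumption: systemd host. Use "systemctl restart" if a plain reload does
# not make a service pick up the new certificate on your setup.
RELOAD_CMD="${RELOAD_CMD:-systemctl reload}"

# Print the services to reload for a lineage path, one per line.
# Lineages other than the mail certificate produce no output.
services_for_lineage() {
    case "$(basename "$1")" in
        "$MAIL_CERT_NAME") printf '%s\n' $MAIL_SERVICES ;;
        *) : ;;
    esac
}

# Reload every service tied to the lineage. One failing service does not
# stop the others, but the function returns non-zero so the failure shows
# up in Certbot's log instead of passing silently.
reload_services() {
    rc=0
    for svc in $(services_for_lineage "$1"); do
        if $RELOAD_CMD "$svc"; then
            echo "reloaded $svc"
        else
            echo "failed to reload $svc" >&2
            rc=1
        fi
    done
    return $rc
}

# Certbot sets RENEWED_LINEAGE when it calls a deploy hook; when the script
# is run by hand without it, nothing is reloaded.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_services "$RENEWED_LINEAGE"
fi
```

To exercise it without touching the services, run it by hand with RENEWED_LINEAGE set to the live directory and RELOAD_CMD set to `echo`.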