| Re: [chrony-users] Re: NTS Server Setup with Let's Encrypt |
[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]
Indeed the Debian packaging currently does not provide a script for certbot to call upon certificate renewal.
The script goes in the deploy subfolder, and there is an entry in the /etc/default/chrony config file to indicate the certificate name upon whose renewal the script shall be called (actually, it is called for every renewal, but it only does stuff when the certificate name is the one configured).
Kind regards,
Joachim
20.04.2025 18:44:03 Sviatoslav Feshchenko <sviatoslav.feshchenko@xxxxxxxxx>:
You are a good man! Thank you for doing that.
But this raises a question. Does that means that Debian 12 currently does not have the ability to execute these scripts upon certificate renewal? I just checked and I have the following directory present on the system:/etc/letsencrypt/renewal-hooks
And inside of it, there are 3 sub-directories:
deploypostpre
I haven' tried yet, but if I place a script on the deploy folder, would it not execute once the certificate is renewed?
Sviatoslav
On Sunday, April 20th, 2025 at 12:36 PM, kross@xxxxxxxxxxxxxxxxxxxx <kross@xxxxxxxxxxxxxxxxxxxx> wrote:
This script can copy the certificates after renewal and restart chrony, so it should be easy to automate this.
I proposed for such a certbot renewal hook script to be included in the Debian package, maybe it is of use to you. Works well for me so far, I only have minor update in the pipeline to only restart chronyd when it is actually running.
https://salsa.debian.org/debian/chrony/-/merge_requests/14
Kind regards,
Joachim
20.04.2025 18:20:48 Sviatoslav Feshchenko <sviatoslav.feshchenko@xxxxxxxxx>:
Thank you James and Rob.
I think Rob is right. No matter what I did with permission, it just didn't work. As a workaround, I simply copied the certificates to a different directory and chrony now loads the certificates without issues, and I am now able to synchronize to the server using NTS!
Copying the certificates may be an acceptable solution, because certbot offers pre and post validation hooks, which will execute a script before/after renewal. This script can copy the certificates after renewal and restart chrony, so it should be easy to automate this.
Many many thanks!Sviatoslav
On Sunday, April 20th, 2025 at 11:53 AM, Rob Janssen <chrony-users@xxxxxxxxx> wrote:
Modern Linux systems often have something like SELinux which limits where certain programs can open files.
Just putting extra config files in "myfolder" isn't going to work, and the error messages can be misleading...
Rob
On 2025-04-20 14:58, Sviatoslav Feshchenko wrote:
Made a bit of progress with the issue. The server error log has the following entry after startup: "Could not set credentials : Error while reading file."
This means it can't read the certificate files.
Tried to change permissions using the following command:Whersetfacl -R -m u:_chrony:rwx myfoldermyfolderis the directory where the certificates are located.
Still not working, giving same error message.
What would be the correct way of giving chrony permissions to read the certificate files created by certbot, without breaking the web server? I am running Debian 12.
Many thanks!
Sviatoslav
On Saturday, April 19th, 2025 at 9:02 PM, Sviatoslav Feshchenko <sviatoslav.feshchenko@xxxxxxxxx> wrote:
…
| Mail converted by MHonArc 2.6.19+ | http://listengine.tuxfamily.org/ |