| Re: [chrony-users] Re: NTS Server Setup with Let's Encrypt |
[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]
Maybe one thing, probably not relevant for you (since you had previously copied the pem files, and manually set the proper permissions on them): If there aren't preexisting pem files with proper permissions in your destination paths, the files that your approach would create from scratch might not have the right permissions.
Kind regards,
Joachim
20.04.2025 19:40:44 kross@xxxxxxxxxxxxxxxxxxxx:
No, there is no issue with the approach you outlined. My proposal to Debian just included a ready-made script that you could have used.
But yours works fine as well. Some caveats, e.g., it would trigger, and do its stuff, on renewal of _every_ certificate on the system, e.g., if you have separate certificates for multiple domains, or different certs for chronyd and your web server for the same domain name. But if you don't have such "advanced" configurations, no issue (and many, if not most people, probably don't).
Kind regards
Joachim
20.04.2025 19:27:57 Sviatoslav Feshchenko <sviatoslav.feshchenko@xxxxxxxxx>:
Perhaps I am not fully understanding you. I just created a script in /etc/letsencrypt/renewal-hooks/deploy directory with the following content:
#!/bin/bash
FULLCHAIN_PATH="${RENEWED_LINEAGE}/fullchain.pem"PRIVKEY_PATH="${RENEWED_LINEAGE}/privkey.pem"
cat "${FULLCHAIN_PATH}" > /etc/chrony/certs/fullchain.pemcat "${PRIVKEY_PATH}" > /etc/chrony/certs/privkey.pem
systemctl restart chronydsystemctl restart gpsd
Then I forced certificate renewal by issuing the following command:
certbot renew --force-renewal
I can confirm that the above script was executed upon successful renewal and that chrony and gpsd were restarted and everything is working fine. Are you then suggesting that auto renewal will not trigger this script? Is there an issue with the approach outlined above?
Many thanks for all your help!
Sviatoslav
On Sunday, April 20th, 2025 at 12:53 PM, kross@xxxxxxxxxxxxxxxxxxxx <kross@xxxxxxxxxxxxxxxxxxxx> wrote:
Indeed the Debian packaging currently does not provide a script for certbot to call upon certificate renewal.
The script goes in the deploy subfolder, and there is an entry in the /etc/default/chrony config file to indicate the certificate name upon whose renewal the script shall be called (actually, it is called for every renewal, but it only does stuff when the certificate name is the one configured).
Kind regards,
Joachim
20.04.2025 18:44:03 Sviatoslav Feshchenko <sviatoslav.feshchenko@xxxxxxxxx>:
You are a good man! Thank you for doing that.
But this raises a question. Does that means that Debian 12 currently does not have the ability to execute these scripts upon certificate renewal? I just checked and I have the following directory present on the system:/etc/letsencrypt/renewal-hooks
And inside of it, there are 3 sub-directories:
deploypostpre
I haven' tried yet, but if I place a script on the deploy folder, would it not execute once the certificate is renewed?
Sviatoslav
On Sunday, April 20th, 2025 at 12:36 PM, kross@xxxxxxxxxxxxxxxxxxxx <kross@xxxxxxxxxxxxxxxxxxxx> wrote:
…
I proposed for such a certbot renewal hook script to be included in the Debian package, maybe it is of use to you. Works well for me so far, I only have minor update in the pipeline to only restart chronyd when it is actually running.
https://salsa.debian.org/debian/chrony/-/merge_requests/14
Kind regards,
Joachim
20.04.2025 18:20:48 Sviatoslav Feshchenko <sviatoslav.feshchenko@xxxxxxxxx>:
…
| Mail converted by MHonArc 2.6.19+ | http://listengine.tuxfamily.org/ |