| Re: [chrony-users] Re: NTS Server Setup with Let's Encrypt |
[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]
20.04.2025 20:06:36 Sviatoslav Feshchenko <sviatoslav.feshchenko@xxxxxxxxx>:
My setup if very straightforward, with only one domain and set of certificates. So it works well enough for me.
I look forward to check out your proposal to Debian. Hopefully it gets merged soon and make things easier in this respect.
It would also be nice to have a professional tutorial on the chrony website using let's encrypt certificates. Maybe if Miroslav has some extra time and interest, I think that's something of value that can be added, or at least a link to such a tutorial.
I don't think I'll have any issues with the permissions going forward either. Again, I tried with a forced renewal and it worked perfectly fine!
Many many thanks to each of you for the assistance.
Warm regards,Sviatoslav
On Sunday, April 20th, 2025 at 1:47 PM, kross@xxxxxxxxxxxxxxxxxxxx <kross@xxxxxxxxxxxxxxxxxxxx> wrote:
Maybe one thing, probably not relevant for you (since you had previously copied the pem files, and manually set the proper permissions on them): If there aren't preexisting pem files with proper permissions in your destination paths, the files that your approach would create from scratch might not have the right permissions.
Kind regards,
Joachim
20.04.2025 19:40:44 kross@xxxxxxxxxxxxxxxxxxxx:
No, there is no issue with the approach you outlined. My proposal to Debian just included a ready-made script that you could have used.
But yours works fine as well. Some caveats, e.g., it would trigger, and do its stuff, on renewal of _every_ certificate on the system, e.g., if you have separate certificates for multiple domains, or different certs for chronyd and your web server for the same domain name. But if you don't have such "advanced" configurations, no issue (and many, if not most people, probably don't).
Kind regards
Joachim
20.04.2025 19:27:57 Sviatoslav Feshchenko <sviatoslav.feshchenko@xxxxxxxxx>:
Perhaps I am not fully understanding you. I just created a script in /etc/letsencrypt/renewal-hooks/deploy directory with the following content:
#!/bin/bash
FULLCHAIN_PATH="${RENEWED_LINEAGE}/fullchain.pem"PRIVKEY_PATH="${RENEWED_LINEAGE}/privkey.pem"
cat "${FULLCHAIN_PATH}" > /etc/chrony/certs/fullchain..pemcat "${PRIVKEY_PATH}" > /etc/chrony/certs/privkey.pem
systemctl restart chronydsystemctl restart gpsd
Then I forced certificate renewal by issuing the following command:
certbot renew --force-renewal
I can confirm that the above script was executed upon successful renewal and that chrony and gpsd were restarted and everything is working fine. Are you then suggesting that auto renewal will not trigger this script? Is there an issue with the approach outlined above?
Many thanks for all your help!
Sviatoslav
On Sunday, April 20th, 2025 at 12:53 PM, kross@xxxxxxxxxxxxxxxxxxxx <kross@xxxxxxxxxxxxxxxxxxxx> wrote:
Indeed the Debian packaging currently does not provide a script for certbot to call upon certificate renewal.
The script goes in the deploy subfolder, and there is an entry in the /etc/default/chrony config file to indicate the certificate name upon whose renewal the script shall be called (actually, it is called for every renewal, but it only does stuff when the certificate name is the one configured).
Kind regards,
Joachim
20.04.2025 18:44:03 Sviatoslav Feshchenko <sviatoslav..feshchenko@xxxxxxxxx>:
…
| Mail converted by MHonArc 2.6.19+ | http://listengine.tuxfamily.org/ |