Re: [chrony-users] Re: NTS Server Setup with Let's Encrypt

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

so why don't copy them before and give them the correct right ?

Sure, but why not let the deploy hook do that as well for you?


the hook is used to restart services

Yes, if that is all you tell it to do. But it can do more than that.

The deploy hook does whatever you tell it to do, as defined by the script one places in the deploy subfolder.

Kind regards,

Joachim

23.04.2025 11:31:04 Gerd Hoerst <gerd@xxxxxxxxxx>:

Hi !

the hook is used to restart services (like apache/postfix/dovecot) after a renewal (if there was no user right issue, you need also to restart/reload chrony to use the new certs... so why don't copy them before and give them the correct rights ?

Ciao Gerd

Am 22.04.25 um 23:51 schrieb kross@xxxxxxxxxxxxxxxxxxxx:
Why just do that in the renewal-hook/post script ?

Not sure I fully grasp your drift, so apologies if the following is old news.

The point of the certbot renewal hook is automation of deployment.

Nothing wrong with manually keeping track of the validity of existing certificates, e.g., periodically checking, setting a reminder somewhere, having a tool that checks and alerts, or waiting until someone or something alerts upon finding an expired certificate (as you will have seen, Let's encrypt will cease sending reminders in the near future). And then deploying manually (assuming certbot did an automated renewal, or maybe do that manually as well).

But once the number of certificates to keep track of reaches a certain level, or the thrill of learning the ropes, i.e., setting this up in the first place, and going through the motions of deploying manually after (manual or automated) renewal, diminishes after a few iterations, automated deployment (after automated renewal) is your friend.

As always, YMMV.

Kind regards,

Joachim

22.04.2025 22:50:06 Sviatoslav Feshchenko <sviatoslav.feshchenko@xxxxxxxxx>:

This seem like a simpler solution! Thank you for sharing!

Sviatoslav

On Tuesday, April 22nd, 2025 at 3:32 AM, Gerd Hoerst <gerd@xxxxxxxxxx> wrote:

Hi !

Why just do that in the renewal-hook/post script ?

cp -L /etc/letsencrypt/live/time.hoerst.net/cert.pem /etc/chrony/cert/
cp -L /etc/letsencrypt/live/time.hoerst.net/privkey.pem /etc/chrony/cert/
chmod g+r /etc/chrony/cert/*
systemctl restart chrony

Ciao Gerd

Am 20.04.25 um 19:40 schrieb kross@xxxxxxxxxxxxxxxxxxxx:
No, there is no issue with the approach you outlined. My proposal to Debian just included a ready-made script that you could have used.

But yours works fine as well. Some caveats, e.g., it would trigger, and do its stuff, on renewal of _every_ certificate on the system, e.g., if you have separate certificates for multiple domains, or different certs for chronyd and your web server for the same domain name. But if you don't have such "advanced" configurations, no issue (and many, if not most people, probably don't).

Kind regards

Joachim

20.04.2025 19:27:57 Sviatoslav Feshchenko <sviatoslav.feshchenko@xxxxxxxxx>:



Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/