Re: [chrony-users] Re: NTS Server Setup with Let's Encrypt

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

Hello Gerd,

Assuming that your intention is to run an NTS server at the domain you shared as part of your example, just fyi that it is accepting TCP connections, but it seems it is not accepting TLS connections on the default NTS-KE port. In case you're running chronyd (strong likelihood given the forum), in my experience,  that can happen when chronyd is not able to read one or more of the credential files, e.g., because chronyd cannot find it/them in the place configured, or chronyd doesn't have read rights for the file(s).

Kind regards,

Joachim

23.04.2025 11:37:09 kross@xxxxxxxxxxxxxxxxxxxx:

so why don't copy them before and give them the correct right ?

Sure, but why not let the deploy hook do that as well for you?


the hook is used to restart services

Yes, if that is all you tell it to do. But it can do more than that.

The deploy hook does whatever you tell it to do, as defined by the script one places in the deploy subfolder.

Kind regards,

Joachim

23.04.2025 11:31:04 Gerd Hoerst <gerd@xxxxxxxxxx>:

Hi !

the hook is used to restart services (like apache/postfix/dovecot) after a renewal (if there was no user right issue, you need also to restart/reload chrony to use the new certs... so why don't copy them before and give them the correct rights ?

Ciao Gerd

Am 22.04.25 um 23:51 schrieb kross@xxxxxxxxxxxxxxxxxxxx:
Why just do that in the renewal-hook/post script ?

Not sure I fully grasp your drift, so apologies if the following is old news.

The point of the certbot renewal hook is automation of deployment.

Nothing wrong with manually keeping track of the validity of existing certificates, e.g., periodically checking, setting a reminder somewhere, having a tool that checks and alerts, or waiting until someone or something alerts upon finding an expired certificate (as you will have seen, Let's encrypt will cease sending reminders in the near future). And then deploying manually (assuming certbot did an automated renewal, or maybe do that manually as well).

But once the number of certificates to keep track of reaches a certain level, or the thrill of learning the ropes, i.e., setting this up in the first place, and going through the motions of deploying manually after (manual or automated) renewal, diminishes after a few iterations, automated deployment (after automated renewal) is your friend.

As always, YMMV.

Kind regards,

Joachim

22.04.2025 22:50:06 Sviatoslav Feshchenko <sviatoslav.feshchenko@xxxxxxxxx>:

This seem like a simpler solution! Thank you for sharing!

Sviatoslav

On Tuesday, April 22nd, 2025 at 3:32 AM, Gerd Hoerst <gerd@xxxxxxxxxx> wrote:

Hi !

Why just do that in the renewal-hook/post script ?

cp -L /etc/letsencrypt/live/time.hoerst.net/cert.pem /etc/chrony/cert/
cp -L /etc/letsencrypt/live/time.hoerst.net/privkey.pem /etc/chrony/cert/
chmod g+r /etc/chrony/cert/*
systemctl restart chrony

Ciao Gerd

Am 20.04.25 um 19:40 schrieb kross@xxxxxxxxxxxxxxxxxxxx:


Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/