Hello Gerd,
Assuming that your intention is to run an NTS server at the domain you
shared as part of your example, just fyi that it is accepting TCP
connections, but it seems it is not accepting TLS connections on the
default NTS-KE port. In case you're running chronyd (strong likelihood
given the forum), in my experience, that can happen when chronyd is
not able to read one or more of the credential files, e.g., because
chronyd cannot find it/them in the place configured, or chronyd
doesn't have read rights for the file(s).
Kind regards,
Joachim
23.04.2025 11:37:09 kross@xxxxxxxxxxxxxxxxxxxx:
so why don't copy them before and give them the correct right ?
Sure, but why not let the deploy hook do that as well for you?
the hook is used to restart services
Yes, if that is all you tell it to do. But it can do more than that.
The deploy hook does whatever you tell it to do, as defined by the
script one places in the deploy subfolder.
Kind regards,
Joachim
23.04.2025 11:31:04 Gerd Hoerst <gerd@xxxxxxxxxx>:
Hi !
the hook is used to restart services (like apache/postfix/dovecot)
after a renewal (if there was no user right issue, you need also to
restart/reload chrony to use the new certs... so why don't copy them
before and give them the correct rights ?
Ciao Gerd
Am 22.04.25 um 23:51 schrieb kross@xxxxxxxxxxxxxxxxxxxx:
Why just do that in the renewal-hook/post script ?
Not sure I fully grasp your drift, so apologies if the following is
old news.
The point of the certbot renewal hook is automation of deployment.
Nothing wrong with manually keeping track of the validity of existing
certificates, e.g., periodically checking, setting a reminder
somewhere, having a tool that checks and alerts, or waiting until
someone or something alerts upon finding an expired certificate (as
you will have seen, Let's encrypt will cease sending reminders in the
near future). And then deploying manually (assuming certbot did an
automated renewal, or maybe do that manually as well).
But once the number of certificates to keep track of reaches a certain
level, or the thrill of learning the ropes, i.e., setting this up in
the first place, and going through the motions of deploying manually
after (manual or automated) renewal, diminishes after a few
iterations, automated deployment (after automated renewal) is your
friend.
As always, YMMV.
Kind regards,
Joachim
22.04.2025 22:50:06 Sviatoslav Feshchenko
<sviatoslav.feshchenko@xxxxxxxxx>:
This seem like a simpler solution! Thank you for sharing!
Sviatoslav
On Tuesday, April 22nd, 2025 at 3:32 AM, Gerd Hoerst
<gerd@xxxxxxxxxx> wrote:
Hi !
Why just do that in the renewal-hook/post script ?
cp -L /etc/letsencrypt/live/time.hoerst.net/cert.pem
/etc/chrony/cert/
cp -L /etc/letsencrypt/live/time.hoerst.net/privkey.pem
/etc/chrony/cert/
chmod g+r /etc/chrony/cert/*
systemctl restart chrony
Ciao Gerd
Am 20.04.25 um 19:40 schrieb kross@xxxxxxxxxxxxxxxxxxxx:
…