Hi !

Why not just do that in the renewal-hooks/post script?

cp -L /etc/letsencrypt/live/time.hoerst.net/cert.pem /etc/chrony/cert/
cp -L /etc/letsencrypt/live/time.hoerst.net/privkey.pem /etc/chrony/cert/
chmod g+r /etc/chrony/cert/*
systemctl restart chrony

Ciao Gerd

On 20.04.25 at 19:40, [email protected] wrote:
No, there is no issue with the approach you outlined. My proposal to Debian just included a ready-made script that you could have used.

But yours works fine as well. Some caveats, e.g., it would trigger, and do its stuff, on renewal of _every_ certificate on the system, e.g., if you have separate certificates for multiple domains, or different certs for chronyd and your web server for the same domain name. But if you don't have such "advanced" configurations, no issue (and many, if not most people, probably don't).

Kind regards

Joachim

20.04.2025 19:27:57 Sviatoslav Feshchenko <[email protected]>:

    Perhaps I am not fully understanding you. I just created a script
    in /etc/letsencrypt/renewal-hooks/deploy directory with the
    following content:

    #!/bin/bash
    # certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks

    FULLCHAIN_PATH="${RENEWED_LINEAGE}/fullchain.pem"
    PRIVKEY_PATH="${RENEWED_LINEAGE}/privkey.pem"

    # cat follows the live/ symlinks, so plain files land in /etc/chrony/certs
    cat "${FULLCHAIN_PATH}" > /etc/chrony/certs/fullchain.pem
    cat "${PRIVKEY_PATH}" > /etc/chrony/certs/privkey.pem

    # reload the new certificate and key
    systemctl restart chronyd
    systemctl restart gpsd

    Then I forced certificate renewal by issuing the following command:

    certbot renew --force-renewal

    I can confirm that the above script was executed upon successful
    renewal and that chrony and gpsd were restarted and everything is
    working fine. Are you then suggesting that auto renewal will not
    trigger this script? Is there an issue with the approach outlined
    above?

    Many thanks for all your help!

    Sviatoslav


    On Sunday, April 20th, 2025 at 12:53 PM,
    [email protected] <[email protected]> wrote:
    Indeed the Debian packaging currently does not provide a script
    for certbot to call upon certificate renewal.

    The script goes in the deploy subfolder, and there is an entry in
    the /etc/default/chrony config file to indicate the certificate
    name upon whose renewal the script shall be called (actually, it
    is called for every renewal, but it only does stuff when the
    certificate name is the one configured).

    Kind regards,

    Joachim

    20.04.2025 18:44:03 Sviatoslav Feshchenko
    <[email protected]>:

        You are a good man! Thank you for doing that.

        But this raises a question. Does that mean that Debian 12
        currently does not have the ability to execute these scripts
        upon certificate renewal? I just checked and I have the
        following directory present on the system:
        /etc/letsencrypt/renewal-hooks

        And inside of it, there are 3 sub-directories:

        deploy
        post
        pre

        I haven't tried yet, but if I place a script in the deploy
        folder, would it not execute once the certificate is renewed?

        Sviatoslav

        On Sunday, April 20th, 2025 at 12:36 PM,
        [email protected] <[email protected]> wrote:

            This script can copy the certificates after renewal and
            restart chrony, so it should be easy to automate this.


        I proposed for such a certbot renewal hook script to be
        included in the Debian package, maybe it is of use to you.
        Works well for me so far, I only have a minor update in the
        pipeline to only restart chronyd when it is actually running.

        https://salsa.debian.org/debian/chrony/-/merge_requests/14

        Kind regards,

        Joachim

        20.04.2025 18:20:48 Sviatoslav Feshchenko
        <[email protected]>:

            Thank you James and Rob.

            I think Rob is right. No matter what I did with
            permissions, it just didn't work. As a workaround, I
            simply copied the certificates to a different directory
            and chrony now loads the certificates without issues,
            and I am now able to synchronize to the server using NTS!

            Copying the certificates may be an acceptable solution,
            because certbot offers pre and post validation hooks,
            which will execute a script before/after renewal. This
            script can copy the certificates after renewal and
            restart chrony, so it should be easy to automate this.

            Many many thanks!

            Sviatoslav



            On Sunday, April 20th, 2025 at 11:53 AM, Rob Janssen
            <[email protected]> wrote:


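Joachim's caveat above (a deploy hook fires on renewal of every certificate on the host) and the Debian proposal's idea of acting only for the lineage named in /etc/default/chrony can be combined in one hook. This is an added example, not the script from the merge request or anything posted in the thread; CHRONY_CERT_NAME, CHRONY_CERT_DIR and CHRONY_GROUP (_chrony) are assumed names.

```shell
#!/bin/bash
# Added example (not the Debian package's hook): certbot deploy hook that acts
# only for the configured lineage, installs the files group-readable for
# chronyd, and restarts chrony only when it is running. Intended location:
# /etc/letsencrypt/renewal-hooks/deploy/ (all variable names are assumed).
set -eu

# Assumed knobs: CHRONY_CERT_NAME in /etc/default/chrony names the lineage
# (e.g. time.hoerst.net); CHRONY_CERT_DIR is the directory chronyd reads.
CHRONY_DEFAULTS="${CHRONY_DEFAULTS:-/etc/default/chrony}"
CHRONY_CERT_DIR="${CHRONY_CERT_DIR:-/etc/chrony/certs}"
CHRONY_GROUP="${CHRONY_GROUP:-_chrony}"   # Debian chronyd group (assumed)

# 0 when the renewed lineage (certbot's live/<name> dir) is the configured one.
lineage_matches() {
    local lineage="$1" wanted="$2"
    [ -n "$wanted" ] && [ "$(basename "$lineage")" = "$wanted" ]
}

# Copy fullchain and key with the right mode set at creation time (no window
# where the key is world-readable). install(1) follows the live/ symlinks into
# archive/, so chronyd gets plain files it is allowed to open.
install_certs() {
    local lineage="$1" dest="$2" group="${3:-}"
    install -d -m 0750 "$dest"
    install -m 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem"
    install -m 0640 "$lineage/privkey.pem"   "$dest/privkey.pem"
    if [ -n "$group" ]; then
        chgrp "$group" "$dest" "$dest/fullchain.pem" "$dest/privkey.pem"
    fi
}

# Restart chrony only if it is active; a deliberately stopped service stays stopped.
restart_if_running() {
    if systemctl is-active --quiet chrony; then
        systemctl restart chrony
    fi
}

main() {
    # shellcheck disable=SC1090
    [ -r "$CHRONY_DEFAULTS" ] && . "$CHRONY_DEFAULTS"
    if ! lineage_matches "${RENEWED_LINEAGE:-}" "${CHRONY_CERT_NAME:-}"; then
        exit 0   # some other certificate was renewed: nothing to do
    fi
    install_certs "$RENEWED_LINEAGE" "$CHRONY_CERT_DIR" "$CHRONY_GROUP"
    restart_if_running
}

# certbot sets RENEWED_LINEAGE for deploy hooks; when sourced without it only
# the functions are defined, which is what the tests below rely on.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```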