From: Christian Heller Date: Sun, 9 Dec 2018 16:55:08 +0000 (+0100) Subject: Improve certificate renewal mechanism. X-Git-Url: https://plomlompom.com/repos/%7B%7Bprefix%7D%7D/ledger2?a=commitdiff_plain;h=fc8eea5a9cbbaa968330bf5240de18db7a374e42;p=config Improve certificate renewal mechanism. --- diff --git a/all_new_2018/linkable_etc_files/web/etc/cron.d/certbot b/all_new_2018/linkable_etc_files/web/etc/cron.d/certbot new file mode 100644 index 0000000..1fd8aaf --- /dev/null +++ b/all_new_2018/linkable_etc_files/web/etc/cron.d/certbot @@ -0,0 +1,17 @@ +# /etc/cron.d/certbot: crontab entries for the certbot package +# +# Upstream recommends attempting renewal twice a day +# +# Eventually, this will be an opportunity to validate certificates +# haven't been revoked, etc. Renewal will only occur if expiration +# is within 30 days. +SHELL=/bin/sh +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +# plomlompom added the --webroot -w /var/www/html/ so that renewal +# works with nginx running, and the nginx reload post-hook so that +# the new certificates are linked to by nginx. Note that by default +# we rely on the systemd timer service file instead of this cronjob, +# but since both are installed by the certbot package to serve which +# ever of the two is used, we cautiously adapt both of them too. +0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --webroot -w /var/www/html/ --post-hook "service nginx reload" diff --git a/all_new_2018/linkable_etc_files/web/etc/systemd/system/certbot.service b/all_new_2018/linkable_etc_files/web/etc/systemd/system/certbot.service index 122e7c1..0d20d1f 100644 --- a/all_new_2018/linkable_etc_files/web/etc/systemd/system/certbot.service +++ b/all_new_2018/linkable_etc_files/web/etc/systemd/system/certbot.service @@ -3,6 +3,9 @@ Description=Certbot Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html Documentation=https://letsencrypt.readthedocs.io/en/latest/ [Service] +# plomlompom added the --webroot -w /var/www/html/ so that renewal +# works with nginx running, and the nginx reload post-hook so that +# the new certificates are linked to by nginx. Type=oneshot -ExecStart=/usr/bin/certbot -q renew --webroot -w /var/www/html/ -PrivateTmp=true +ExecStart=/usr/bin/certbot -q renew --webroot -w /var/www/html/ --post-hook "service nginx reload" +PrivateTmp=true \ No newline at end of file