On 6/9/20 3:20 AM, Mike Simpson via devel wrote:
> As you only get a 90 day cert from LE I now have a cron job after the
> “certbot renew” which copies the keys over and chown them. It feels clunky.
Use a deploy hook. I wrote the attached one for Debian. Note that Debian uses
user "ntpsec" and group "ntpsec". Change that to "ntp" and "ntp" for other
environments.

Install the script (marking it executable) as:

    /etc/letsencrypt/renewal-hooks/deploy/ntpsec

Then set NTPSEC_CERTBOT_CERT_NAME="your.cert.hostname" in /etc/default/ntpsec
(or edit the script).

--
Richard
#!/bin/sh -eu
# vim: ai ts=4 sts=4 et sw=4
#
# certbot deploy hook: copy a renewed certificate and key to where ntpd can
# read them after it drops privileges, then tell ntpd to reload.  Install as
# /etc/letsencrypt/renewal-hooks/deploy/ntpsec and mark it executable.

if [ -r /etc/default/ntpsec ]
then
    . /etc/default/ntpsec
fi

# Nothing to do unless the administrator has named the certificate ntpd uses.
if [ -z "${NTPSEC_CERTBOT_CERT_NAME-}" ]
then
    exit 0
fi

# If the certificate being deployed is not the one for ntpd, exit.
# certbot exports RENEWED_DOMAINS as a space-separated list of the names on
# the renewed certificate; it must be expanded unquoted so the loop sees one
# name per iteration (quoted, a multi-SAN certificate would never match).
found=0
for domain in ${RENEWED_DOMAINS-}
do
    if [ "$domain" = "$NTPSEC_CERTBOT_CERT_NAME" ]
    then
        found=1
    fi
done
if [ "$found" = "0" ]
then
    exit 0
fi

# Copy the certificate (including chain) and key so ntpd can read them
# after dropping privileges: the chain is public (0644), the private key is
# owned by root, group ntpsec, and readable by the group only (0640).
install -m 644 /etc/letsencrypt/live/"$NTPSEC_CERTBOT_CERT_NAME"/fullchain.pem \
    /etc/ntpsec/cert-chain.pem
install -m 640 -g ntpsec \
    /etc/letsencrypt/live/"$NTPSEC_CERTBOT_CERT_NAME"/privkey.pem \
    /etc/ntpsec/key.pem

# Tell ntpd to reload the certificate and key.
killall -HUP ntpd 2>/dev/null || true
_______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
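The two decisions the deploy hook makes (is this renewal the certificate ntpd uses, and do the copied files end up with the intended modes) can be exercised without certbot, root or the real ntpsec group. The script below is an added example, not code from the post or from NTPsec: it factors the hook's matching and copying steps into functions with hypothetical names (cert_matches, deploy_cert_files, file_mode, run_demo), runs them in a scratch directory with constructed placeholder PEM files, and uses the caller's own group in place of "ntpsec".

```shell
#!/bin/sh
# Added example (not from the original post or NTPsec): exercise a certbot
# deploy hook's domain match and file installation in a scratch directory.
# Function names are hypothetical; the PEM contents are placeholders.

# certbot exports RENEWED_DOMAINS to deploy hooks as a space-separated list.
# Return 0 if cert_name is one of those names, 1 otherwise.  $renewed is
# expanded unquoted on purpose so the shell splits it into single names.
cert_matches() {
    renewed="$1"
    cert_name="$2"
    for domain in $renewed
    do
        if [ "$domain" = "$cert_name" ]
        then
            return 0
        fi
    done
    return 1
}

# Copy fullchain.pem (public, 0644) and privkey.pem (0640, readable by
# $group only) from $live_dir/$cert_name into $out_dir.
deploy_cert_files() {
    live_dir="$1"
    cert_name="$2"
    out_dir="$3"
    group="$4"
    install -m 644 "$live_dir/$cert_name/fullchain.pem" "$out_dir/cert-chain.pem" &&
        install -m 640 -g "$group" "$live_dir/$cert_name/privkey.pem" "$out_dir/key.pem"
}

# Print a file's mode in octal; GNU stat first, BSD stat as the fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Drive the pieces against constructed inputs; return 0 only if every
# expectation holds.  The PEM files hold placeholder text, not key material.
run_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/live/ntp.example.org" "$tmp/out"
    printf 'placeholder chain\n' > "$tmp/live/ntp.example.org/fullchain.pem"
    printf 'placeholder key\n' > "$tmp/live/ntp.example.org/privkey.pem"
    group=$(id -gn)    # stands in for "ntpsec"; any group we belong to works

    status=1
    # A renewal of some other certificate must be ignored ...
    if ! cert_matches "www.example.org mail.example.org" ntp.example.org
    then
        # ... while a multi-SAN renewal that includes ntpd's name must deploy,
        # with the key group-readable only and the chain world-readable.
        if cert_matches "www.example.org ntp.example.org" ntp.example.org &&
           deploy_cert_files "$tmp/live" ntp.example.org "$tmp/out" "$group" &&
           [ "$(file_mode "$tmp/out/key.pem")" = 640 ] &&
           [ "$(file_mode "$tmp/out/cert-chain.pem")" = 644 ] &&
           [ "$(cat "$tmp/out/key.pem")" = 'placeholder key' ]
        then
            status=0
        fi
    fi
    rm -rf "$tmp"
    return $status
}

run_demo && echo "deploy hook logic OK"
```

The second check is the one worth keeping in mind when the hostname is one of several SANs on a single certificate: the match only works because RENEWED_DOMAINS is expanded unquoted and compared name by name.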