Perhaps I am not fully understanding you. I just created a script in 
/etc/letsencrypt/renewal-hooks/deploy directory with the following content:

#!/bin/bash

# certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) to deploy hooks
FULLCHAIN_PATH="${RENEWED_LINEAGE}/fullchain.pem"
PRIVKEY_PATH="${RENEWED_LINEAGE}/privkey.pem"

# copy the renewed certificate and key to a directory chrony is allowed to read
cat "${FULLCHAIN_PATH}" > /etc/chrony/certs/fullchain.pem
cat "${PRIVKEY_PATH}" > /etc/chrony/certs/privkey.pem

# restart the services that loaded the old certificate
systemctl restart chronyd
systemctl restart gpsd

Then I forced certificate renewal by issuing the following command:

certbot renew --force-renewal

I can confirm that the above script was executed upon successful renewal and 
that chrony and gpsd were restarted and everything is working fine. Are you 
then suggesting that auto renewal will not trigger this script? Is there an 
issue with the approach outlined above?

Many thanks for all your help!

Sviatoslav

On Sunday, April 20th, 2025 at 12:53 PM, kr...@kaffeeschluerfer.com 
<kr...@kaffeeschluerfer.com> wrote:

> Indeed the Debian packaging currently does not provide a script for certbot 
> to call upon certificate renewal.
>
> The script goes in the deploy subfolder, and there is an entry in the 
> /etc/default/chrony config file to indicate the certificate name upon whose 
> renewal the script shall be called (actually, it is called for every renewal, 
> but it only does stuff when the certificate name is the one configured).
>
> Kind regards,
>
> Joachim
>
> 20.04.2025 18:44:03 Sviatoslav Feshchenko <sviatoslav.feshche...@proton.me>:
>
>> You are a good man! Thank you for doing that.
>>
>> But this raises a question. Does that mean that Debian 12 currently does 
>> not have the ability to execute these scripts upon certificate renewal? I 
>> just checked and I have the following directory present on the system: 
>> /etc/letsencrypt/renewal-hooks
>>
>> And inside of it, there are 3 sub-directories:
>>
>> deploy
>> post
>> pre
>>
>> I haven't tried yet, but if I place a script in the deploy folder, would it 
>> not execute once the certificate is renewed?
>>
>> Sviatoslav
>>
>> On Sunday, April 20th, 2025 at 12:36 PM, kr...@kaffeeschluerfer.com 
>> <kr...@kaffeeschluerfer.com> wrote:
>>
>>>> This script can copy the certificates after renewal and restart chrony, so 
>>>> it should be easy to automate this.
>>>
>>> I proposed for such a certbot renewal hook script to be included in the 
>>> Debian package, maybe it is of use to you. Works well for me so far, I only 
>>> have a minor update in the pipeline to only restart chronyd when it is 
>>> actually running.
>>>
>>> https://salsa.debian.org/debian/chrony/-/merge_requests/14
>>>
>>> Kind regards,
>>>
>>> Joachim
>>>
>>> 20.04.2025 18:20:48 Sviatoslav Feshchenko <sviatoslav.feshche...@proton.me>:
>>>
>>>> Thank you James and Rob.
>>>>
>>>> I think Rob is right. No matter what I did with permissions, it just didn't 
>>>> work. As a workaround, I simply copied the certificates to a different 
>>>> directory and chrony now loads the certificates without issues, and I am 
>>>> now able to synchronize to the server using NTS!
>>>>
>>>> Copying the certificates may be an acceptable solution, because certbot 
>>>> offers pre and post validation hooks, which will execute a script 
>>>> before/after renewal. This script can copy the certificates after renewal 
>>>> and restart chrony, so it should be easy to automate this.
>>>>
>>>> Many many thanks!
>>>> Sviatoslav
>>>>
>>>> On Sunday, April 20th, 2025 at 11:53 AM, Rob Janssen 
>>>> <chrony-us...@pe1chl.nl> wrote:
>>>>
>>>>> Modern Linux systems often have something like SELinux which limits where 
>>>>> certain programs can open files.
>>>>> Just putting extra config files in "myfolder" isn't going to work, and 
>>>>> the error messages can be misleading...
>>>>>
>>>>> Rob
>>>>>
>>>>> On 2025-04-20 14:58, Sviatoslav Feshchenko wrote:
>>>>>
>>>>>> Made a bit of progress with the issue. The server error log has the 
>>>>>> following entry after startup: "Could not set credentials : Error while 
>>>>>> reading file."
>>>>>>
>>>>>> This means it can't read the certificate files.
>>>>>>
>>>>>> Tried to change permissions using the following command:
>>>>>>
>>>>>> setfacl -R -m u:_chrony:rwx myfolder
>>>>>>
>>>>>> Where myfolder is the directory where the certificates are located.
>>>>>>
>>>>>> Still not working, giving same error message.
>>>>>>
>>>>>> What would be the correct way of giving chrony permissions to read the 
>>>>>> certificate files created by certbot, without breaking the web server? I 
>>>>>> am running Debian 12.
>>>>>>
>>>>>> Many thanks!
>>>>>>
>>>>>> Sviatoslav
>>>>>>
>>>>>> On Saturday, April 19th, 2025 at 9:02 PM, Sviatoslav Feshchenko 
>>>>>> <sviatoslav.feshche...@proton.me> wrote:
>>>>>>
>>>>>>> …

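The hook posted at the top of this thread works, but it copies the key with whatever mode the destination ends up with, runs for every lineage certbot renews, and restarts chronyd even when it is not running (the point Joachim says his packaged version will address). The script below is an added example written for this thread, not the poster's hook and not the one proposed for the Debian package. It assumes /etc/chrony/certs as the destination, _chrony as the group chronyd runs under on Debian, and a CHRONY_CERT_NAME variable (an assumption here, not the key used in /etc/default/chrony) naming the lineage chrony uses; it acts only on that lineage, checks that the certificate and private key belong together before touching anything, installs both files atomically with the private key readable by root and the chrony group only, and restarts chronyd only if it is active.

```shell
#!/bin/bash
# Added example: a stricter certbot deploy hook for chrony's NTS certificates.
# Not the thread's script and not Debian's packaged hook; the directory
# /etc/chrony/certs, the group _chrony and the CHRONY_CERT_NAME variable are
# assumptions made for this illustration.
set -euo pipefail

CHRONY_CERT_DIR="${CHRONY_CERT_DIR:-/etc/chrony/certs}"
CHRONY_CERT_NAME="${CHRONY_CERT_NAME:-ntp.example.org}"   # assumed lineage name
CHRONY_GROUP="${CHRONY_GROUP:-_chrony}"                   # Debian's chrony user/group

# lineage_matches LINEAGE_DIR NAME: certbot runs every deploy hook for every
# renewed lineage, so act only on the lineage chrony actually uses.
lineage_matches() {
    [ "$(basename -- "$1")" = "$2" ]
}

# keypair_consistent CERT KEY: refuse to install a certificate whose public key
# does not belong to the private key beside it; chronyd could not load such a
# pair and would fail with the "Could not set credentials" error seen above.
keypair_consistent() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# install_file SRC DST MODE GROUP: copy into a temp file beside DST, set the
# mode (and ownership when root), then rename. chronyd never sees a partial
# file and the private key is never, even briefly, world-readable.
install_file() {
    local src=$1 dst=$2 mode=$3 group=$4 tmp
    tmp=$(mktemp -- "${dst}.XXXXXX")        # mktemp creates it 0600
    cat -- "$src" > "$tmp"
    chmod -- "$mode" "$tmp"
    if [ "$(id -u)" -eq 0 ]; then
        chown -- "root:${group}" "$tmp"
    fi
    mv -f -- "$tmp" "$dst"
}

# deploy_certs LINEAGE_DIR DEST_DIR: the chain is public (0644); the private
# key is readable by root and the chrony group only (0640), nothing wider.
deploy_certs() {
    local lineage=$1 dest=$2
    mkdir -p -- "$dest"
    install_file "$lineage/fullchain.pem" "$dest/fullchain.pem" 0644 "$CHRONY_GROUP"
    install_file "$lineage/privkey.pem"   "$dest/privkey.pem"   0640 "$CHRONY_GROUP"
}

# restart_if_active UNIT: restart only a running unit, so a renewal on a host
# where chronyd was stopped on purpose does not start it.
restart_if_active() {
    if systemctl is-active --quiet "$1"; then
        systemctl restart "$1"
    fi
}

main() {
    # certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) to deploy hooks.
    lineage_matches "$RENEWED_LINEAGE" "$CHRONY_CERT_NAME" || exit 0
    keypair_consistent "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" \
        || { echo "refusing to deploy: certificate/key mismatch in $RENEWED_LINEAGE" >&2; exit 1; }
    deploy_certs "$RENEWED_LINEAGE" "$CHRONY_CERT_DIR"
    restart_if_active chronyd
}

# Only act when invoked by certbot; sourcing or testing leaves the system untouched.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Because the private key ends up 0640 root:_chrony rather than readable by everyone, the web server keeps reading its own copy under /etc/letsencrypt unchanged, which was the poster's concern about "breaking the web server". Dropping the script into /etc/letsencrypt/renewal-hooks/deploy with mode 0755 is enough for both `certbot renew --force-renewal` and the timer-driven renewal to run it; deploy hooks are only invoked when a certificate was actually issued, so a scheduled run that renews nothing leaves chronyd alone.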