My setup is very straightforward, with only one domain and set of certificates. So it works well enough for me.

I look forward to checking out your proposal to Debian. Hopefully it gets merged soon and makes things easier in this respect. It would also be nice to have a professional tutorial on the chrony website using Let's Encrypt certificates. Maybe if Miroslav has some extra time and interest, I think that's something of value that can be added, or at least a link to such a tutorial.

I don't think I'll have any issues with the permissions going forward either. Again, I tried with a forced renewal and it worked perfectly fine!

Many many thanks to each of you for the assistance.

Warm regards,
Sviatoslav

On Sunday, April 20th, 2025 at 1:47 PM, kr...@kaffeeschluerfer.com <kr...@kaffeeschluerfer.com> wrote:

> Maybe one thing, probably not relevant for you (since you had previously
> copied the pem files, and manually set the proper permissions on them): If
> there aren't preexisting pem files with proper permissions in your
> destination paths, the files that your approach would create from scratch
> might not have the right permissions.
>
> Kind regards,
>
> Joachim
>
> 20.04.2025 19:40:44 kr...@kaffeeschluerfer.com:
>
>> No, there is no issue with the approach you outlined. My proposal to Debian
>> just included a ready-made script that you could have used.
>>
>> But yours works fine as well. Some caveats, e.g., it would trigger, and do
>> its stuff, on renewal of _every_ certificate on the system, e.g., if you
>> have separate certificates for multiple domains, or different certs for
>> chronyd and your web server for the same domain name. But if you don't have
>> such "advanced" configurations, no issue (and many, if not most people,
>> probably don't).
>>
>> Kind regards
>>
>> Joachim
>>
>> 20.04.2025 19:27:57 Sviatoslav Feshchenko <sviatoslav.feshche...@proton.me>:
>>
>>> Perhaps I am not fully understanding you. I just created a script in the
>>> /etc/letsencrypt/renewal-hooks/deploy directory with the following content:
>>>
>>> #!/bin/bash
>>>
>>> # certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory
>>> # of the certificate it just renewed) to deploy hooks.
>>> FULLCHAIN_PATH="${RENEWED_LINEAGE}/fullchain.pem"
>>> PRIVKEY_PATH="${RENEWED_LINEAGE}/privkey.pem"
>>>
>>> # Overwrite the copies chronyd reads (the existing files keep their permissions).
>>> cat "${FULLCHAIN_PATH}" > /etc/chrony/certs/fullchain.pem
>>> cat "${PRIVKEY_PATH}" > /etc/chrony/certs/privkey.pem
>>>
>>> systemctl restart chronyd
>>> systemctl restart gpsd
>>>
>>> Then I forced certificate renewal by issuing the following command:
>>>
>>> certbot renew --force-renewal
>>>
>>> I can confirm that the above script was executed upon successful renewal
>>> and that chrony and gpsd were restarted and everything is working fine. Are
>>> you then suggesting that auto renewal will not trigger this script? Is
>>> there an issue with the approach outlined above?
>>>
>>> Many thanks for all your help!
>>>
>>> Sviatoslav
>>>
>>> On Sunday, April 20th, 2025 at 12:53 PM, kr...@kaffeeschluerfer.com <kr...@kaffeeschluerfer.com> wrote:
>>>
>>>> Indeed the Debian packaging currently does not provide a script for
>>>> certbot to call upon certificate renewal.
>>>>
>>>> The script goes in the deploy subfolder, and there is an entry in the
>>>> /etc/default/chrony config file to indicate the certificate name upon
>>>> whose renewal the script shall be called (actually, it is called for every
>>>> renewal, but it only does stuff when the certificate name is the one
>>>> configured).
>>>>
>>>> Kind regards,
>>>>
>>>> Joachim
>>>>
>>>> 20.04.2025 18:44:03 Sviatoslav Feshchenko <sviatoslav.feshche...@proton.me>:
>>>>
>>>>> You are a good man! Thank you for doing that.
>>>>>
>>>>> But this raises a question. Does that mean that Debian 12 currently does
>>>>> not have the ability to execute these scripts upon certificate renewal? I
>>>>> just checked and I have the following directory present on the system:
>>>>> /etc/letsencrypt/renewal-hooks
>>>>>
>>>>> And inside of it, there are 3 sub-directories:
>>>>>
>>>>> deploy
>>>>> post
>>>>> pre
>>>>>
>>>>> I haven't tried yet, but if I place a script in the deploy folder, would
>>>>> it not execute once the certificate is renewed?
>>>>>
>>>>> Sviatoslav
>>>>>
>>>>> On Sunday, April 20th, 2025 at 12:36 PM, kr...@kaffeeschluerfer.com <kr...@kaffeeschluerfer.com> wrote:
>>>>>
>>>>>>> …
>>>>>>
>>>>>> I proposed for such a certbot renewal hook script to be included in the
>>>>>> Debian package, maybe it is of use to you. Works well for me so far, I
>>>>>> only have a minor update in the pipeline to only restart chronyd when it
>>>>>> is actually running.
>>>>>>
>>>>>> https://salsa.debian.org/debian/chrony/-/merge_requests/14
>>>>>>
>>>>>> Kind regards,
>>>>>>
>>>>>> Joachim
>>>>>>
>>>>>> 20.04.2025 18:20:48 Sviatoslav Feshchenko <sviatoslav.feshche...@proton.me>:
>>>>>>
>>>>>>> …
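A deploy hook that addresses the three caveats raised in this thread (the hook firing on renewal of every lineage, the permissions of copies created from scratch, and restarting a chronyd that is not running), written as an added example; it is neither Joachim's merge-request script nor anything from the chrony project. It assumes Debian's `_chrony` service user and the `/etc/chrony/certs` directory from Sviatoslav's script; the certificate name `ntp.example.com` is a placeholder to replace with the lineage name chronyd uses.

```shell
#!/bin/sh
# Added example hook (not Joachim's merge-request script, not chrony's own):
# acts only for one configured lineage, creates the chrony copies with
# restrictive permissions even when no files exist yet, and restarts chronyd
# only if it is running. Assumes Debian's _chrony user and /etc/chrony/certs.
set -eu

CERT_NAME="${CHRONY_CERT_NAME:-ntp.example.com}"   # placeholder lineage name
DEST_DIR="${CHRONY_CERT_DIR:-/etc/chrony/certs}"
CHRONY_USER="${CHRONY_USER:-_chrony}"

# certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<cert-name> for the
# certificate it just renewed; succeed only when that name is ours.
lineage_matches() {
    [ "$(basename "$1")" = "$2" ]
}

# Copy one PEM file into place as owner:owner with mode 0640. install(1)
# creates the destination with those bits directly, so a freshly created
# private key is never world-readable, even for a moment. An empty owner
# skips the chown so the function also works unprivileged.
install_pem() {
    if [ -n "$3" ]; then
        install -o "$3" -g "$3" -m 0640 "$1" "$2"
    else
        install -m 0640 "$1" "$2"
    fi
}

# Restart a unit only when it is active; a stopped or masked chronyd stays so.
restart_if_active() {
    if systemctl is-active --quiet "$1"; then
        systemctl restart "$1"
    fi
}

# Return 0 without touching anything when some other certificate was renewed,
# so certbot does not report the hook as failed.
deploy_hook() {
    lineage_matches "$1" "$CERT_NAME" || return 0
    mkdir -p "$DEST_DIR"
    install_pem "$1/fullchain.pem" "$DEST_DIR/fullchain.pem" "$CHRONY_USER"
    install_pem "$1/privkey.pem"   "$DEST_DIR/privkey.pem"   "$CHRONY_USER"
    restart_if_active chronyd
}

# certbot sets RENEWED_LINEAGE; when it is absent only the functions are defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE"
fi
```

Install it as an executable file under /etc/letsencrypt/renewal-hooks/deploy and verify with `certbot renew --force-renewal` as in the thread; the chrony `ntsservercert`/`ntsserverkey` directives then point at the files in `DEST_DIR`.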