Glad I could be of assistance.

Kind regards
Joachim

20.04.2025 20:06:36 Sviatoslav Feshchenko <sviatoslav.feshche...@proton.me>:
> My setup is very straightforward, with only one domain and set of
> certificates. So it works well enough for me.
>
> I look forward to checking out your proposal to Debian. Hopefully it gets
> merged soon and makes things easier in this respect.
>
> It would also be nice to have a professional tutorial on the chrony website
> using Let's Encrypt certificates. Maybe if Miroslav has some extra time and
> interest, I think that's something of value that can be added, or at least a
> link to such a tutorial.
>
> I don't think I'll have any issues with the permissions going forward either.
> Again, I tried with a forced renewal and it worked perfectly fine!
>
> Many many thanks to each of you for the assistance.
>
> Warm regards,
>
> Sviatoslav
>
>
> On Sunday, April 20th, 2025 at 1:47 PM, kr...@kaffeeschluerfer.com
> <kr...@kaffeeschluerfer.com> wrote:
>> Maybe one thing, probably not relevant for you (since you had previously
>> copied the pem files, and manually set the proper permissions on them): if
>> there aren't preexisting pem files with proper permissions in your
>> destination paths, the files that your approach would create from scratch
>> might not have the right permissions.
>>
>> Kind regards,
>>
>> Joachim
>>
>> 20.04.2025 19:40:44 kr...@kaffeeschluerfer.com:
>>
>>> No, there is no issue with the approach you outlined. My proposal to Debian
>>> just included a ready-made script that you could have used.
>>>
>>> But yours works fine as well. Some caveats, e.g., it would trigger, and do
>>> its stuff, on renewal of _every_ certificate on the system, e.g., if you
>>> have separate certificates for multiple domains, or different certs for
>>> chronyd and your web server for the same domain name. But if you don't have
>>> such "advanced" configurations, no issue (and many, if not most people,
>>> probably don't).
>>>
>>> Kind regards
>>>
>>> Joachim
>>>
>>> 20.04.2025 19:27:57 Sviatoslav Feshchenko <sviatoslav.feshche...@proton.me>:
>>>
>>>> Perhaps I am not fully understanding you. I just created a script in the
>>>> /etc/letsencrypt/renewal-hooks/deploy directory with the following content:
>>>>
>>>> #!/bin/bash
>>>>
>>>> FULLCHAIN_PATH="${RENEWED_LINEAGE}/fullchain.pem"
>>>> PRIVKEY_PATH="${RENEWED_LINEAGE}/privkey.pem"
>>>>
>>>> cat "${FULLCHAIN_PATH}" > /etc/chrony/certs/fullchain.pem
>>>> cat "${PRIVKEY_PATH}" > /etc/chrony/certs/privkey.pem
>>>>
>>>> systemctl restart chronyd
>>>> systemctl restart gpsd
>>>>
>>>> Then I forced certificate renewal by issuing the following command:
>>>>
>>>> certbot renew --force-renewal
>>>>
>>>> I can confirm that the above script was executed upon successful renewal
>>>> and that chrony and gpsd were restarted and everything is working fine.
>>>> Are you then suggesting that auto renewal will not trigger this script? Is
>>>> there an issue with the approach outlined above?
>>>>
>>>> Many thanks for all your help!
>>>>
>>>> Sviatoslav
>>>>
>>>>
>>>> On Sunday, April 20th, 2025 at 12:53 PM, kr...@kaffeeschluerfer.com
>>>> <kr...@kaffeeschluerfer.com> wrote:
>>>>> Indeed the Debian packaging currently does not provide a script for
>>>>> certbot to call upon certificate renewal.
>>>>>
>>>>> The script goes in the deploy subfolder, and there is an entry in the
>>>>> /etc/default/chrony config file to indicate the certificate name upon
>>>>> whose renewal the script shall be called (actually, it is called for
>>>>> every renewal, but it only does stuff when the certificate name is the
>>>>> one configured).
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> Joachim
>>>>>
>>>>> 20.04.2025 18:44:03 Sviatoslav Feshchenko
>>>>> <sviatoslav.feshche...@proton.me>:
>>>>>
>>>>>> …
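The two caveats Joachim raises in the quoted thread (the hook fires on renewal of every certificate on the system, and files created from scratch by `cat > file` get whatever the umask gives them) can both be handled in the deploy hook itself. The script below is an added example written for this page; it is neither the script Sviatoslav posted nor the hook Joachim proposed to Debian. It relies on one real certbot behaviour, namely that deploy hooks receive the renewed lineage directory in `RENEWED_LINEAGE` (`/etc/letsencrypt/live/<name>`). The settings `CHRONY_CERT_NAME`, `CHRONY_CERT_DIR` and `CHRONY_GROUP` are hypothetical names chosen here, `/etc/chrony/certs` is the destination used in the thread, and `_chrony` is assumed to be chronyd's group on Debian; adjust all of them to your system.

```bash
#!/bin/bash
# Added example certbot deploy hook for chronyd (not the thread's script and
# not Debian's proposed hook). It addresses two caveats from the discussion:
#  1. act only when the renewed lineage is the one configured for chronyd,
#     not on every renewal on the host;
#  2. create the destination files with an explicit mode and group instead of
#     relying on pre-existing files or on the umask.
# Assumed/hypothetical names: CHRONY_CERT_NAME, CHRONY_CERT_DIR, CHRONY_GROUP,
# the _chrony group. RENEWED_LINEAGE is set by certbot for deploy hooks.
set -eu

CHRONY_CERT_NAME="${CHRONY_CERT_NAME:-example.com}"      # certbot lineage name
CHRONY_CERT_DIR="${CHRONY_CERT_DIR:-/etc/chrony/certs}"
CHRONY_GROUP="${CHRONY_GROUP:-_chrony}"

# lineage_matches LINEAGE_DIR NAME
# certbot names the lineage directory after the certificate name
# (/etc/letsencrypt/live/<name>), so the last path component is the name.
lineage_matches() {
    [ "$(basename "$1")" = "$2" ]
}

# deploy_certs LINEAGE_DIR DEST_DIR GROUP
# Copies fullchain.pem and privkey.pem into DEST_DIR with mode 0640 and group
# GROUP (empty GROUP skips chgrp, e.g. when not running as root). Each file is
# written to a 0600 temp file and renamed into place, so chronyd never opens a
# half-written or world-readable key. Returns 1 if a source file is missing.
deploy_certs() {
    local lineage="$1" dest="$2" group="$3" f tmp
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    mkdir -p -m 0750 "$dest"
    for f in fullchain.pem privkey.pem; do
        tmp="$(mktemp "$dest/.$f.XXXXXX")"   # created 0600 by mktemp
        cp "$lineage/$f" "$tmp"
        chmod 0640 "$tmp"
        [ -z "$group" ] || chgrp "$group" "$tmp"
        mv -f "$tmp" "$dest/$f"
    done
}

# Entry point when certbot runs this file as a deploy hook. If RENEWED_LINEAGE
# is absent (e.g. the file is sourced for testing) nothing below executes.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if ! lineage_matches "$RENEWED_LINEAGE" "$CHRONY_CERT_NAME"; then
        exit 0   # a different certificate was renewed; nothing to do here
    fi
    deploy_certs "$RENEWED_LINEAGE" "$CHRONY_CERT_DIR" "$CHRONY_GROUP"
    systemctl restart chronyd
fi
```

Install it as an executable file under `/etc/letsencrypt/renewal-hooks/deploy/` and exercise it the way the thread did, with `certbot renew --force-renewal`; afterwards `ls -l /etc/chrony/certs` should show `-rw-r-----` with the chronyd group on both files regardless of whether they existed before. The name check compares the lineage directory name rather than the domain, so a second certificate for the same domain name (the web-server case Joachim mentions) is distinguished as long as it lives under a different lineage name.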