This seems like a simpler solution! Thank you for sharing!

Sviatoslav

On Tuesday, April 22nd, 2025 at 3:32 AM, Gerd Hoerst <g...@hoerst.net> wrote:

> Hi !
>
> Why not just do that in the renewal-hook/post script ?
>
> cp -L /etc/letsencrypt/live/time.hoerst.net/cert.pem /etc/chrony/cert/
> cp -L /etc/letsencrypt/live/time.hoerst.net/privkey.pem /etc/chrony/cert/
> chmod g+r /etc/chrony/cert/*
> systemctl restart chrony
>
> Ciao Gerd
>
> On 20.04.25 at 19:40, kr...@kaffeeschluerfer.com wrote:
>
>> No, there is no issue with the approach you outlined. My proposal to Debian
>> just included a ready-made script that you could have used.
>>
>> But yours works fine as well. Some caveats, e.g., it would trigger, and do
>> its stuff, on renewal of _every_ certificate on the system, e.g., if you
>> have separate certificates for multiple domains, or different certs for
>> chronyd and your web server for the same domain name. But if you don't have
>> such "advanced" configurations, no issue (and many, if not most people,
>> probably don't).
>>
>> Kind regards
>>
>> Joachim
>>
>> 20.04.2025 19:27:57 Sviatoslav Feshchenko <sviatoslav.feshche...@proton.me>:
>>
>>> Perhaps I am not fully understanding you. I just created a script in the
>>> /etc/letsencrypt/renewal-hooks/deploy directory with the following content:
>>>
>>> #!/bin/bash
>>>
>>> FULLCHAIN_PATH="${RENEWED_LINEAGE}/fullchain.pem"
>>> PRIVKEY_PATH="${RENEWED_LINEAGE}/privkey.pem"
>>>
>>> cat "${FULLCHAIN_PATH}" > /etc/chrony/certs/fullchain.pem
>>> cat "${PRIVKEY_PATH}" > /etc/chrony/certs/privkey.pem
>>>
>>> systemctl restart chronyd
>>> systemctl restart gpsd
>>>
>>> Then I forced certificate renewal by issuing the following command:
>>>
>>> certbot renew --force-renewal
>>>
>>> I can confirm that the above script was executed upon successful renewal
>>> and that chrony and gpsd were restarted and everything is working fine. Are
>>> you then suggesting that auto renewal will not trigger this script? Is
>>> there an issue with the approach outlined above?
>>>
>>> Many thanks for all your help!
>>>
>>> Sviatoslav
>>>
>>> On Sunday, April 20th, 2025 at 12:53 PM, kr...@kaffeeschluerfer.com <kr...@kaffeeschluerfer.com> wrote:
>>>
>>>> Indeed the Debian packaging currently does not provide a script for
>>>> certbot to call upon certificate renewal.
>>>>
>>>> The script goes in the deploy subfolder, and there is an entry in the
>>>> /etc/default/chrony config file to indicate the certificate name upon
>>>> whose renewal the script shall be called (actually, it is called for every
>>>> renewal, but it only does stuff when the certificate name is the one
>>>> configured).
>>>>
>>>> Kind regards,
>>>>
>>>> Joachim
>>>>
>>>> 20.04.2025 18:44:03 Sviatoslav Feshchenko <sviatoslav.feshche...@proton.me>:
>>>>
>>>>> You are a good man! Thank you for doing that.
>>>>>
>>>>> But this raises a question. Does that mean that Debian 12 currently does
>>>>> not have the ability to execute these scripts upon certificate renewal? I
>>>>> just checked and I have the following directory present on the system:
>>>>> /etc/letsencrypt/renewal-hooks
>>>>>
>>>>> And inside of it, there are 3 sub-directories:
>>>>>
>>>>> deploy
>>>>> post
>>>>> pre
>>>>>
>>>>> I haven't tried yet, but if I place a script in the deploy folder, would
>>>>> it not execute once the certificate is renewed?
>>>>>
>>>>> Sviatoslav
>>>>>
>>>>> On Sunday, April 20th, 2025 at 12:36 PM, kr...@kaffeeschluerfer.com <kr...@kaffeeschluerfer.com> wrote:
>>>>>
>>>>>>> This script can copy the certificates after renewal and restart chrony,
>>>>>>> so it should be easy to automate this.
>>>>>>
>>>>>> I proposed for such a certbot renewal hook script to be included in the
>>>>>> Debian package, maybe it is of use to you. Works well for me so far, I
>>>>>> only have a minor update in the pipeline to only restart chronyd when it
>>>>>> is actually running.
>>>>>>
>>>>>> https://salsa.debian.org/debian/chrony/-/merge_requests/14
>>>>>>
>>>>>> Kind regards,
>>>>>>
>>>>>> Joachim
>>>>>>
>>>>>> 20.04.2025 18:20:48 Sviatoslav Feshchenko <sviatoslav.feshche...@proton.me>:
>>>>>>
>>>>>>> Thank you James and Rob.
>>>>>>>
>>>>>>> I think Rob is right. No matter what I did with permissions, it just
>>>>>>> didn't work. As a workaround, I simply copied the certificates to a
>>>>>>> different directory and chrony now loads the certificates without
>>>>>>> issues, and I am now able to synchronize to the server using NTS!
>>>>>>>
>>>>>>> Copying the certificates may be an acceptable solution, because certbot
>>>>>>> offers pre and post validation hooks, which will execute a script
>>>>>>> before/after renewal. This script can copy the certificates after
>>>>>>> renewal and restart chrony, so it should be easy to automate this.
>>>>>>>
>>>>>>> Many many thanks!
>>>>>>> Sviatoslav
>>>>>>>
>>>>>>> On Sunday, April 20th, 2025 at 11:53 AM, Rob Janssen <chrony-us...@pe1chl.nl> wrote:
>>>>>>>
>>>>>>>> …
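As an added example (not a script from this thread, nor the one proposed for the Debian chrony package), here is a deploy hook that combines the points raised above: it only acts when the renewed lineage is the one chronyd uses (Joachim's caveat about hooks firing for every certificate on the host), it dereferences the live/ symlinks with cp -L as in Gerd's script, it leaves the private key readable only by root and chrony's group, and it restarts chronyd only when it is actually running. The lineage name time.example.com, the /etc/chrony/certs directory, the _chrony group and the chrony unit name are assumptions; set the CHRONY_* variables to match your host.

```shell
#!/bin/sh
# Added example, not the thread's or the Debian package's script: a certbot
# deploy hook for chrony NTS certificates. certbot runs every executable in
# /etc/letsencrypt/renewal-hooks/deploy/ for each renewed lineage, with
# RENEWED_LINEAGE set to /etc/letsencrypt/live/<name>.
#
# Assumptions (adjust for your host): the lineage chronyd uses is
# time.example.com, chronyd reads its cert/key from /etc/chrony/certs,
# chronyd runs with group _chrony (Debian default), and its unit is "chrony".
set -u

: "${CHRONY_CERT_NAME:=time.example.com}"
: "${CHRONY_CERT_DIR:=/etc/chrony/certs}"
: "${CHRONY_GROUP:=_chrony}"
: "${CHRONY_UNIT:=chrony}"

# True when the renewed lineage directory is the one chronyd uses.
# certbot calls deploy hooks for every renewal, so filter by lineage name.
lineage_matches() {
    [ "$(basename -- "$1")" = "$2" ]
}

# Copy fullchain.pem and privkey.pem from the lineage into the chrony cert
# directory. cp -L dereferences the live/ symlinks so chronyd gets regular
# files it can read without access to certbot's root-only live/ and archive/
# directories. The key is written 0640 root:<group>; both files are renamed
# into place so chronyd never sees a half-written key. Returns 1 when the
# lineage is not the one we care about.
deploy_chrony_cert() {
    local lineage dest wanted group
    lineage=$1; dest=$2; wanted=$3; group=${4:-}
    lineage_matches "$lineage" "$wanted" || return 1
    mkdir -p -m 0750 -- "$dest"
    cp -L -- "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp -L -- "$lineage/privkey.pem"   "$dest/privkey.pem.tmp"
    chmod 0644 "$dest/fullchain.pem.tmp"
    chmod 0640 "$dest/privkey.pem.tmp"
    if [ -n "$group" ]; then
        chgrp -- "$group" "$dest" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp"
    fi
    mv -f -- "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv -f -- "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# Restart the unit only if it is currently running, so a deliberately stopped
# chronyd is not started as a side effect of a certificate renewal.
restart_if_active() {
    if systemctl is-active --quiet "$1"; then
        systemctl restart "$1"
    fi
}

# Hook entry point. certbot sets RENEWED_LINEAGE for deploy hooks; when the
# file is sourced elsewhere (e.g. for testing) only the functions are defined
# and nothing on the system is touched.
main() {
    if deploy_chrony_cert "$RENEWED_LINEAGE" "$CHRONY_CERT_DIR" \
                          "$CHRONY_CERT_NAME" "$CHRONY_GROUP"; then
        restart_if_active "$CHRONY_UNIT"
    fi
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ and point chrony's ntsservercert / ntsserverkey directives at the copies in CHRONY_CERT_DIR; after that, `certbot renew --force-renewal` as used above should exercise the whole path.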