From 51ebf2f053e629d59297b29d04da37d335b189d4 Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Wed, 4 Dec 2024 11:29:34 +0100 Subject: [PATCH] Added automatic certificate renewal. --- matrix/element-call/README.md | 7 +++---- matrix/nginx/README.md | 22 ++++++++++++++++++++++ 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/matrix/element-call/README.md b/matrix/element-call/README.md index 71b03c6..f032b78 100644 --- a/matrix/element-call/README.md +++ b/matrix/element-call/README.md @@ -107,7 +107,7 @@ After=network.target Restart=always User=www-data Group=www-data -#WorkingDirectory=/opt/lk-jwt-service +WorkingDirectory=/etc/lk-jwt-service EnvironmentFile=/etc/lk-jwt-service/config ExecStart=/usr/local/sbin/lk-jwt-service @@ -115,8 +115,7 @@ ExecStart=/usr/local/sbin/lk-jwt-service WantedBy=multi-user.target ``` -Not sure about the `WorkingDirectory`, so it's commented out until it turns -out to be necessary. We read the options from `/etc/lk-jwt-service/config`, +We read the options from `/etc/lk-jwt-service/config`, which we make read-only for group `www-data` and non-accessible by anyone else. @@ -201,7 +200,7 @@ from the outside world. The certificate files are not in the usual place under `/etc/letsencrypt/live`, see [DNS and -certificate](../coturn/README.md#dnscert) why that is. +certificate (coturn)](../coturn/README.md#dnscert) why that is. The `xxx: xxxx` is the key and secret as generated before. diff --git a/matrix/nginx/README.md b/matrix/nginx/README.md index 16b1f89..122bd59 100644 --- a/matrix/nginx/README.md +++ b/matrix/nginx/README.md 
@@ -41,6 +41,28 @@ certbot certonly --nginx --agree-tos -m system@example.com --non-interactive -d Substitute the correct e-mailaddress and FQDN, or course. +## Automatic renewal {#certrenew} + +Certificates have a limited lifetime, and need to be updated every once in a +while. This should be done automatically by Certbot, see if `systemctl +list-timers` lists `certbot.timer`. + +However, renewing the certificate means you'll have to restart the software +that's using it. We have 2 or 3 pieces of software that use certificates: +[coturn](../cotorun) and/or [LiveKit](../livekit), and [nginx](../nginx). + +Coturn/LiveKit are special with regards to the certificate, see their +respective pages. For nginx it's pretty easy: tell Letsencrypt to restart it +after a renewal. + +You do this by adding this line to the \[renewalparams\] in +`/etc/letsencrypt/renewal/`: + +``` +renew_hook = systemctl try-reload-or-restart nginx +``` + + # Configuration Almost all traffic should be encrypted, so a redirect from http to https seems
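Review bot: In the first element-call/README.md hunk (`@@ -107,7 +107,7 @@`), `WorkingDirectory=/etc/lk-jwt-service` points the unit's working directory at the configuration directory that the same README says is made "non-accessible by anyone else" than group `www-data`; systemd performs the chdir as `User=www-data`, so `/etc/lk-jwt-service` must at least be searchable (execute bit) by that group or the service will fail to start, and the README should state that permission requirement. This hunk is also unrelated to the commit subject "Added automatic certificate renewal."; either mention the WorkingDirectory change in the commit message or split it into its own commit.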
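Review bot: In the second element-call/README.md hunk (`@@ -115,8 +115,7 @@`), dropping the "Not sure about the `WorkingDirectory`" sentence leaves the remaining paragraph ("We read the options from `/etc/lk-jwt-service/config`, which we make read-only for group `www-data` and non-accessible by anyone else.") describing only the file permissions; since the unit now starts in that directory, add a sentence saying the directory itself stays readable and searchable by group `www-data` so the read-only/non-accessible statement is not misread as applying to the directory.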
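Review bot: In the nginx/README.md hunk, the link `[coturn](../cotorun)` has a typo in the target (`cotorun` instead of `coturn`) and will 404, and `[nginx](../nginx)` links the page to itself, so that link can be dropped. The path `/etc/letsencrypt/renewal/` is a directory, not the file that holds `[renewalparams]`; name the per-certificate file, e.g. `/etc/letsencrypt/renewal/<your FQDN>.conf`, so readers know where `renew_hook = systemctl try-reload-or-restart nginx` goes (alternatively, a script in `/etc/letsencrypt/renewal-hooks/deploy/` applies to every certificate and is not tied to one renewal file). "tell Letsencrypt to restart it" should read "tell Certbot", since the hook is executed by the local Certbot run, not by Let's Encrypt; "We have 2 or 3 pieces of software" should say which deployments use which, and the pre-existing context line "Substitute the correct e-mailaddress and FQDN, or course." has two typos ("e-mail address", "of course") worth fixing while this file is touched.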