Added automatic certificate renewal.

This commit is contained in:
Hans van Zijst 2024-12-04 11:29:34 +01:00
parent 0fe7ab4924
commit 51ebf2f053
Signed by: hans
GPG key ID: 43DBCC37BFDEFD72
2 changed files with 25 additions and 4 deletions

View file

@ -107,7 +107,7 @@ After=network.target
Restart=always Restart=always
User=www-data User=www-data
Group=www-data Group=www-data
#WorkingDirectory=/opt/lk-jwt-service WorkingDirectory=/etc/lk-jwt-service
EnvironmentFile=/etc/lk-jwt-service/config EnvironmentFile=/etc/lk-jwt-service/config
ExecStart=/usr/local/sbin/lk-jwt-service ExecStart=/usr/local/sbin/lk-jwt-service
@ -115,8 +115,7 @@ ExecStart=/usr/local/sbin/lk-jwt-service
WantedBy=multi-user.target WantedBy=multi-user.target
``` ```
Not sure about the `WorkingDirectory`, so it's commented out until it turns We read the options from `/etc/lk-jwt-service/config`,
out to be necessary. We read the options from `/etc/lk-jwt-service/config`,
which we make read-only for group `www-data` and non-accessible by anyone which we make read-only for group `www-data` and non-accessible by anyone
else. else.
@ -201,7 +200,7 @@ from the outside world.
The certificate files are not in the usual place under The certificate files are not in the usual place under
`/etc/letsencrypt/live`, see [DNS and `/etc/letsencrypt/live`, see [DNS and
certificate](../coturn/README.md#dnscert) why that is. certificate (coturn)](../coturn/README.md#dnscert) why that is.
The `xxx: xxxx` is the key and secret as generated before. The `xxx: xxxx` is the key and secret as generated before.

View file

@ -41,6 +41,28 @@ certbot certonly --nginx --agree-tos -m system@example.com --non-interactive -d
Substitute the correct e-mailaddress and FQDN, or course. Substitute the correct e-mailaddress and FQDN, or course.
## Automatic renewal {#certrenew}
Certificates have a limited lifetime, and need to be updated every once in a
while. This should be done automatically by Certbot, see if `systemctl
list-timers` lists `certbot.timer`.
However, renewing the certificate means you'll have to restart the software
that's using it. We have 2 or 3 pieces of software that use certificates:
[coturn](../cotorun) and/or [LiveKit](../livekit), and [nginx](../nginx).
Coturn/LiveKit are special with regards to the certificate, see their
respective pages. For nginx it's pretty easy: tell Letsencrypt to restart it
after a renewal.
You do this by adding this line to the \[renewalparams\] in
`/etc/letsencrypt/renewal/<certificate name>`:
```
renew_hook = systemctl try-reload-or-restart nginx
```
# Configuration # Configuration
Almost all traffic should be encrypted, so a redirect from http to https seems Almost all traffic should be encrypted, so a redirect from http to https seems