Automatically Renew Certbot Certificates With systemd Timers
It could be tiresome to have to manually renew your Let’s Encrypt certificates using Certbot on your VPSs every few months. This gets increasingly frustrating as you have more services and thus, more certificates to renew. Having to renew them manually is also quite detrimental to the scalability of your services and infrastructure. Therefore, there emerges a need to enable the certificates to self-renew. This article will introduce a relatively new way to perform automatic certificate renewal with systemd timers instead of traditional ways such as crontab.
Why? Because on a system with systemd, it is easier to have everything managed through systemd.
In order to achieve auto-renewal of certificates, we will need to write two systemd unit files: a service unit which defines what to execute, and a timer which defines when to execute.
Writing a Service Unit
In simple terms, the systemd service file defines the commands to be executed for the certificate renewal. You can think of it as similar to a script. Here are some noteworthy points:
- Type=oneshot: This option makes the service unit behave more like a script: the unit does not become a daemon, and you can define multiple ExecStart entries, which execute sequentially in the order written. If any entry fails, the unit is considered failed.
- The first ExecStart: Launches Certbot in -n (non-interactive) mode to renew the certificates. More arguments can be added as needed.
- The second ExecStart: Optional. Certbot needs to listen on port 80 for web-based authentication. Since port 80 is a privileged port, Certbot needs to run with root privileges, which means the saved certificates are owned by root:root. This second command hands over ownership of the certificates to the group that needs them. You can modify this command as needed.
- The third ExecStart: Restarts the service(s) that use the expiring certificates so they load the refreshed ones. Some services also support reload as a more graceful alternative to restart.
This example below is written for one of my matrix-synapse servers. Since Certbot requires root privileges to listen on port 80 to renew the certificates, the renewed certificates it releases into /etc/letsencrypt are also owned by root:root. My coarse solution for this problem is to simply use a chown command to yield the ownership of the needed directories to the service’s group ssl-cert per the conventions. The user matrix-synapse is a member of the ssl-cert group, which gives it access to the certificates and keys.
Of course, should you have multiple services running on the same server or just wish to have more fine-grained permissions, you can always design a more intricate chown command or seek an alternative solution for the permissions. I am merely demonstrating the bare minimums here.
Another thing worth mentioning is that if you have Certbot installed via pip (not that you should) instead of a package manager, Certbot will be at /usr/local/bin/certbot instead of /usr/bin/certbot.
Unit file: /etc/systemd/system/certbot-renew.service

[Unit]
Description=Renew Certbot certificates
Wants=certbot-renew.timer

[Service]
Type=oneshot
WorkingDirectory=/etc/letsencrypt
ExecStart=/usr/bin/certbot renew --standalone -n
ExecStart=/usr/bin/chown root:ssl-cert -R /etc/letsencrypt/archive /etc/letsencrypt/live
ExecStart=/usr/bin/systemctl restart matrix-synapse

[Install]
WantedBy=multi-user.target
Writing a Timer Unit
The timer file controls when and how often the service file is executed.
- OnCalendar=daily: Denotes that the service file above should be executed on a daily basis.
- Persistent=true: The last time the timer ran is stored on disk. If for whatever reason (e.g., the machine was powered off) the timer did not fire on time, the service is executed immediately the next time the timer is loaded.
Unit file: /etc/systemd/system/certbot-renew.timer
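The post does not reproduce the timer file itself, so before enabling the pair it helps to have a quick check that the service and timer actually express what the two sections above describe. The following is an added example written for this page, not code from the post or from systemd: a minimal parser for systemd unit syntax plus a lint for the service/timer pair. The service text is the one shown above; the timer text is my assumed version built from the two options the post lists (OnCalendar=daily, Persistent=true). The function names (parse_unit, lint_service, lint_timer, lint_pair) are mine.

```python
"""Lint a certbot-renew service/timer pair before enabling it.

Added example for this page, not the post's own code. The service unit
is the one shown in the post; the timer unit below is an ASSUMED version
built from the options the post lists, since the post does not show it.
"""
from collections import defaultdict

SERVICE_UNIT = """\
[Unit]
Description=Renew Certbot certificates
Wants=certbot-renew.timer

[Service]
Type=oneshot
WorkingDirectory=/etc/letsencrypt
ExecStart=/usr/bin/certbot renew --standalone -n
ExecStart=/usr/bin/chown root:ssl-cert -R /etc/letsencrypt/archive /etc/letsencrypt/live
ExecStart=/usr/bin/systemctl restart matrix-synapse

[Install]
WantedBy=multi-user.target
"""

# Assumed timer unit (constructed here; the post only names its two options).
TIMER_UNIT = """\
[Unit]
Description=Run certbot-renew.service daily

[Timer]
OnCalendar=daily
Persistent=true
Unit=certbot-renew.service

[Install]
WantedBy=timers.target
"""


def parse_unit(text):
    """Parse unit syntax into {section: {key: [value, ...]}}.

    Repeated keys (several ExecStart= lines) are kept in order, which is
    exactly what Type=oneshot relies on to run them sequentially.
    """
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        sections[section][key.strip()].append(value.strip())
    return sections


def lint_service(unit):
    """Check the points the post makes about the service unit."""
    problems = []
    svc = unit.get("Service", {})
    if svc.get("Type") != ["oneshot"]:
        problems.append("Service: Type=oneshot is required for sequential ExecStart lines")
    execs = svc.get("ExecStart", [])
    if not execs:
        problems.append("Service: no ExecStart= command")
    for cmd in execs:
        if not cmd:
            problems.append("Service: empty ExecStart=")
            continue
        # systemd requires an absolute executable path; strip its prefix chars
        prog = cmd.split()[0].lstrip("-@:+!")
        if not prog.startswith("/"):
            problems.append(f"Service: ExecStart program is not an absolute path: {cmd}")
    if not any("certbot" in c and " renew" in c for c in execs):
        problems.append("Service: no 'certbot renew' command found")
    return problems


def lint_timer(unit, service_name):
    """Check the schedule, catch-up behaviour and install target of the timer."""
    problems = []
    timer = unit.get("Timer", {})
    if "OnCalendar" not in timer and "OnUnitActiveSec" not in timer:
        problems.append("Timer: no OnCalendar= (or OnUnitActiveSec=) schedule")
    if timer.get("Persistent") != ["true"]:
        problems.append("Timer: Persistent=true missing; a run missed during downtime would be skipped")
    target = timer.get("Unit", [service_name])[0]
    if target != service_name:
        problems.append(f"Timer: Unit= points at {target}, expected {service_name}")
    if unit.get("Install", {}).get("WantedBy") != ["timers.target"]:
        problems.append("Timer: [Install] should be WantedBy=timers.target so 'systemctl enable' works")
    return problems


def lint_pair(service_text, timer_text, service_name="certbot-renew.service"):
    """Return all problems found in the service/timer pair (empty list = clean)."""
    return lint_service(parse_unit(service_text)) + lint_timer(parse_unit(timer_text), service_name)


if __name__ == "__main__":
    for p in lint_pair(SERVICE_UNIT, TIMER_UNIT) or ["no problems found"]:
        print(p)
```

Once the pair lints clean and both files are in /etc/systemd/system, the standard steps are `systemctl daemon-reload`, `systemctl enable --now certbot-renew.timer`, and `systemctl list-timers` to confirm the next scheduled run; note that it is the timer, not the service, that gets enabled.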
- https://k4yt3x.com/automatically-renew-certbot-certificates-with-systemd-timers/ - 2019-2024 K4YT3X. All rights reserved.