After renewal - should I move the certs?


#1

I am successfully renewing certificates on Ubuntu 16.04 using:
sudo letsencrypt renew

After the certs are created, I am currently manually moving them to the /etc/ssl folder where my sites-available/default file finds them.

What is the correct approach to full automation?

  1. copy the certs to the /etc/ssl folder
  2. change the location of the folder where the certs are generated to /etc/ssl

I tried #2 by editing the /etc/letsencrypt/renewal/[mydomain].conf but I get the warning:
Renewal configuration file is broken.
I was careful to only change the location of the cert folder.

Advice?


#2

Ordinarily I would recommend configuring software to use the /etc/letsencrypt/live/ softlinks.

If that’s not practical, or you don’t want to do it for some reason, copying makes next best sense. You can tell the client to run something (e.g. a shell script) each time it successfully obtains a certificate, and this code can take care of copying everything to a particular directory, restarting servers, playing a PCM audio recording of the single “Who Let The Dogs Out” or whatever. You should check if your copy of the letsencrypt script is new enough, as later versions (named Certbot) introduced new features.

sudo letsencrypt renew --post-hook "/run/some/script/by/thierce"
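
A hook script of the kind described in the reply above, as an added example that is not part of the original thread: it copies the certificate and key out of the live/ directory (following the symlinks) with owner-only permissions on the key, and reports whether anything changed so the server is restarted only when needed. The function name, the argument layout and the RELOAD_CMD variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Destination path and RELOAD_CMD are assumptions.

# deploy_cert LIVE_DIR DEST_DIR
# Copies fullchain.pem and privkey.pem out of a live/ directory (following
# its symlinks) into DEST_DIR.
# Returns 0 if a file was updated, 1 if nothing changed, 2 on error.
deploy_cert() {
    live_dir=$1
    dest_dir=$2
    changed=1

    [ -d "$dest_dir" ] || return 2
    # Refuse to touch anything unless both sources exist and are non-empty.
    for name in fullchain.pem privkey.pem; do
        [ -s "$live_dir/$name" ] || return 2
    done

    for name in fullchain.pem privkey.pem; do
        src="$live_dir/$name"
        dst="$dest_dir/$name"
        if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
            continue                      # already current
        fi
        case $name in
            privkey.pem) mode=0600 ;;     # private key: owner read/write only
            *)           mode=0644 ;;
        esac
        # install copies the symlink target's contents and sets the mode;
        # the rename then replaces the old file in one step.
        install -m "$mode" "$src" "$dst.new" || return 2
        mv -f "$dst.new" "$dst" || return 2
        changed=0
    done
    return "$changed"
}

# Hook entry point: <script> LIVE_DIR DEST_DIR
if [ "$#" -eq 2 ]; then
    rc=0
    deploy_cert "$1" "$2" || rc=$?
    # Restart only when a file changed. RELOAD_CMD is a hypothetical variable
    # holding your web server's restart command.
    if [ "$rc" -eq 0 ] && [ -n "${RELOAD_CMD:-}" ]; then
        sh -c "$RELOAD_CMD"
    fi
    [ "$rc" -ne 2 ] || exit 2
fi
```

Because the copy in the destination folder is a regular file rather than a symlink, the folder should be writable by root only.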

#3

Thanks tialaramex,
--post-hook looks good.
Using the /etc/letsencrypt/live/ links is not a problem and is working.
The --post-hook will let me do a restart afterwards - great.

