Prosody (XMPP/Jabber): how to automate the certificate update every 3 months

Hi Friends!
On a Debian 9 VPS, using certbot for Prosody certs is quite easy:

prosodyctl --root cert import /etc/letsencrypt/live

but my question is:

Certbot for Debian 9 comes with a cron job that will renew existing certificates automatically:

Automating renewal

The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run

So, what is the right way to tell "prosodyctl" that the certificates have changed, i.e. to run "prosodyctl --root cert.." only when there is a change / update of the certificate?

Many many thanks!

Davide


Hi @danjde

you can use the

--deploy-hook

to do that.

https://certbot.eff.org/docs/using.html

--pre-hook and --post-hook hooks run before and after every renewal attempt. If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this.


Do you mean customizing/editing the native certbot crontab (/etc/cron.d/certbot), adding "--deploy-hook /path/to/script" to it?

Thanks again!

Davide

No. If you use the --deploy-hook option when requesting the certificate originally, or when renewing it manually with --force-renewal, then the command you supply will be stored in the renewal configuration file for that certificate (in /etc/letsencrypt/renewal/) and any future certbot renew command, including the one in the default crontab or systemd timer, will run it again automatically when that certificate is renewed. You do not need to modify the crontab itself.


WOW, wonderful!!
Certbot has been designed really well!

Many thanks to all!!

Davide


...sorry to return to the subject, but I would like to better understand which way you prefer.

For the same topic (Prosody certs), is it better to create a simple "bash" script that incorporates the command:

prosodyctl --root cert import /etc/letsencrypt/live

or to specify the command in its entirety:

certbot certonly --cert-name server.example.org --webroot -w /var/www/letsencrypt --email example@example.org --deploy-hook "/usr/bin/prosodyctl --root cert import /etc/letsencrypt/live" --expand -d server.example.org...

Many thanks again!

Davide

Either should work, and for a single short command like that I’m not sure there is a preferred way (perhaps a Certbot developer can contradict me).

You might prefer to use a script if you have a long or complex deployment procedure, or if you want to reuse the same procedure for different certificates.


In my mind, the answer may depend on the process of:
[not familiar with this command]

If that can be run whenever/wherever without any concern, then it can stand on its own and be run from cron (as often as you like | daily, hourly, weekly).

If it creates any real "impact" that you would want to occur only when absolutely needed (like stopping & then restarting a service), you would definitely want it attached to a --deploy-hook call.


Sure, this is the wisest behavior :wink:

In practice, "--post-hook" no longer makes sense since the introduction of "--deploy-hook".
Or it makes sense for sending notifications or other minor things...

They serve different purposes. --post-hook is mostly useful for undoing the effects of --pre-hook. For example, if you needed to temporarily open a port in your firewall before the renewal attempt, and close it again afterwards - you would want both things to happen whether the renewal actually succeeded or not. --deploy-hook on the other hand is for things you want to do only after a successful renewal, such as reloading a mail or chat server that will use the newly renewed certificate.

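The two points made above (the --deploy-hook command stored in the renewal configuration so that every later "certbot renew" runs it, and the split between pre/post hooks that run around every attempt and a deploy hook that runs only after a successful renewal) can be combined in one script. The script below is an added example and is not code from the thread, from Certbot or from Prosody. It assumes a hypothetical path /usr/local/bin/le-prosody-hook.sh, the hostname server.example.org used in the thread, iptables as the firewall from the "open a port" example, and the RENEWED_LINEAGE and RENEWED_DOMAINS variables that certbot exports to deploy hooks. The deploy branch only imports when the renewed lineage actually covers the Prosody host, which is what the original question asked for.

```shell
#!/bin/sh
# Certbot hook script for Prosody (example, not the project's code). It
# dispatches on its first argument so one file can be registered for all
# three hooks, e.g. (hypothetical path):
#   certbot certonly --cert-name server.example.org --webroot -w /var/www/letsencrypt \
#       -d server.example.org \
#       --pre-hook    "/usr/local/bin/le-prosody-hook.sh pre" \
#       --post-hook   "/usr/local/bin/le-prosody-hook.sh post" \
#       --deploy-hook "/usr/local/bin/le-prosody-hook.sh deploy"
# pre/post run around every renewal attempt; deploy runs only after a
# successful renewal, with RENEWED_LINEAGE and RENEWED_DOMAINS set by certbot.
set -eu

# Assumed values for illustration; override them via the environment.
XMPP_HOST="${XMPP_HOST:-server.example.org}"
LE_LIVE_DIR="${LE_LIVE_DIR:-/etc/letsencrypt/live}"
PROSODYCTL="${PROSODYCTL:-/usr/bin/prosodyctl}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# pre-hook: temporarily allow inbound HTTP for the webroot (HTTP-01) challenge.
open_http_port() {
    "$IPTABLES" -I INPUT -p tcp --dport 80 -j ACCEPT
}

# post-hook: remove that rule again, whether or not the renewal succeeded.
close_http_port() {
    "$IPTABLES" -D INPUT -p tcp --dport 80 -j ACCEPT
}

# Return 0 if HOST appears in the space-separated DOMAINS list.
lineage_covers_host() {
    domains="$1"; host="$2"
    for d in $domains; do
        [ "$d" = "$host" ] && return 0
    done
    return 1
}

# Basename of a lineage directory, tolerating a trailing slash.
lineage_name() {
    n="${1%/}"
    printf '%s\n' "${n##*/}"
}

# deploy-hook: import the renewed certificate for XMPP_HOST into Prosody's
# certificate directory; a no-op when the lineage belongs to another host.
deploy_to_prosody() {
    lineage="$1"; domains="$2"
    if lineage_covers_host "$domains" "$XMPP_HOST"; then
        "$PROSODYCTL" --root cert import "$XMPP_HOST" "$LE_LIVE_DIR"
    else
        echo "lineage $(lineage_name "$lineage") does not cover $XMPP_HOST; nothing to do" >&2
    fi
}

run_hook() {
    case "${1:-}" in
        pre)    open_http_port ;;
        post)   close_http_port ;;
        deploy) deploy_to_prosody "${RENEWED_LINEAGE:?set by certbot}" \
                                  "${RENEWED_DOMAINS:?set by certbot}" ;;
        *)      echo "usage: $0 pre|post|deploy" >&2; return 2 ;;
    esac
}

# Only dispatch when certbot (or an operator) passes a hook name.
if [ $# -gt 0 ]; then
    run_hook "$@"
fi
```

Once registered with the options shown in the header comment, the three commands are written into /etc/letsencrypt/renewal/server.example.org.conf and the stock cron job or systemd timer runs them on its own; the post branch closes the port even on a failed attempt, while the deploy branch, and therefore the prosodyctl import, only happens when that lineage was actually renewed. The IPTABLES and PROSODYCTL variables exist so the script can be dry-run with `IPTABLES=echo PROSODYCTL=echo` before being trusted under cron.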

Many thanks, a very very useful explanation!

:+1:

