Prosody (XMPP/Jabber): how to automate the certificate update every 3 months


#1

Hi Friends!
On a Debian 9 VPS, using certbot for Prosody certs is quite easy:

prosodyctl --root cert import /etc/letsencrypt/live

but my question is:

Certbot for Debian 9 comes with a cron job that will renew existing certificates automatically:

Automating renewal

The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let’s Encrypt certificates last for 90 days, it’s highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run

So, which is the right way to tell “prosodyctl” that the certificates have changed, so that “prosodyctl --root cert…” runs only when there is a change / update of the certificate?

Many many thanks!

Davide


#2

Hi @danjde

you can use the --deploy-hook to do that.

--pre-hook and --post-hook hooks run before and after every renewal attempt. If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this.


#3

Do you mean customizing/editing the native certbot crontab (/etc/cron.d/certbot), adding the “--deploy-hook /path/to/script”?

Thanks again!

Davide


#4

No. If you use the --deploy-hook option when requesting the certificate originally, or when renewing it manually with --force-renewal, then the command you supply will be stored in the renewal configuration file for that certificate (in /etc/letsencrypt/renewal/) and any future certbot renew command, including the one in the default crontab or systemd timer, will run it again automatically when that certificate is renewed. You do not need to modify the crontab itself.


#5

WOW, wonderful!!
Certbot has been designed really well!

Many thanks to all!!

Davide


#6

…sorry to return to the subject, but I would like to understand better which way you prefer.

For the same topic (Prosody certs), is it better to create a simple “bash” script that incorporates the command:

prosodyctl --root cert import /etc/letsencrypt/live

or to give the command in its entirety:

certbot certonly --cert-name server.example.org --webroot -w /var/www/letsencrypt --email example@example.org --deploy-hook "/usr/bin/prosodyctl --root cert import /etc/letsencrypt/live" --expand -d server.example.org...

Many thanks again!

Davide


#7

Either should work, and for a single short command like that I’m not sure there is a preferred way (perhaps a Certbot developer can contradict me).

You might prefer to use a script if you have a long or complex deployment procedure, or if you want to reuse the same procedure for different certificates.


#8

In my mind, the answer may depend on the process of:
[not familiar with this command]

If that can be run whenever/wherever without any concern, then it can stand on its own and be run from cron (as often as you like | daily, hourly, weekly).

If it creates any real “impact” that you would want to occur only when absolutely needed (like stopping & then restarting a service), you would definitely want it attached to a --deploy-hook call.
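The --deploy-hook approach from #4, written as the kind of script #7 and #8 talk about, as an added example that is not code from the thread or from the Certbot/Prosody projects: it runs the same import command the thread uses, but only after a renewal that actually covers an XMPP host, and it relies on the RENEWED_LINEAGE and RENEWED_DOMAINS variables certbot sets for deploy hooks. The XMPP host names and the prosodyctl path are assumed values.

```shell
#!/bin/sh
# Added example deploy-hook script (not from the thread). Certbot runs it only
# after a successful renewal and exports RENEWED_LINEAGE (live directory of the
# renewed certificate) and RENEWED_DOMAINS (space-separated names) to it.
# XMPP_HOSTS and PROSODYCTL are assumed values for this example.
set -eu

XMPP_HOSTS="${XMPP_HOSTS:-server.example.org conference.server.example.org}"
PROSODYCTL="${PROSODYCTL:-/usr/bin/prosodyctl}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # same path as in the thread

# Return 0 when at least one renewed domain ($1, space-separated) is an XMPP
# host, so a renewal of an unrelated (web-only) certificate changes nothing.
renewal_is_for_xmpp() {
    for d in $1; do
        for h in $XMPP_HOSTS; do
            if [ "$d" = "$h" ]; then
                return 0
            fi
        done
    done
    return 1
}

# Import the renewed certificates into Prosody, but only when this run was
# triggered by certbot and the renewed names matter to the XMPP server.
deploy() {
    lineage="${RENEWED_LINEAGE:-}"
    domains="${RENEWED_DOMAINS:-}"
    if [ -z "$lineage" ]; then
        echo "deploy-hook: RENEWED_LINEAGE is not set; not called by certbot" >&2
        return 2
    fi
    if ! renewal_is_for_xmpp "$domains"; then
        echo "deploy-hook: $lineage is not an XMPP certificate; skipping" >&2
        return 0
    fi
    # Hook output is captured in certbot's log, which gives an audit trail.
    echo "deploy-hook: importing renewed certificate ($lineage) into Prosody"
    "$PROSODYCTL" --root cert import "$LIVE_DIR"
}

# Act only when certbot invoked this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy
fi
```

Pass it once with `--deploy-hook /path/to/this-script` when issuing or force-renewing the certificate; as #4 explains, certbot stores it in the renewal configuration and the stock cron job or timer runs it on every later renewal.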