mediagoblin-devel

Re: website glitch


From: ayleph
Subject: Re: website glitch
Date: Mon, 17 Feb 2020 12:39:55 -0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0

I realize I'm a few months late to this thread, but here's a tip for
automating the haproxy part if you haven't figured it out yet.

I use a renewal hook to restart services after renewing a certificate.
See the example below.

----------------

$ cat /etc/letsencrypt/renewal-hooks/deploy/restart-local-services.sh
#!/bin/sh

systemctl restart dovecot postfix haproxy

----------------

This will run any time any cert on the machine is renewed, which could
cause multiple restarts. If you want to take specific actions for
specific certs, you can switch on the $RENEWED_DOMAINS variable as shown
in this example from the Certbot documentation at
https://certbot.eff.org/docs/using.html#renewing-certificates.

-------8<-------

#!/bin/sh

set -e

for domain in $RENEWED_DOMAINS; do
        case $domain in
        example.com)
                daemon_cert_root=/etc/some-daemon/certs

                # Make sure the certificate and private key files are
                # never world readable, even just for an instant while
                # we're copying them into daemon_cert_root.
                umask 077

                cp "$RENEWED_LINEAGE/fullchain.pem" \
                        "$daemon_cert_root/$domain.cert"
                cp "$RENEWED_LINEAGE/privkey.pem" \
                        "$daemon_cert_root/$domain.key"

                # Apply the proper file ownership and permissions for
                # the daemon to read its certificate and key.
                chown some-daemon "$daemon_cert_root/$domain.cert" \
                        "$daemon_cert_root/$domain.key"
                chmod 400 "$daemon_cert_root/$domain.cert" \
                        "$daemon_cert_root/$domain.key"

                service some-daemon restart >/dev/null
                ;;
        esac
done

-------8<-------


On 11/23/19 8:11 AM, Simon Fondrie-Teitler wrote:
> Thanks for the heads up. I've got the renewal automated, just not the piece 
> that tells haproxy it has been renewed. It's back up now.
> 
> hjenkins <address@hidden> writes:
> 
>> The security cert for https://issues.mediagoblin.org/ seems to have 
>> expired on 15 November 2019.
> 

-- 
ayleph
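
A deploy hook for the HAProxy case discussed in this thread, as an added example that is not part of ayleph's message or the Certbot documentation. HAProxy's `crt` setting reads the certificate chain and private key from one PEM file, so the hook concatenates them under a restrictive umask, swaps the file in atomically, and checks the configuration before reloading. The paths `/etc/haproxy/certs` and `/etc/haproxy/haproxy.cfg` and the helper name `install_haproxy_pem` are assumptions.

```sh
#!/bin/sh
# Added example: certbot deploy hook that feeds HAProxy a renewed certificate.
set -eu

# Assumed locations; adjust to match the "crt" path in your bind line.
HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# install_haproxy_pem LINEAGE_DIR DEST_DIR  (hypothetical helper)
# Writes DEST_DIR/<lineage name>.pem = fullchain.pem + privkey.pem and
# prints the resulting path. Fails without touching the old file if either
# input is missing or empty.
install_haproxy_pem() {
    lineage=$1
    dest_dir=$2
    name=$(basename "$lineage")
    [ -s "$lineage/fullchain.pem" ] && [ -s "$lineage/privkey.pem" ] || return 1

    old_umask=$(umask)
    umask 077                       # key material is never group/world readable
    # Temp file in the destination directory so the final mv is an atomic
    # rename: HAProxy sees the old PEM or the new one, never a partial file.
    tmp=$(mktemp "$dest_dir/.$name.pem.XXXXXX") || { umask "$old_umask"; return 1; }
    if cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" &&
        chmod 400 "$tmp" && mv -f "$tmp" "$dest_dir/$name.pem"; then
        umask "$old_umask"
        printf '%s\n' "$dest_dir/$name.pem"
    else
        rm -f "$tmp"
        umask "$old_umask"
        return 1
    fi
}

# certbot exports RENEWED_LINEAGE only when it runs this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_haproxy_pem "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR" >/dev/null
    # Check the configuration first so a bad file cannot take the proxy
    # down, then reload instead of restart to keep existing connections.
    haproxy -c -f "$HAPROXY_CFG" >/dev/null
    systemctl reload haproxy
fi
```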


