soju/contrib/certbot.md

Setting up Certbot for soju

If you are using Certbot to obtain HTTPS certificates, you can set up soju like so:

• Obtain the certificate:

  certbot certonly -d <domain>
  

• Allow all local users to access certificates (private keys are still protected):

  chmod 0755 /etc/letsencrypt/{live,archive}
  

• Allow the soju user to read the private key:

  chmod 0640 /etc/letsencrypt/live/<domain>/privkey.pem
  chgrp soju /etc/letsencrypt/live/<domain>/privkey.pem
  

• Set the tls directive in the soju configuration file:

  tls /etc/letsencrypt/live/<domain>/fullchain.pem /etc/letsencrypt/live/<domain>/privkey.pem
  

• Configure Certbot to reload soju. Edit /etc/letsencrypt/renewal-hooks/post/soju.sh and add a command to reload soju, for instance:

  #!/bin/sh -eu
  systemctl reload soju
  

  Then mark the script as executable:

  chmod 755 /etc/letsencrypt/renewal-hooks/post/soju.sh