sad/soju
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
soju/contrib/certbot.md
Simon Ser 3e1efea6e5 contrib/certbot: set -eu in renewal hook 
That way the script fails if the reload fails.
2023-12-08 17:04:17 +01:00

969 B
Raw Permalink Blame History

Setting up Certbot for soju

If you are using Certbot to obtain HTTPS certificates, you can set up soju like so:

  • Obtain the certificate:

    certbot certonly -d <domain>

  • Allow all local users to access certificates (private keys are still protected):

    chmod 0755 /etc/letsencrypt/{live,archive}

  • Allow the soju user to read the private key:

    chmod 0640 /etc/letsencrypt/live/<domain>/privkey.pem
chgrp soju /etc/letsencrypt/live/<domain>/privkey.pem

  • Set the tls directive in the soju configuration file:

    tls /etc/letsencrypt/live/<domain>/fullchain.pem /etc/letsencrypt/live/<domain>/privkey.pem

  • Configure Certbot to reload soju. Edit /etc/letsencrypt/renewal-hooks/post/soju.sh and add a command to reload soju, for instance:

    #!/bin/sh -eu
systemctl reload soju

    Then mark the script as executable:

    chmod 755 /etc/letsencrypt/renewal-hooks/post/soju.sh