ntpd Certificate Loading
Richard Laager
rlaager at wiktel.com
Tue Jun 9 08:40:24 UTC 2020
On 6/9/20 3:20 AM, Mike Simpson via devel wrote:
> As you only get a 90 day very from LE I now have a cron job after the “certbot renew” which copies the keys over and chown them. It feels clunky.
Use a deploy hook. I wrote the attached one for Debian. Note that Debian
uses user "ntpsec" and group "ntpsec". Change that to "ntp" and "ntp"
for other environments.
Install the script (marking it executable) as:
/etc/letsencrypt/renewal-hooks/deploy/ntpsec
Then set NTPSEC_CERTBOT_CERT_NAME="your.cert.hostname" in
/etc/default/ntpsec (or edit the script).
--
Richard
-------------- next part --------------
#!/bin/sh -eu
# vim: ai ts=4 sts=4 et sw=4
#
# certbot deploy hook: install the renewed Let's Encrypt certificate and key
# where ntpd (NTPsec) can read them, then ask ntpd to reload them.
# certbot exports RENEWED_DOMAINS (a space-separated list of the names on the
# renewed certificate) to deploy hooks.

if [ -r /etc/default/ntpsec ]
then
    . /etc/default/ntpsec
fi

# Nothing to do unless the admin named the certificate ntpd should use.
if [ -z "${NTPSEC_CERTBOT_CERT_NAME-}" ]
then
    exit 0
fi

# If the certificate being deployed is not the one for ntpd, exit.
# RENEWED_DOMAINS must be expanded unquoted so the shell splits it into
# one domain per loop iteration (quoting it would compare the whole list
# as a single word and never match a multi-name certificate).
found=0
for domain in ${RENEWED_DOMAINS-}
do
    if [ "$domain" = "$NTPSEC_CERTBOT_CERT_NAME" ]
    then
        found=1
    fi
done
if [ "$found" = "0" ]
then
    exit 0
fi

# Copy the certificate (including chain) and key so ntpd can read them
# after dropping privileges: the chain is public (0644); the key stays
# root-owned, readable by group ntpsec, and never world-readable (0640).
install -m 644 /etc/letsencrypt/live/"$NTPSEC_CERTBOT_CERT_NAME"/fullchain.pem \
    /etc/ntpsec/cert-chain.pem
install -m 640 -g ntpsec \
    /etc/letsencrypt/live/"$NTPSEC_CERTBOT_CERT_NAME"/privkey.pem \
    /etc/ntpsec/key.pem

# Tell ntpd to reload the certificate and key.
killall -HUP ntpd 2>/dev/null || true
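The two things that most often go wrong with a hook like this are the domain match (certbot hands the hook a space-separated RENEWED_DOMAINS list, so a multi-name certificate needs word splitting) and the key ending up world-readable after the copy. The functions below are an added example, not Richard's attached script or anything shipped by NTPsec or certbot; the function names, the sample domain lists and the temporary files are assumptions constructed for illustration. They can be sourced from a hook and run before the killall so that ntpd is only signalled when the deployed pair is sane.

```shell
#!/bin/sh
# Added example (not part of the list post): sanity checks for a certbot
# deploy hook that feeds ntpd. Names and paths here are assumptions.

# Return 0 if NAME is one of the names in DOMAINS, a space-separated list
# in the same shape certbot gives RENEWED_DOMAINS. The list is expanded
# unquoted on purpose so the shell splits it into words.
renewed_domains_include() {
    name=$1
    domains=$2
    for d in $domains; do
        [ "$d" = "$name" ] && return 0
    done
    return 1
}

# Return 0 if FILE is a regular file that "other" cannot read. A private
# key that ntpd reads after dropping privileges should be mode 0640 (or
# stricter) with the ntpd group, never world-readable.
key_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    # find prints the path only when the o=r bit is set (POSIX -perm -mode)
    [ -z "$(find "$f" -perm -o=r -print)" ]
}

# Return 0 when it is safe to send ntpd a SIGHUP: the chain is readable and
# the key is private. A hook would call this just before "killall -HUP ntpd".
safe_to_reload() {
    chain=$1
    key=$2
    [ -r "$chain" ] || return 1
    key_is_private "$key"
}

# Example usage from a hook (paths are the Debian ones from the post):
#   safe_to_reload /etc/ntpsec/cert-chain.pem /etc/ntpsec/key.pem \
#       && killall -HUP ntpd 2>/dev/null
```

The domain check deliberately returns non-zero for an empty list, which is what an unset RENEWED_DOMAINS degrades to under `${RENEWED_DOMAINS-}`; the permission check uses `find -perm -mode` rather than parsing `ls` output so it behaves the same on any POSIX system.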