ntpd Certificate Loading

Richard Laager rlaager at wiktel.com
Tue Jun 9 08:40:24 UTC 2020


On 6/9/20 3:20 AM, Mike Simpson via devel wrote:
> As you only get a 90 day very from LE I now have a cron job after the “certbot renew” which copies the keys over and chown them. It feels clunky.

Use a deploy hook. I wrote the attached one for Debian. Note that Debian
uses user "ntpsec" and group "ntpsec". Change that to "ntp" and "ntp"
for other environments.

Install the script (marking it executable) as:
    /etc/letsencrypt/renewal-hooks/deploy/ntpsec

Then set NTPSEC_CERTBOT_CERT_NAME="your.cert.hostname" in
/etc/default/ntpsec (or edit the script).

-- 
Richard
-------------- next part --------------
#!/bin/sh -eu
# vim: ai ts=4 sts=4 et sw=4

if [ -r /etc/default/ntpsec ]
then
    . /etc/default/ntpsec
fi

if [ -z "${NTPSEC_CERTBOT_CERT_NAME-}" ]
then
    exit 0
fi

# If the certificate being deployed is not the one for ntpd, exit.
# certbot passes RENEWED_DOMAINS as a single space-separated string, so it
# must be expanded unquoted here to get one loop iteration per domain
# (quoting it would only ever match a single-name certificate).
found=0
for domain in ${RENEWED_DOMAINS-}
do
    if [ "$domain" = "$NTPSEC_CERTBOT_CERT_NAME" ]
    then
        found=1
    fi
done
if [ "$found" = "0" ]
then
    exit 0
fi

# Copy the certificate (including chain) and key so ntpd can read them
# after dropping privileges: the chain is world-readable, the key is
# root:ntpsec 0640 and never readable by "other".
install -m 644 /etc/letsencrypt/live/"$NTPSEC_CERTBOT_CERT_NAME"/fullchain.pem \
    /etc/ntpsec/cert-chain.pem
install -m 640 -g ntpsec \
    /etc/letsencrypt/live/"$NTPSEC_CERTBOT_CERT_NAME"/privkey.pem \
    /etc/ntpsec/key.pem

# Tell ntpd to reload the certificate and key.
killall -HUP ntpd 2>/dev/null || true