I finally moved from `Letsencrypt.sh` to dehydrated.
`sudo apt install dehydrated-apache2`
This installs `/etc/apache2/conf-enabled/dehydrated.conf`.
I had to remove `/etc/apache2/conf-enabled/letsencrypt.conf`.
For all configs in `/etc/apache2/sites-available` I had to change the path to the certificates:

```diff
< SSLCertificateFile /etc/letsencrypt.sh/certs/alexschroeder.ch/cert.pem
< SSLCertificateKeyFile /etc/letsencrypt.sh/certs/alexschroeder.ch/privkey.pem
< SSLCertificateChainFile /etc/letsencrypt.sh/certs/alexschroeder.ch/chain.pem
---
> SSLCertificateFile /var/lib/dehydrated/certs/alexschroeder.ch/cert.pem
> SSLCertificateKeyFile /var/lib/dehydrated/certs/alexschroeder.ch/privkey.pem
> SSLCertificateChainFile /var/lib/dehydrated/certs/alexschroeder.ch/chain.pem
```
I moved the directory `/etc/letsencrypt.sh/certs` to `/var/lib/dehydrated/`.
I moved the file `/etc/letsencrypt.sh/domains.txt` to `/etc/dehydrated/`.
I created two files in `/etc/dehydrated/conf.d`:
```
$ cat /etc/dehydrated/conf.d/contact.sh
CONTACT_EMAIL="kensanata@gmail.com"
$ cat /etc/dehydrated/conf.d/hook.sh
HOOK="${BASEDIR}/hook.sh"
```
I moved `/etc/cron.weekly/letsencrypt` to `/etc/cron.weekly/dehydrated` and changed the content:
```sh
#!/bin/sh
/usr/bin/dehydrated -c
```
I moved `/etc/letsencrypt.sh/hook.sh` to `/var/lib/dehydrated/hook.sh` and changed the content as follows:
```bash
#!/bin/bash
# dehydrated calls this with the hook name in $1; for deploy_cert the
# remaining arguments are: 2 domain, 3 privkey, 4 cert, 5 fullchain,
# 6 chain, 7 timestamp. Other hooks (e.g. startup_hook) pass fewer
# arguments, so the parameters are quoted to keep the tests well-formed.
if [ "${1}" == "deploy_cert" ]; then
    echo " + Hook: Reloading Apache for ${2}..."
    service apache2 reload
    # use cat to preserve permissions of the existing target files
    if [ "${2}" == "campaignwiki.org" ]; then
        # 3 is privkey, 4 is cert, 5 is fullchain, 6 is chain, 7 is timestamp
        echo " + Hook: Regenerating miniircd's SSL.pem file..."
        cat "${5}" "${3}" > /var/jail/miniircd/SSL.pem
        echo " + Hook: Regenerating prosody's files..."
        cat "${5}" > /etc/prosody/certs/fullchain.pem
        cat "${3}" > /etc/prosody/certs/privkey.pem
    elif [ "${2}" == "alexschroeder.ch" ]; then
        echo " + Hook: Regenerating monit's .pem file..."
        # 3 is privkey, 4 is cert, 5 is fullchain, 6 is chain, 7 is timestamp
        cat "${5}" "${3}" > /etc/ssl/localcerts/alexschroeder.ch.all.pem
        service monit reload
    fi
else
    echo " + Hook: Nothing to do..."
fi
```

As you can see, the hook is needed because other services use the same certificates, but each of them wants the files in a different form and in a different location.
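A check I would run after the hook has written the combined "fullchain + privkey" files for miniircd and Monit, as an added example that is not part of the original post: it verifies the block order (certificates first, exactly one private key last) and that the file is not group- or world-readable. The paths, file names and PEM bodies are constructed for the demo and are not real keys or certificates.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the combined PEM files
# that a deploy_cert hook produces with "cat fullchain privkey > target".

# Print the labels of the PEM blocks in a file, one per line, in file order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed only if the file holds at least one certificate and exactly one
# private key, and the key is the last block (the order that
# "cat fullchain privkey" produces). Prints a reason on failure.
check_combined_pem() {
    labels=$(pem_labels "$1")
    ncert=$(printf '%s\n' "$labels" | grep -c 'CERTIFICATE$' || true)
    nkey=$(printf '%s\n' "$labels" | grep -c 'PRIVATE KEY$' || true)
    last=$(printf '%s\n' "$labels" | tail -n 1)
    [ "$ncert" -ge 1 ] || { echo "$1: no certificate block"; return 1; }
    [ "$nkey" -eq 1 ] || { echo "$1: expected 1 private key, found $nkey"; return 1; }
    case $last in
        *'PRIVATE KEY') return 0 ;;
        *) echo "$1: private key must be the last block"; return 1 ;;
    esac
}

# Succeed only if group and others have no permission bits on the file
# (the combined file contains the private key, so it must stay private).
check_private_mode() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Write constructed demo files into the given directory: good.pem (cert,
# cert, key; mode 0600) and bad.pem (key first, then a cert; mode 0644).
# The block bodies are placeholders, not real key or certificate material.
write_demo_pems() {
    cert='-----BEGIN CERTIFICATE-----
ZGVtbyBjZXJ0aWZpY2F0ZQ==
-----END CERTIFICATE-----'
    key='-----BEGIN PRIVATE KEY-----
ZGVtbyBrZXk=
-----END PRIVATE KEY-----'
    printf '%s\n%s\n%s\n' "$cert" "$cert" "$key" > "$1/good.pem"
    chmod 0600 "$1/good.pem"
    printf '%s\n%s\n' "$key" "$cert" > "$1/bad.pem"
    chmod 0644 "$1/bad.pem"
}
```

To use it on a real deployment, call `check_combined_pem` and `check_private_mode` on the target file at the end of the `deploy_cert` branch and let a non-zero result fail the hook.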
For Monit, the config file `/etc/monit/conf.d/monit.conf` says:
```
set httpd port 2812 and
    SSL ENABLE
    PEMFILE /etc/ssl/localcerts/alexschroeder.ch.all.pem
    allow *secret*:*secret*
```
For miniircd, the Monit configuration `/etc/monit/conf.d/miniircd.conf` says:
```
check process miniircd matching miniircd
    start program = "/home/alex/src/miniircd/miniircd --state-dir=/ --motd=/motd.txt --setuid=nobody --ssl-pem-file=/SSL.pem --chroot=/var/jail/miniircd --log-file=/miniircd.log --daemon"
    stop program = "/bin/bash -c 'pkill -u nobody -f miniircd'"
    if failed host campaignwiki.org port 6697 type tcpssl for 5 cycles then restart
    if totalmem > 1000 MB for 5 cycles then restart
    if 6 restarts within 15 cycles then timeout
```
I could not get it to write a PID file in the jail and thus I now rely on matching names and `pkill` instead of `kill`.
⁂
See 2022-11-15 Move from Dehydrated to Apache.
– Alex 2022-11-15 16:42 UTC