Renewing certificates

Set up auto-renewal of Let's encrypt certificates

Starting with version 0.9.11, the rport server comes with a built-in automatic certificate management environment (ACME). This ACME can create and renew all certificates needed for secure operation of the rport server. Read more

Continue reading only if the hint above about the built-in ACME doesn't apply to your setup.

If your RPort server runs with Let's Encrypt certificates, the certificates need to be renewed before they expire. On Debian and Ubuntu Linux, certbot comes with an auto-renewal job, but this job requires some fine-tuning to work properly with RPort.

Starting with RPort 0.9.0, the hooks below are deployed by default by the server installer script. If you installed before August 2022, review and change your hooks manually.

Check the scheduler

On Debian and Ubuntu, the certbot package should have installed a systemd timer that checks all certificates for renewal twice a day. Check that the file /lib/systemd/system/certbot.timer exists. The command systemctl list-timers tells you when certbot.timer last ran and when it will run next.

Create hook files

With the default settings, certbot cannot renew your certificates. The renewal must be confirmed by a so-called http-01 challenge, for which certbot brings up a temporary web server on port 80. The policies of Let's Encrypt don't allow using a different port. Usually RPort is already listening on port 80, so certbot cannot bind it and the renewal fails. You must teach certbot how to stop RPort before the renewal and how to start RPort again afterwards.

The stop and start actions below are only executed if a renewal is due. They are not executed every time the certbot timer runs.

By default, certbot renews 30 days before expiry. Because Let's Encrypt certificates are valid for 90 days, this means the hooks are executed every 60 days.

Execute the script below on your rport server from the root account to create the hooks.

# Pre hook: stop rportd so certbot can bind port 80 for the http-01 challenge.
# The delimiter is quoted so the shell writes the hook body verbatim.
cat << 'EOF' > /etc/letsencrypt/renewal-hooks/pre/rport.sh
#!/bin/sh
echo "Stopping rportd for certificate renewal"|logger -t certbot
systemctl stop rportd
EOF
chmod +x /etc/letsencrypt/renewal-hooks/pre/rport.sh

# Post hook: start rportd again so it picks up the renewed certificate.
cat << 'EOF' > /etc/letsencrypt/renewal-hooks/post/rport.sh
#!/bin/sh
echo "Starting rportd after certificate renewal"|logger -t certbot
systemctl start rportd
EOF
chmod +x /etc/letsencrypt/renewal-hooks/post/rport.sh

From now on, certbot will renew the certificates automatically.

You need the above hooks even if RPort is not running on port 80. Without the restart, the renewed certificate is not loaded into the web server of rportd, which keeps serving the old certificate until it expires.
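The following check script is an added example and not part of the RPort documentation or installer. It verifies the pieces described on this page: that certbot.timer is enabled and active, who currently listens on port 80 (expected: rportd), and that both hooks exist, are executable, have a shebang and actually stop and start rportd. The timer name certbot.timer and the hook directory /etc/letsencrypt/renewal-hooks are assumed to match the Debian/Ubuntu certbot package as described above; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not RPort's own code): sanity-check the certbot renewal setup.
# Assumptions: the timer is called certbot.timer, hooks live under
# /etc/letsencrypt/renewal-hooks/{pre,post}/rport.sh as created on this page.

# check_hook FILE EXPECTED_CMD
# Returns 0 if FILE exists, is executable, starts with a shebang and contains
# EXPECTED_CMD (for example "systemctl stop rportd"); prints the reason otherwise.
check_hook() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing hook: $file"; return 1; }
    [ -x "$file" ] || { echo "hook is not executable: $file"; return 1; }
    head -n 1 "$file" | grep -q '^#!' || { echo "hook has no shebang line: $file"; return 1; }
    grep -qF "$expected" "$file" || { echo "hook does not run '$expected': $file"; return 1; }
    return 0
}

# check_hook_dir DIR
# The pre hook must stop rportd (frees port 80 for the http-01 challenge) and
# the post hook must start it again (loads the renewed certificate).
check_hook_dir() {
    dir=$1
    check_hook "$dir/pre/rport.sh" "systemctl stop rportd" && \
    check_hook "$dir/post/rport.sh" "systemctl start rportd"
}

# check_timer: live check that needs a running systemd; only meaningful on the server.
check_timer() {
    systemctl is-enabled certbot.timer >/dev/null 2>&1 || { echo "certbot.timer is not enabled"; return 1; }
    systemctl is-active certbot.timer >/dev/null 2>&1 || { echo "certbot.timer is not active"; return 1; }
    # Shows when the timer last fired and when it fires next.
    systemctl list-timers certbot.timer --no-pager
}

# check_port80: show which process owns port 80; the page's premise is that it is rportd.
check_port80() {
    ss -ltnp 'sport = :80' 2>/dev/null | tail -n +2
}

main() {
    hook_dir=${1:-/etc/letsencrypt/renewal-hooks}
    status=0
    check_timer || status=1
    echo "Listeners on TCP port 80 (expected: rportd):"
    check_port80
    if check_hook_dir "$hook_dir"; then
        echo "renewal hooks OK"
    else
        status=1
    fi
    return $status
}

# Run the live checks only when a hooks directory is passed on the command line
# (e.g. ./check-renewal.sh /etc/letsencrypt/renewal-hooks), so the functions
# above can also be sourced and tested on their own.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it as root on the rport server with the hook directory as its argument; a non-zero exit status means at least one of the prerequisites for unattended renewal is missing. The hook checks are pure file inspections, so they can be run against any copy of the hook directory without touching systemd.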
