Set up auto-renewal of Let's Encrypt certificates
If your RPort server runs with Let's Encrypt certificates, the certificates need to be renewed before they expire. On Debian and Ubuntu Linux, certbot comes with an auto-renewal job, but this job needs some fine-tuning to work properly alongside RPort.
Starting with RPort 0.9.0, the hooks below are deployed by default by the server installer script. If you installed before August 2022, review and change your hooks manually.
On Debian and Ubuntu, the certbot package should have installed a systemd timer that checks all certificates for renewal twice a day. Check that the file /lib/systemd/system/certbot.timer exists. The command systemctl list-timers should tell you when certbot.timer ran for the last time.
[Screenshot: systemctl list-timers output showing the last run of certbot.timer]
With the default settings, certbot cannot renew your certificates. A renewal must be confirmed by a so-called http-01 challenge: certbot brings up a temporary web server on port 80, and Let's Encrypt's policy does not allow a different port for this challenge. Usually RPort is already listening on port 80, so certbot cannot bind it and the renewal fails. You must teach certbot how to stop RPort before the renewal and how to start RPort again afterwards.
The stop and start actions below are only executed if a renewal is due. They are not executed every time the certbot timer runs. By default certbot renews 30 days before expiry; as Let's Encrypt certificates are valid for 90 days, this means the hooks are executed roughly every 60 days.
Execute the below commands on your RPort server from the root account to create the hooks. Each heredoc is closed by an EOF line of its own.
cat << 'EOF' > /etc/letsencrypt/renewal-hooks/pre/rport.sh
#!/bin/sh
# certbot pre hook: stop rportd so certbot can bind port 80 for the http-01 challenge
echo "Stopping rportd for certificate renewal" | logger -t certbot
systemctl stop rportd
EOF
chmod +x /etc/letsencrypt/renewal-hooks/pre/rport.sh
cat << 'EOF' > /etc/letsencrypt/renewal-hooks/post/rport.sh
#!/bin/sh
# certbot post hook: start rportd again, which loads the renewed certificate
echo "Starting rportd after certificate renewal" | logger -t certbot
systemctl start rportd
EOF
chmod +x /etc/letsencrypt/renewal-hooks/post/rport.sh
From now on, certbot will renew the certificates automatically. You can verify the setup without waiting for the next renewal with certbot renew --dry-run, which tests the renewal against the Let's Encrypt staging environment and also runs the pre and post hooks, so rportd is briefly stopped and started.
You need the above hooks even if RPort is not running on port 80: rportd reads the certificate files when it starts, and without the restart the renewed certificate is not loaded into its web server.
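As an added example (not part of the RPort docs and not the installer's own hooks), the following script is a variant of the pre/post hook pair above for the two situations the text describes: freeing port 80 for the http-01 challenge, and restarting rportd so the renewed certificate is loaded. The pre hook records whether rportd was actually running before the renewal, so the post hook only starts it again if the pre hook stopped it (a server you deliberately stopped stays stopped). It also adds an install function and a check that both hooks are in place and executable. The state file path /run/certbot-rportd.was-active and the function names install_hooks and verify_hooks are assumptions; the hook directory is certbot's default /etc/letsencrypt/renewal-hooks.

```shell
#!/bin/sh
# Added example, not RPort project code: certbot renewal hooks for rportd that
# only restart rportd if it was running before the renewal, plus an installer
# and a verification check. Paths and function names are assumptions.
set -eu

# install_hooks HOOKDIR: write pre/rport.sh and post/rport.sh below HOOKDIR.
# Certbot's default HOOKDIR is /etc/letsencrypt/renewal-hooks.
install_hooks() {
    hookdir="$1"
    mkdir -p "$hookdir/pre" "$hookdir/post"

    # The heredoc delimiter is quoted, so nothing inside is expanded at
    # install time; $STATE_FILE is expanded when certbot runs the hook.
    cat > "$hookdir/pre/rport.sh" << 'EOF'
#!/bin/sh
# certbot pre hook: free port 80 for the http-01 challenge.
STATE_FILE="${STATE_FILE:-/run/certbot-rportd.was-active}"   # assumed path
if systemctl is-active --quiet rportd; then
    touch "$STATE_FILE"
    echo "Stopping rportd for certificate renewal" | logger -t certbot
    systemctl stop rportd
else
    rm -f "$STATE_FILE"
    echo "rportd not running, nothing to stop" | logger -t certbot
fi
EOF

    cat > "$hookdir/post/rport.sh" << 'EOF'
#!/bin/sh
# certbot post hook: start rportd again only if the pre hook stopped it.
# rportd reads the certificate at start-up, so this start is what loads
# the renewed certificate into its web server.
STATE_FILE="${STATE_FILE:-/run/certbot-rportd.was-active}"   # assumed path
if [ -e "$STATE_FILE" ]; then
    rm -f "$STATE_FILE"
    echo "Starting rportd after certificate renewal" | logger -t certbot
    systemctl start rportd
fi
EOF

    chmod 0755 "$hookdir/pre/rport.sh" "$hookdir/post/rport.sh"
}

# verify_hooks HOOKDIR: return 0 if both hooks exist, are executable and
# pass a shell syntax check, 1 otherwise (with the reason on stderr).
verify_hooks() {
    hookdir="$1"
    for hook in "$hookdir/pre/rport.sh" "$hookdir/post/rport.sh"; do
        [ -x "$hook" ] || { echo "missing or not executable: $hook" >&2; return 1; }
        sh -n "$hook" || { echo "syntax error in: $hook" >&2; return 1; }
    done
    return 0
}

# Demo (safe to run unprivileged): install into a scratch directory and verify.
# On a real server run instead, as root:
#   install_hooks /etc/letsencrypt/renewal-hooks
#   verify_hooks /etc/letsencrypt/renewal-hooks
#   certbot renew --dry-run    # runs the pre/post hooks against the staging CA
demo_dir=$(mktemp -d)
install_hooks "$demo_dir"
verify_hooks "$demo_dir" && echo "hooks installed under $demo_dir"
rm -rf "$demo_dir"
```

Because install_hooks writes into whatever directory you pass, the script can be exercised unprivileged against a scratch directory before being run as root against /etc/letsencrypt/renewal-hooks. After installing, certbot renew --dry-run executes the pre and post hooks for real, so the two logger lines should appear in the journal under the certbot tag and rportd should be back up afterwards.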