Renewing certificates
Set up auto-renewal of Let's encrypt certificates
Last updated
Set up auto-renewal of Let's encrypt certificates
Last updated
Starting with version 0.9.11 the rport server comes with a built-in automatic certificate management environment (ACME). This ACME can create and renew all certificates needed for a secure operation of the rport server. Read more
✋ Continue reading, only if the above hint regarding the built-in ACME doesn't apply to your setup.
If your RPort server runs with Let's encrypt certificates, the certificates need to be renewed before they expire. On Debian and Ubuntu Linux certbot
comes with an auto-renewal job. But this job requires some fine-tuning to work properly.
Starting with RPort 0.9.0 the below hooks are deployed by default by the server installer script. If you installed before August 2022 review and change your hooks manually.
On Debian and Ubuntu, the certbot
package should have installed a systemd time that checks all certificates for renewal twice a day. Check the file /lib/systemd/system/certbot.timer
exists. The command systemctl list-timers
should tell you, when certbot.timer
run for the last time.
With the default settings, certbot
cannot renew your certificates. The auto-renewal needs to be confirmed by a so-called http-01 challenge. Certbot must bring up a temporary web server on port 80. The policies of Let's encrypt don't allow using a different port. Usually RPort is using the port 80 and therefore certbot
cannot renew. You must teach certbot
how to stop RPort before the renewal and how to start RPort again.
The below stop and start actions are only executed if a renewal is due. They are not executed everytime the certbot timer runs.
By default cetbot renews 30 days before expiry. This means the hooks are executed every 60 days.
Execute the below script on your rport sever from the root account to create the hooks.
From now on, certbot
will renew the certificates automatically.
You need the above hooks even if RPort is not running on port 80. Without the restart the renewed certificate is not loaded into the web server of rportd.