@tuomotalvitie
Forked from ysc3839/README.md
Last active May 17, 2024 07:37
Systemd timer for lego

Fork of https://gist.github.com/ysc3839/6e967c4541f585107eebb6bb777a7935, running with legouser + the OVH DNS challenge. Thank you.


OVH-settings

Since I had snap on the server, I installed lego with sudo snap install lego (and have since regretted it, but went with it anyway).

Restarting Apache turned out to be a bit difficult with the renew hook, hence the separate restart service (which is run every time the lego service runs).

I'm creating the certs in /etc/legossl/ with group www-data to allow the webserver to read them.

Alternatively one could go with Certbot, which also nicely documents the OVH credential creation (certbot-dns-ovh). Since I had some trouble with my internal addresses and local DNS, which resulted in lego trying to use internal.example.com as the zone for site.internal.example.com, and OVH failed the request due to the incorrect zone, I went with --dns.resolvers 1.1.1.1:53, which bypasses the problem.

Place lego.service, lego.timer and apache-restart.service in /etc/systemd/system.

Place config in /var/lib/lego, and webserver-reload.sh in /home/legouser/snap/lego/common/chmod.sh (chown legouser:legouser, +x, so snap can read it). You should modify config and restrict it (chmod 600, chown legouser:legouser). Finally execute sudo systemctl enable lego.timer.

You need to create this directory and run lego ... run once to create the ACME account.

Mistakes should be expected, so do start with the staging server.

apache-restart.service

[Unit]
Description=Restart Apache2 service
After=network.target
[Service]
Type=oneshot
ExecStart=systemctl restart apache2
[Install]
WantedBy=multi-user.target

lego.service

[Unit]
Description=Lets Encrypt client - certificate renewal
# OnSuccess= belongs on the service: it fires when this unit finishes successfully.
# On the timer unit it would never fire, because a timer stays active while waiting.
OnSuccess=apache-restart.service
[Service]
Type=oneshot
EnvironmentFile=/var/lib/lego/config
WorkingDirectory=/etc/legossl
ExecStart=/snap/bin/lego --accept-tos --dns.resolvers 1.1.1.1:53 --dns.resolvers 1.0.0.1:53 --path /etc/legossl -s ${SERVER} -m ${EMAIL} -d ${DOMAIN} $ARGS renew --renew-hook "/home/legouser/snap/lego/common/chmod.sh"
User=legouser
Group=www-data

lego.timer

[Unit]
Description=Lets Encrypt client - certificate renewal
[Timer]
OnCalendar=*-*-* 4:15
RandomizedDelaySec=1h
Persistent=true
[Install]
WantedBy=timers.target

webserver-reload.sh (installed as /home/legouser/snap/lego/common/chmod.sh)

#!/bin/sh
# renew hook: let group www-data read the renewed certificate files
chmod g+r /etc/legossl/certificates/*

config (/var/lib/lego/config)

SERVER="https://acme-v02.api.letsencrypt.org/directory"
# staging for testing:
#SERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
# placeholders: replace with your OVH API credentials
OVH_APPLICATION_KEY=123
OVH_APPLICATION_SECRET=123
OVH_CONSUMER_KEY=123
OVH_ENDPOINT=ovh-eu
EMAIL="email@example.com"
DOMAIN="example.com"
ARGS="--dns ovh"

AppArmor (additions to the snap's profile, between the ++++ markers)

# reload the profile after editing it:
#apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.lego.lego
# A probably better alternative might be modifying the network abstraction. Do remember to reload the AppArmor config.
++++
/etc/legossl/ rw,
/etc/legossl/** rwk,
++++
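As an added example (not the gist's own chmod.sh and not part of lego), a stricter version of the renew hook above: instead of only adding g+r it sets explicit modes, so www-data can read the private key but nobody else can, and it leaves a marker file. The directory argument and the .renewed marker name are my assumptions, chosen so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not the gist's chmod.sh: a stricter renew hook for lego's
# --renew-hook. The certificate directory is a parameter so the same function
# can be run against a scratch directory; the gist's path is
# /etc/legossl/certificates. Assumes lego's file names (*.crt, *.key, *.json).

fix_cert_perms() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # Directory: owner full access, group (www-data) may list/traverse, others none.
    chmod 750 "$dir" || return 1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: the glob stays literal
        case "$f" in
            *.key) chmod 640 "$f" ;;     # private key: group read, never world
            *)     chmod 644 "$f" ;;     # certificate chain and metadata
        esac || return 1
    done
    # Marker (constructed name) that a restart unit could test for and remove.
    : > "$dir/.renewed"
}

# Exit status 0 if any *.key under $1 is readable by "others"; 1 if none is.
key_world_readable() {
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            *[4567]) return 0 ;;          # last octal digit carries the read bit
        esac
    done
    return 1
}

# Stand-alone use as the hook: fix_cert_perms /etc/legossl/certificates
```

Because lego runs --renew-hook only when it actually renews, apache-restart.service could gate on the marker with ConditionPathExists=/etc/legossl/certificates/.renewed and delete it in ExecStartPost=, so Apache is restarted only after a real renewal rather than on every timer run.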

This is what I went with, but I had to create the home directory afterwards (...), so perhaps leave out the --no-create-home parameter.

sudo adduser --system --no-create-home --group legouser

sudo adduser legouser www-data
