---
layout: post
title: How to avoid renewing your certificates
date: 2024-01-26 19:16 +0100
categories: tech
lang: en
description: "Automating certificate renewals, and what can go wrong when you fiddle with the configuration"
---
So, a few months ago, I set up an XMPP server. To manage the TLS certificates,
I wanted to use certbot again. Alas, the version that Debian shipped
in their repos didn't support the deploy hook feature I needed for that (iirc).
So to migrate, I uninstalled the apt repository certbot package, created a venv and installed
certbot via pip (or maybe the other way around), deleted the cronjob and
created a systemd unit instead to renew the certificates, yadda yadda.
Fast forward to a few days ago when I realized my XMPP client on the smartphone
wouldn't connect anymore. A few days later I had the time to investigate.
Sure enough, `certbot certificates` showed (nearly) all my certificates as expired.
Huh?
After digging around in the system to find out what I did at all
("Why is there no cron job? …
Why does journalctl say there was an exit code of 1 of the service?")
I opened the unit / service file to find this line:
```
ExecStart=false && /usr/local/bin/certbot -q renew --no-random-sleep-on-renew
```
… Uuuuhhhhhhh…
I can only imagine this `false` got inserted during the migration phase. And
I forgot to remove it.
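The reason this failed silently for months: systemd does not run `ExecStart=` through a shell, so `&&` is not an operator there. The unit executes `false` with `&&`, `/usr/local/bin/certbot`, `-q`, ... as plain arguments, `false` exits 1, and certbot never runs. A small check that catches exactly this class of mistake, written for this post and not part of it (the unit texts below are constructed samples, and `lint_exec` is a hypothetical helper, not a systemd tool):

```python
# Tokens that a shell would interpret but systemd passes through literally.
SHELL_OPERATORS = {"&&", "||", ";", "|", ">", "<", "2>"}

# Constructed sample: the broken unit from the post, and the corrected one.
BROKEN_UNIT = """[Unit]
Description=Renew certificates

[Service]
Type=oneshot
ExecStart=false && /usr/local/bin/certbot -q renew --no-random-sleep-on-renew
"""

FIXED_UNIT = """[Unit]
Description=Renew certificates

[Service]
Type=oneshot
ExecStart=/usr/local/bin/certbot -q renew --no-random-sleep-on-renew
"""


def exec_lines(unit_text):
    """Yield (key, value) for every Exec*= directive in a unit file."""
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.startswith("Exec"):
            yield key, value.strip()


def lint_exec(unit_text, expected_binary):
    """Report Exec*= lines that do not run expected_binary directly,
    or that smuggle shell operators in as arguments."""
    findings = []
    for key, value in exec_lines(unit_text):
        tokens = value.split()
        if not tokens:
            findings.append(f"{key}: empty command")
            continue
        # Drop systemd's special prefix characters (-, @, :, +, !) from argv[0].
        argv0 = tokens[0].lstrip("-@:+!")
        if argv0 != expected_binary:
            findings.append(f"{key}: runs {argv0!r}, not {expected_binary!r}")
        bad = [t for t in tokens[1:] if t in SHELL_OPERATORS]
        if bad:
            findings.append(f"{key}: shell operator(s) {bad} passed to {argv0!r} as arguments")
    return findings
```

Pair this with `systemctl status` on the timer: a oneshot service that exits 1 on every run shows up in `journalctl`, as the post found, but only if someone looks.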