

  • Create zenupdate service and timer units, adding a hook to restart zend when the certificate is renewed
  • Stop & Disable the default certbot.timer
  • Start the zenupdate.service
  • Check status of the service
  • Start & Enable the zenupdate.timer
  • Check status of the timer and list system timers



Step | Description | Command
1

Create a zenupdate.service unit file that runs certbot renewal with a --deploy-hook that restarts zend if the certificate is renewed.

The reasoning behind creating a custom renewal service and timer is to prevent an update to certbot from overwriting its own default service and timer units when the system is updated. Copy and paste the entire block of text.


Code Block
echo \
"[Unit]
Description=zenupdate.service
  
[Service]
Type=oneshot
ExecStart=$(which certbot) -q renew --preferred-chain \"ISRG Root X1\" --key-type rsa --deploy-hook \"rm -rf /usr/local/share/ca-certificates/* && csplit -s -z -f /usr/local/share/ca-certificates/intermediate-cert- /etc/letsencrypt/live/$FQDN/chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%%02d.crt' && update-ca-certificates --fresh && systemctl restart zend\"
PrivateTmp=true" | sudo tee /lib/systemd/system/zenupdate.service


2

Create a zenupdate.timer unit scheduled to run daily at 06:00 UTC. Copy and paste the entire block of text.


Code Block
echo \
"[Unit]
Description=Run zenupdate unit daily @ 06:00:00 (UTC)

[Timer]
OnCalendar=*-*-* 06:00:00
Unit=zenupdate.service
Persistent=true

[Install]
WantedBy=timers.target" | sudo tee /lib/systemd/system/zenupdate.timer


3

Stop and disable the default certbot timer


Code Block
sudo systemctl stop snap.certbot.renew.timer
sudo systemctl disable snap.certbot.renew.timer


4

Test the zenupdate.service to ensure it works correctly


Code Block
sudo systemctl start zenupdate.service


5

Check the service status, ensuring no failures are listed in the log output. Exit the status command by pressing CTRL + c.


Code Block
sudo systemctl status zenupdate.service



Example Output

zenops@node01:~$ sudo systemctl status zenupdate.service
● zenupdate.service
Loaded: loaded (/lib/systemd/system/zenupdate.service; static)
Active: inactive (dead) since Thu 2018-06-14 00:07:32 CEST; 19s ago

Jun 14 00:07:31 zsec01 systemd[1]: Starting zenupdate.service...
Jun 14 00:07:32 zsec01 systemd[1]: Started zenupdate.service.


6

If the status checks from the previous step are positive, start the zenupdate.timer and enable it


Code Block
sudo systemctl start zenupdate.timer
sudo systemctl enable zenupdate.timer


7

Check the timer status, specifically that it shows an active (waiting) state. Exit the status details by pressing CTRL + c.


Code Block
sudo systemctl status zenupdate.timer


Example Output

zenops@node01:~$ sudo systemctl status zenupdate.timer
zenupdate.timer - Run zenupdate unit daily @ 06:00:00 (UTC)
Loaded: loaded (/lib/systemd/system/zenupdate.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Wed 2018-06-13 19:45:01 CEST; 4h 36min ago

Jun 13 19:45:01 node01 systemd[1]: Started Run zenupdate unit daily @ 06:00:00 (UTC).


8

Verify that the timer is enabled; you should see a row for zenupdate.timer. Exit the listing with CTRL + c.


Code Block
sudo systemctl list-timers


Example Output

zenops@node01:~$ sudo systemctl list-timers
NEXT                          LEFT      LAST                          PASSED     UNIT                          ACTIVATES
Thu 2018-06-14 05:39:15 CEST  11h left  Wed 2018-06-13 08:12:43 CEST  9h ago     apt-daily.timer               apt-daily.service
Thu 2018-06-14 06:00:00 CEST  12h left  n/a                           n/a        zenupdate.timer               zenupdate.service
Thu 2018-06-14 06:18:28 CEST  12h left  Wed 2018-06-13 06:48:03 CEST  10h ago    apt-daily-upgrade.timer       apt-daily-upgrade.service
Thu 2018-06-14 17:32:10 CEST  23h left  Wed 2018-06-13 17:32:10 CEST  14min ago  systemd-tmpfiles-clean.timer  systemd-tmpfiles-clean.service

4 timers listed.
Pass --all to see loaded but inactive timers, too.
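As an added example (not from the original guide), the shell functions below dry-run the csplit step of the deploy hook from step 1 against a constructed chain.pem in a temporary directory, so you can confirm that the split produces one .crt file per certificate before relying on it at renewal time. It assumes GNU csplit from coreutils; the certificate bodies are constructed placeholders, not real certificates, and nothing under /usr/local/share/ca-certificates is touched and zend is not restarted.

```shell
#!/bin/sh
# Dry run of the csplit step used in the zenupdate.service deploy hook.
# The hook splits chain.pem into one file per certificate so that
# update-ca-certificates can pick each intermediate up individually.

# make_sample_chain FILE : write a constructed two-certificate chain
# (placeholder bodies, not real certificates).
make_sample_chain() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'AAAA-constructed-intermediate-one' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'BBBB-constructed-intermediate-two' '-----END CERTIFICATE-----' \
        > "$1"
}

# split_chain CHAIN_PEM OUT_DIR : the hook's csplit invocation, redirected
# into OUT_DIR. Returns 0 only if every produced file holds exactly one
# BEGIN/END certificate pair.
split_chain() {
    chain="$1"; out="$2"
    mkdir -p "$out"
    # -s quiet, -z drop the empty piece before the first BEGIN line, one
    # file per certificate numbered 00, 01, ... The unit file spells the
    # format %%02d because % is a systemd specifier; at the shell it is %02d.
    csplit -s -z -f "$out/intermediate-cert-" "$chain" \
        '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%02d.crt' || return 1
    for f in "$out"/intermediate-cert-*.crt; do
        [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ] || return 1
        [ "$(grep -c -e '-----END CERTIFICATE-----' "$f")" -eq 1 ] || return 1
    done
    return 0
}

# count_certs OUT_DIR : number of .crt files the split produced.
count_certs() {
    ls "$1"/intermediate-cert-*.crt 2>/dev/null | wc -l | tr -d ' '
}

# dryrun : build the sample chain in a temp dir, split it, and print the
# output directory on success (prints nothing and returns 1 on failure).
dryrun() {
    tmp=$(mktemp -d)
    make_sample_chain "$tmp/chain.pem"
    split_chain "$tmp/chain.pem" "$tmp/out" && echo "$tmp/out"
}
```

To rehearse against the live chain instead, point split_chain at /etc/letsencrypt/live/$FQDN/chain.pem with a scratch output directory; the real hook then runs the same command into the system CA directory at renewal.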



Part 10 of 11 - Configure Certificate Renewal
