Part 9

Create zenupdate service and timer units, adding a hook to restart zend when the certificate is renewed
Stop & Disable the default certbot.timer
Start the zenupdate.service
Check status of the service
Start & Enable the zenupdate.timer
Check status of the timer and list system timers


echo \
"[Unit]
Description=zenupdate.service
  
[Service]
Type=oneshot
ExecStart=$(which certbot) -q renew --preferred-chain \"ISRG Root X1\" --key-type rsa --deploy-hook \"rm -rf /usr/local/share/ca-certificates/* && csplit -s -z -f /usr/local/share/ca-certificates/intermediate-cert- /etc/letsencrypt/live/$FQDN/chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%%02d.crt' && update-ca-certificates --fresh && systemctl restart zend\"
PrivateTmp=true" | sudo tee /lib/systemd/system/zenupdate.service
echo \
"[Unit]
Description=Run zenupdate unit daily @ 06:00:00 (UTC)

[Timer]
OnCalendar=*-*-* 06:00:00
Unit=zenupdate.service
Persistent=true

[Install]
WantedBy=timers.target" | sudo tee /lib/systemd/system/zenupdate.timer
sudo systemctl stop snap.certbot.renew.timer
sudo systemctl disable snap.certbot.renew.timer
sudo systemctl start zenupdate.service
sudo systemctl status zenupdate.service
sudo systemctl start zenupdate.timer
sudo systemctl enable zenupdate.timer
sudo systemctl status zenupdate.timer
sudo systemctl list-timers

	Description	Command
1	Create a zenupdate.service unit file to run certbot renewal with a --deploy-hook to restart zend if the certificate is renewed The reasoning behind creating a custom renewal service and timer is to prevent an update to certbot overwriting its own default service and timer units when updating the system, copy and paste the entire block of text	echo \ "[Unit] Description=zenupdate.service [Service] Type=oneshot ExecStart=$(which certbot) -q renew --preferred-chain \"ISRG Root X1\" --key-type rsa --deploy-hook \"rm -rf /usr/local/share/ca-certificates/* && csplit -s -z -f /usr/local/share/ca-certificates/intermediate-cert- /etc/letsencrypt/live/$FQDN/chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%%02d.crt' && update-ca-certificates --fresh && systemctl restart zend\" PrivateTmp=true" \| sudo tee /lib/systemd/system/zenupdate.service
2	Create a zenupdate.timer unit, scheduled to run daily at 06:00 UTC, copy and paste the entire block of text	echo \ "[Unit] Description=Run zenupdate unit daily @ 06:00:00 (UTC) [Timer] OnCalendar=--* 06:00:00 Unit=zenupdate.service Persistent=true [Install] WantedBy=timers.target" \| sudo tee /lib/systemd/system/zenupdate.timer
3	Stop and disable the default certbot timer	sudo systemctl stop snap.certbot.renew.timer sudo systemctl disable snap.certbot.renew.timer
4	Test the zenupdate.service to ensure it works correctly	sudo systemctl start zenupdate.service
5	Check the service status, ensuring no failures are listed in the log output, exit the status command by pressing CTRL + c	sudo systemctl status zenupdate.service Example Output zenops@node01:~$ sudo systemctl status zenupdate.service ● zenupdate.service Loaded: loaded (/lib/systemd/system/zenupdate.service; static) Active: inactive (dead) since Thu 2018-06-14 00:07:32 CEST; 19s ago Jun 14 00:07:31 zsec01 systemd[1]: Starting zenupdate.service... Jun 14 00:07:32 zsec01 systemd[1]: Started zenupdate.service.
6	If the status checks are positive from step 7, start the zenupdate.timer and enable it	sudo systemctl start zenupdate.timer sudo systemctl enable zenupdate.timer
7	Check the timer status, specifically that it shows in an active (waiting) state, exit the status details by pressing CTRL + c	sudo systemctl status zenupdate.timer Example Output zenops@node01:~$ sudo systemctl status zenupdate.timer ● zenupdate.timer - Run zenupdate unit daily @ 06:00:00 (UTC) Loaded: loaded (/lib/systemd/system/zenupdate.timer; enabled) Active: active (waiting) since Wed 2018-06-13 19:45:01 CEST; 4h 36min ago Jun 13 19:45:01 node01 systemd[1]: Started Run zenupdate unit daily @ 06:00:00 (UTC).
8	Verify that the timer is enabled, you should see a row for zenupdate.timer, exit the listing with CTRL + c	sudo systemctl list-timers Example Output zenops@node01:~$ sudo systemctl list-timers NEXT.....................................................LEFT.......LAST..........................................................PASSED............................UNIT..........................................................ACTIVATES Thu 2018-06-14 05:39:15 CEST 11h left..Wed 2018-06-13 08:12:43 CEST....9h ago.............................apt-daily.timer.......................................apt-daily.service Thu 2018-06-14 06:00:00 CEST 12h left..n/a.............................................................n/a....................................zenupdate.timer...........................zenupdate.service Thu 2018-06-14 06:18:28 CEST 12h left..Wed 2018-06-13 06:48:03 CEST....10h ago..........................apt-daily-upgrade.timer.....................apt-daily-upgrade.service Thu 2018-06-14 17:32:10 CEST 23h left..Wed 2018-06-13 17:32:10 CEST....14min ago.....................systemd-tmpfiles-clean.timer..........systemd-tmpfiles-clean.service 4 timers listed. Pass --all to see loaded but inactive timers, too.

Horizen English

Part 9 - Configure Certificate Renewal

Part 10 of 11 - Configure Certificate Renewal

Part 11