Part 9 - Configure Certificate Renewal
- Create zenupdate service and timer units, adding a hook to restart zend when the certificate is renewed
- Stop & disable the default certbot timer
- Start the zenupdate.service
- Check the status of the service
- Start & enable the zenupdate.timer
- Check the status of the timer and list system timers
1. Create a zenupdate.service unit file that runs the certbot renewal with a --deploy-hook to restart zend if the certificate is renewed. The reason for creating a custom renewal service and timer is to prevent a certbot update from overwriting its own default service and timer units when the system is updated. Note that `$(which certbot)` and `$FQDN` are expanded by the shell when the echo runs, so FQDN must still be set in the current session. Copy and paste the entire block of text:

```bash
echo \
"[Unit]
Description=zenupdate.service
[Service]
Type=oneshot
ExecStart=$(which certbot) -q renew --preferred-chain \"ISRG Root X1\" --key-type rsa --deploy-hook \"rm -rf /usr/local/share/ca-certificates/* && csplit -s -z -f /usr/local/share/ca-certificates/intermediate-cert- /etc/letsencrypt/live/$FQDN/chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%%02d.crt' && update-ca-certificates --fresh && systemctl restart zend\"
PrivateTmp=true" | sudo tee /lib/systemd/system/zenupdate.service
```

2. Create a zenupdate.timer unit, scheduled to run daily at 06:00 UTC. Copy and paste the entire block of text:

```bash
echo \
"[Unit]
Description=Run zenupdate unit daily @ 06:00:00 (UTC)
[Timer]
OnCalendar=*-*-* 06:00:00
Unit=zenupdate.service
Persistent=true
[Install]
WantedBy=timers.target" | sudo tee /lib/systemd/system/zenupdate.timer
```

3. Stop and disable the default certbot timer:

```bash
sudo systemctl stop snap.certbot.renew.timer
sudo systemctl disable snap.certbot.renew.timer
```

4. Test the zenupdate.service to ensure it runs correctly:

```bash
sudo systemctl start zenupdate.service
```

5. Check the service status, ensuring no failures are listed in the log output. Exit the status command by pressing CTRL + c:

```bash
sudo systemctl status zenupdate.service
```

6. If the status checks from step 5 are positive, start the zenupdate.timer and enable it:

```bash
sudo systemctl start zenupdate.timer
sudo systemctl enable zenupdate.timer
```

7. Check the timer status, specifically that it shows an active (waiting) state. Exit the status details by pressing CTRL + c:

```bash
sudo systemctl status zenupdate.timer
```

8. Verify that the timer is enabled; you should see a row for zenupdate.timer. Exit the listing with CTRL + c:

```bash
sudo systemctl list-timers
```
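The deploy hook above only runs after a real renewal succeeds, so its chain-splitting step is hard to check ahead of time. The following script is an added example, not part of the original guide: it runs the same csplit invocation against a constructed two-certificate chain in a temporary directory and verifies the result, without touching /usr/local/share/ca-certificates. The certificate bodies are dummies, and `%02d` is used directly because systemd's `%%` escaping applies only inside the unit file.

```shell
#!/bin/sh
# Added example (not from the original guide): exercise the chain-splitting
# step of the zenupdate deploy hook on a constructed chain in a temp dir.
set -eu

# Constructed sample chain: two placeholder "certificates" carrying the PEM
# markers the hook splits on. The bodies are dummies, not real certificates.
make_sample_chain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleintermediateone
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsampleintermediatetwo
-----END CERTIFICATE-----
EOF
}

# Same csplit invocation as the deploy hook, parameterised on chain file and
# output directory. -z drops the empty leading piece. Prints the file count.
split_chain() {
    chain="$1"; outdir="$2"
    mkdir -p "$outdir"
    rm -f "$outdir"/intermediate-cert-*.crt
    csplit -s -z -f "$outdir/intermediate-cert-" "$chain" \
        '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%02d.crt'
    ls "$outdir"/intermediate-cert-*.crt | wc -l | tr -d ' '
}

# Check a split: the file count equals the number of certificates in the
# source chain, and each file holds exactly one BEGIN/END pair.
verify_split() {
    chain="$1"; outdir="$2"
    expected=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain")
    actual=$(ls "$outdir"/intermediate-cert-*.crt | wc -l | tr -d ' ')
    [ "$expected" -eq "$actual" ] || return 1
    for f in "$outdir"/intermediate-cert-*.crt; do
        [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ] || return 1
        [ "$(grep -c -- '-----END CERTIFICATE-----' "$f")" -eq 1 ] || return 1
    done
    return 0
}

tmp=$(mktemp -d)
make_sample_chain "$tmp/chain.pem"
echo "certificates written: $(split_chain "$tmp/chain.pem" "$tmp/ca")"
verify_split "$tmp/chain.pem" "$tmp/ca" && echo "split OK"
```

To test against the real chain instead, point split_chain at /etc/letsencrypt/live/$FQDN/chain.pem with a scratch output directory.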