
cron jobs for let's encrypt ssl renewal with mongod on nginx

I've got a parse-server up and running on DigitalOcean following this guide. When configuring MongoDB for migration you execute this command:

sudo cat /etc/letsencrypt/archive/domain_name/{fullchain1.pem,privkey1.pem} | sudo tee /etc/ssl/mongo.pem

After that the tutorial says:

You will have to repeat the above command after renewing your Let's Encrypt certificate. If you configure auto-renewal of the Let's Encrypt certificate, remember to include this operation.

In order to do this I added a cronjob to my let's encrypt cronjobs like this:

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
33 2 * * 1 cat /etc/letsencrypt/archive/DOMAIN/{fullchain1.pem,privkey1.pem} | tee /etc/ssl/mongo.pem
35 2 * * 1 /etc/init.d/nginx reload

However, after restarting the server on a Monday, mongod wouldn't start because it couldn't find/read /etc/ssl/mongo.pem.

How do I set this up correctly? Do I need to chown/chmod the file in another cronjob?

Thanks for your help!

I ran into a problem with the script above. Unfortunately Let's Encrypt doesn't overwrite fullchain and privkey but adds new versions when the certificate is due to renew: fullchain2.pem, privkey2.pem

So I had to alter the script accordingly. I also put the renew and nginx part inside so we need only one cronjob:

#!/bin/bash

# stop nginx
/etc/init.d/nginx stop

# check for new cert
/opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log

# combine latest letsencrypt files for mongo

# find latest fullchain*.pem (in live/ this matches the fullchain.pem symlink,
# which always points at the newest archive version; in archive/ the -v sort
# would pick the highest fullchainN.pem)
newestFull=$(ls -v /etc/letsencrypt/live/DOMAIN/fullchain*.pem | tail -n 1)
echo "$newestFull"

# find latest privkey*.pem
newestPriv=$(ls -v /etc/letsencrypt/live/DOMAIN/privkey*.pem | tail -n 1)
echo "$newestPriv"

# combine to mongo.pem: write under a restrictive umask so the private key is
# never world-readable, and redirect instead of tee so the key does not end up
# in cron's mail (brace expansion around variables was also the wrong tool here)
umask 077
cat "$newestFull" "$newestPriv" > /etc/ssl/mongo.pem

# set rights for mongo.pem
chmod 600 /etc/ssl/mongo.pem
chown mongodb:mongodb /etc/ssl/mongo.pem

# restart mongo
/sbin/restart mongod

# start nginx
/etc/init.d/nginx start
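A tighter version of the same renewal script, written here as an added example and not code from the thread: it reads certbot's live/ symlinks (which always resolve to the newest archive files, so no fullchainN.pem numbering is needed), checks that the inputs look like a certificate chain and a private key, writes the bundle atomically under a 077 umask, and only restarts mongod when the bundle actually changed. The script name renew-mongo.sh and the "run" argument are assumptions; the paths, the DOMAIN placeholder and the mongodb:mongodb owner are the ones from the thread.

```shell
#!/bin/bash
# Build the mongod bundle from certbot's live/ symlinks, which always point
# at the newest archive version, so no fullchainN.pem numbering is needed.
# The file is written atomically under a 077 umask (never world-readable),
# and the caller is told whether it changed, so mongod is only restarted
# after a real renewal.

# build_mongo_pem LIVE_DIR DEST [OWNER]  -> prints "changed" or "unchanged"
build_mongo_pem() {
  local live_dir="$1" dest="$2" owner="${3:-}"
  local full="$live_dir/fullchain.pem" key="$live_dir/privkey.pem" tmp

  # Refuse to assemble a bundle from inputs that are not what we expect.
  grep -q 'BEGIN CERTIFICATE' "$full" 2>/dev/null || { echo "bad chain: $full" >&2; return 1; }
  grep -q 'PRIVATE KEY' "$key" 2>/dev/null || { echo "bad key: $key" >&2; return 1; }

  # Temp file in the destination directory so the final mv is atomic.
  umask 077
  tmp=$(mktemp "$(dirname "$dest")/mongo.pem.XXXXXX") || return 1
  cat "$full" "$key" > "$tmp" || { rm -f "$tmp"; return 1; }
  chmod 600 "$tmp"
  if [ -n "$owner" ]; then chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }; fi

  if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
    rm -f "$tmp"
    echo unchanged
  else
    mv -f "$tmp" "$dest" || return 1
    echo changed
  fi
}

# Cron entry point (assumed name): run as "/root/renew-mongo.sh run" from a
# single root cron line; paths, DOMAIN and mongodb:mongodb are from the thread.
main() {
  /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log 2>&1
  state=$(build_mongo_pem /etc/letsencrypt/live/DOMAIN /etc/ssl/mongo.pem mongodb:mongodb) || exit 1
  if [ "$state" = changed ]; then /sbin/restart mongod; fi
  /etc/init.d/nginx reload
}

if [ "${1:-}" = run ]; then main; fi
```

One cron line such as `30 2 * * 1 /root/renew-mongo.sh run` then replaces the three separate entries, and nginx never has to be stopped while the certificate is renewed.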

Ok, so here is what I ended up with. I wrote a little script:

#!/bin/bash

# combine letsencrypt files for mongo (note: after a renewal letsencrypt adds
# fullchain2.pem / privkey2.pem instead of overwriting these, see the other answer)
# write under a restrictive umask and redirect instead of tee so the private
# key is neither world-readable nor echoed into cron's mail
umask 077
cat /etc/letsencrypt/archive/DOMAIN/{fullchain1.pem,privkey1.pem} > /etc/ssl/mongo.pem

# set rights for mongo.pem
chmod 600 /etc/ssl/mongo.pem
chown mongodb:mongodb /etc/ssl/mongo.pem

# restart mongo
/sbin/restart mongod

and fire it with a cron job:

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
33 2 * * 1 /bin/bash /root/myScript
35 2 * * 1 /etc/init.d/nginx reload

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM