le_notif.sh Add le_notif.sh 2026-02-11 16:24:09 +00:00
README.md Update README.md 2026-02-14 11:26:32 +00:00

Save the deploy-hook script:

vim /etc/letsencrypt/renewal-hooks/deploy/sync-to-passive.sh

Make executable:

chmod +x /etc/letsencrypt/renewal-hooks/deploy/sync-to-passive.sh

Add the user:

useradd -r -s /bin/bash -m certbot

Configure SSH Key auth:

ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519_certbot -N ""
ssh-copy-id -i /root/.ssh/id_ed25519_certbot certbot@tywaf12.firstderivatives.com

Create the log directory and log file:

mkdir -p /var/log/letsencrypt
touch /var/log/letsencrypt/sync.log

Put in place the sudo rules:

vim /etc/sudoers.d/certbot


# Allow certbot user to sync certificates and reload web server without password
# Note: an unrestricted rsync rule lets this account write any path as root,
# so keep its SSH key confined to the primary's root account.
certbot ALL=(ALL) NOPASSWD: /usr/bin/rsync
certbot ALL=(ALL) NOPASSWD: /bin/systemctl reload nginx

Add ssh config for the Primary:

tee -a /root/.ssh/config << EOF
Host passive-certbot
    HostName tywaf12.firstderivatives.com
    User certbot
    IdentityFile /root/.ssh/id_ed25519_certbot
EOF

Testing:

ssh certbot@tywaf12.firstderivatives.com 'sudo rsync --version'
ssh certbot@tywaf12.firstderivatives.com 'sudo systemctl reload nginx'
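The deploy hook itself is not shown above. The script below is an added example (not the repository's own sync-to-passive.sh or le_notif.sh) that ties the pieces above together: the passive-certbot Host alias, the sudo rules on the passive node, and /var/log/letsencrypt/sync.log. It assumes certbot's RENEWED_LINEAGE and RENEWED_DOMAINS hook variables and that the lineage name is the same on both nodes.

```shell
#!/bin/bash
# sync-to-passive.sh: certbot deploy hook that copies a renewed lineage to the
# passive node and reloads nginx there. Added example, not the repo's own script.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS when it runs a deploy hook.
set -eu

PASSIVE_HOST="${PASSIVE_HOST:-passive-certbot}"      # Host alias in /root/.ssh/config
LOG_FILE="${LOG_FILE:-/var/log/letsencrypt/sync.log}"
LE_ROOT="/etc/letsencrypt"

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"
}

# Derive the lineage name and refuse anything outside live/, so a malformed
# environment cannot make the hook ship arbitrary paths.
lineage_name() {
    case "$1" in
        "$LE_ROOT"/live/*) basename "$1" ;;
        *) return 1 ;;
    esac
}

# Source list for rsync -R: the /./ marker keeps the part after it relative, so
# archive/, live/ and renewal/ land in the same tree on the passive node and the
# symlinks in live/ (copied as symlinks by -a) stay valid there.
rsync_sources() {
    name=$(lineage_name "$1") || return 1
    printf '%s\n' "$LE_ROOT/./archive/$name" "$LE_ROOT/./live/$name" \
                  "$LE_ROOT/./renewal/$name.conf"
}

sync_lineage() {
    srcs=$(rsync_sources "$1") || return 1
    set -- $srcs   # lineage names contain no whitespace
    # --rsync-path runs the remote side under the NOPASSWD rsync rule in /etc/sudoers.d/certbot
    rsync -aR --delete --rsync-path="sudo rsync" "$@" "$PASSIVE_HOST:$LE_ROOT/"
    ssh "$PASSIVE_HOST" 'sudo systemctl reload nginx'
}
# Only act when certbot is calling us as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if sync_lineage "$RENEWED_LINEAGE"; then
        log "synced $RENEWED_LINEAGE (${RENEWED_DOMAINS:-}) to $PASSIVE_HOST"
    else
        log "FAILED: $RENEWED_LINEAGE not synced to $PASSIVE_HOST"
        exit 1
    fi
fi
```

Run it once by hand with `RENEWED_LINEAGE=/etc/letsencrypt/live/<name> ./sync-to-passive.sh` before relying on the renewal timer, and check sync.log for the result line.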