Renewal of a certificate obtained with certbot can be made to update Tigase XMPP Server automatically. Use the deploy hook below in one of two ways: either place it (made executable) in /etc/letsencrypt/renewal-hooks/deploy/, where certbot runs it after every successful renewal of any certificate, so restrict it with UPDATE_DOMAINS if the machine holds certificates that are not meant for Tigase; or pass it directly on the certbot command line with the --deploy-hook parameter. In the latter case certbot records the hook in the renewal configuration of that particular certificate, so it runs only for that certificate and it is not necessary to specify UPDATE_DOMAINS.
Note
Adjust the account credentials used for the deployment (USER, PASS, DOMAIN) as well as the paths to the Let's Encrypt CA certificates (ISRG Root X1, saved as isrgrootx1.pem, and Let's Encrypt Authority X3, saved as letsencryptauthorityx3.pem). Let's Encrypt replaces its intermediate certificates from time to time, so check that the CA files you concatenate are the ones that actually issued the renewed certificate; certbot also writes the current intermediate to chain.pem in the lineage directory. The request carries both the administrator password and the private key, so if Tigase's HTTP API is configured for TLS, point the URL in the script at https:// rather than plain http://.
#!/bin/bash
set -e

## Configuration START
USER="admin_username"
PASS="admin_password"
DOMAIN="my_domain.tld"
HOST=${DOMAIN}
# Optional allow-list of VHosts to update; leave unset to update every renewed domain.
#UPDATE_DOMAINS=(${DOMAIN})
# PORT=":8080"
# APIKEY="?api-key=mySecretKey"
LE_CERTS_PATH="/path/to/letsencrypt/CA/certificates/"
## Configuration END

fail_count=0

# certbot exports RENEWED_DOMAINS and RENEWED_LINEAGE to deploy hooks.
for domain in ${RENEWED_DOMAINS[@]}; do
    # A wildcard certificate "*.example.com" is installed on the VHost "example.com".
    if [[ $domain == "*."* ]]; then
        CERT_DOMAIN=${domain#*\*.}
    else
        CERT_DOMAIN=${domain}
    fi

    if [[ ! -z "${UPDATE_DOMAINS}" ]] ; then
        match=0
        for dn in "${UPDATE_DOMAINS[@]}"; do
            if [[ $dn = "$CERT_DOMAIN" ]]; then
                match=1
                break
            fi
        done
        if [[ $match = 0 ]]; then
            echo "Skipping updating ${domain} because it's not in the list of supported domains: ${UPDATE_DOMAINS[@]}"
            continue
        fi
    fi

    # Tigase expects certificate, private key and CA chain in a single PEM bundle.
    CERT=`cat "$RENEWED_LINEAGE/cert.pem" "$RENEWED_LINEAGE/privkey.pem" ${LE_CERTS_PATH}/isrgrootx1.pem ${LE_CERTS_PATH}/letsencryptauthorityx3.pem`

    REQUEST="
<command>
  <node>ssl-certificate-add</node>
  <fields>
    <item>
      <var>Certificate in PEM format</var>
      <value>${CERT}</value>
    </item>
    <item>
      <var>command-marker</var>
      <value>command-marker</value>
    </item>
    <item>
      <var>VHost</var>
      <value>${CERT_DOMAIN}</value>
    </item>
    <item>
      <var>Save to disk</var>
      <value>true</value>
    </item>
  </fields>
</command>"

    # Execute the ad-hoc command of the vhost-man component over the REST API.
    response=`curl -s -L -H "Content-Type: text/xml" -X POST http://${USER}%40${DOMAIN}:${PASS}@${HOST}${PORT}/rest/adhoc/vhost-man@${DOMAIN}${APIKEY} -d "${REQUEST}"`

    if [[ ! ${response} = *"loaded successfully"* ]] ; then
        echo -e "Server returned error while updating ${domain} certificate:\n ${response}"
        fail_count=$((${fail_count}+1))
    else
        echo "Correctly updated ${domain} certificate"
    fi
done

# Non-zero exit tells certbot how many domains failed to update.
exit ${fail_count}
Note
If you are not using a wildcard certificate, you have to provide a certificate for the main domain as well as certificates for the subdomains that match all components you want to expose (muc, pubsub, push, etc.).
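The hook above only runs when certbot actually renews something, which makes it awkward to test. The following is an added example, not Tigase's deploy hook: it re-implements the hook's individual steps (wildcard-to-VHost mapping, the UPDATE_DOMAINS filter, PEM bundle assembly, request construction and response check) as separate bash functions, so each can be exercised offline with constructed input before a real renewal reaches the server. The demo at the end uses a temporary directory with fake PEM files standing in for $RENEWED_LINEAGE and the CA files, and stops short of the curl call; the domain names and file names are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example (not Tigase's deploy hook): offline checks for the pieces the
# hook relies on. All paths and domain names are assumptions for the demo.
set -euo pipefail

# Map a certbot domain to the Tigase VHost it should be installed on.
# A wildcard "*.example.com" is installed on "example.com"; anything else is used as-is.
cert_domain_for() {
    local domain=$1
    if [[ $domain == "*."* ]]; then
        printf '%s\n' "${domain#\*.}"
    else
        printf '%s\n' "$domain"
    fi
}

# Return 0 if the VHost is in the (optional) allow-list. An empty list means
# "update everything", which is what you get with a per-certificate --deploy-hook.
in_update_list() {
    local vhost=$1; shift
    (( $# == 0 )) && return 0
    local dn
    for dn in "$@"; do
        [[ $dn == "$vhost" ]] && return 0
    done
    return 1
}

# Concatenate cert, private key and CA certificates, refusing to build a bundle
# that is missing a piece (a silent empty cat would push a broken PEM to the server).
build_bundle() {
    local lineage=$1; shift
    local f
    for f in "$lineage/cert.pem" "$lineage/privkey.pem" "$@"; do
        [[ -s $f ]] || { echo "missing or empty: $f" >&2; return 1; }
    done
    grep -q 'BEGIN CERTIFICATE' "$lineage/cert.pem" || return 1
    grep -q 'PRIVATE KEY' "$lineage/privkey.pem" || return 1
    cat "$lineage/cert.pem" "$lineage/privkey.pem" "$@"
}

# Build the ad-hoc command payload for vhost-man's ssl-certificate-add node.
build_request() {
    local vhost=$1 bundle=$2
    cat <<EOF
<command>
  <node>ssl-certificate-add</node>
  <fields>
    <item><var>Certificate in PEM format</var><value>${bundle}</value></item>
    <item><var>command-marker</var><value>command-marker</value></item>
    <item><var>VHost</var><value>${vhost}</value></item>
    <item><var>Save to disk</var><value>true</value></item>
  </fields>
</command>
EOF
}

# Tigase reports success with "loaded successfully" in the response body.
response_ok() {
    [[ $1 == *"loaded successfully"* ]]
}

# Offline dry run with constructed input (fake PEM data, not real keys).
demo() {
    local tmp; tmp=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...fake...\n-----END CERTIFICATE-----\n' > "$tmp/cert.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nMIIE...fake...\n-----END PRIVATE KEY-----\n' > "$tmp/privkey.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nroot...fake...\n-----END CERTIFICATE-----\n' > "$tmp/isrgrootx1.pem"
    local RENEWED_DOMAINS=("*.example.com" "other.example.net")
    local UPDATE_DOMAINS=("example.com")
    local domain vhost bundle request
    for domain in "${RENEWED_DOMAINS[@]}"; do
        vhost=$(cert_domain_for "$domain")
        in_update_list "$vhost" "${UPDATE_DOMAINS[@]}" || { echo "skip $domain (not in UPDATE_DOMAINS)"; continue; }
        bundle=$(build_bundle "$tmp" "$tmp/isrgrootx1.pem")
        request=$(build_request "$vhost" "$bundle")
        echo "would POST ssl-certificate-add for VHost $vhost ($(wc -c <<<"$request") bytes)"
    done
    rm -rf "$tmp"
}

demo
```

To exercise the real hook the same way, export RENEWED_DOMAINS and RENEWED_LINEAGE by hand (pointing the latter at a directory that holds cert.pem and privkey.pem) and run the script against a test server; a non-zero exit code then tells you how many VHosts were rejected.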