Own thinger.io server + Letsencrypt symlinks = no way


#1

Did anybody successfully try to use the thinger.io server on their own hardware while using Let’s Encrypt keys? I have no luck connecting in any way with symlinks - either pointing config.json to the /etc/letsencrypt/live/xxx symlink files, or making new symlinks in /var/snap/thinger-maker-server/common/certificates and pointing the config to them. However, when I copy the actual .pem keys from Let’s Encrypt’s /archive into /var/snap/thinger-maker-server/common/certificates and point the config there, everything works flawlessly, so the keys themselves are OK. Has anybody had any success with that?
Thanks!


#2

Hi @Tomas, I think that the problem lies in Snap’s security: the server installation is sandboxed from the rest of the operating system, so the server cannot open an external file that is outside the snap folder.

I recommend you create a simple script, executed periodically (by cron), that updates the certificates inside the snap folder. Then it should be easy to restart the instance so the updated certificates take effect. Please, if you write such a script, share it with us! :slight_smile:

Best.


#3

Hi @alvarolb, I’m a Linux rookie, but this seems to me to be a working procedure.

So first run

crontab -e

then make sure your crontab looks just like this

# both lines need root: letsencrypt must read /etc/letsencrypt and the snap
# directory is owned by root, so put them in root's crontab (sudo crontab -e)
# 01:00 daily: letsencrypt only really renews when the certificate is due
0 1 * * * /usr/bin/letsencrypt renew > /dev/null 2>&1
# 01:05 daily: copy the real files, -L follows the live/ symlinks into archive/
5 1 * * * cp -Lr /etc/letsencrypt/live/your_domain.com/* /var/snap/thinger-maker-server/common/certificates/

and then make sure to restart the server after updating the SSL keys with

sudo service snap.thinger-maker-server.thingerd restart


#4

Nice, thanks for sharing @Tomas. You can even add a cron job as the root user to restart the server instance.

Just use: sudo crontab -e

and add a line like this (it runs the restart one minute after the certificate update):

# 01:06 daily: restart so the server loads the freshly copied certificates
6 1 * * * service snap.thinger-maker-server.thingerd restart

It should work! However, restarting the server and updating certificates every day seems unnecessary. If I remember correctly, those certificates are valid for 3 months, aren’t they?

Best.


#5

That’s correct. Three months. However, the above procedure of trying to renew every day is generally suggested, as the letsencrypt app itself decides whether it is time to ask the Let’s Encrypt servers to issue a new certificate or not yet. So basically one doesn’t know whether the renewal procedure received a new certificate or was not fired because of the remaining certificate validity. I don’t think copying the certificates every day is wrong, but I surely agree that restarting the server every day is totally unnecessary.

In theory this would need some service bound either to the success of the letsencrypt renewal procedure, or to use inotify tools and check for changes in letsencrypt’s /archive/ directory, where new certificates are stored. This is a bit beyond my knowledge to put a script together, sorry :frowning:

Edit: Here is a description of the way that should work. It keeps watching whether a new certificate appeared (after a successful renewal) and, if so, copies it and then restarts the service:
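The "bound to the success of the renewal" approach from #5 is exactly what certbot's deploy hooks give you, and it also removes the daily copy and restart from #3 and #4. The script below is an added example, not code from this thread or from thinger.io: a POSIX sh deploy hook that copies the renewed files into the snap's certificate directory and restarts the service only when a file really changed. It assumes a certbot version that runs the executables in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal with RENEWED_LINEAGE set to the live/<domain> directory (the thread's `letsencrypt` command is the older name of the same client), and it takes the certificate directory and service name from the posts above; CERT_DIR, SERVICE and copy_certs are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread or thinger.io): a certbot deploy hook.
# Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ only
# after a renewal actually produced a new certificate, with RENEWED_LINEAGE set
# to the live/<domain> directory. So the copy and restart happen exactly when a
# new certificate exists, never on the days "renew" decided nothing was due.
# Install as /etc/letsencrypt/renewal-hooks/deploy/thinger.sh and chmod 755 it.
# Paths and service name are assumed from the thread above.
CERT_DIR="${CERT_DIR:-/var/snap/thinger-maker-server/common/certificates}"
SERVICE="${SERVICE:-snap.thinger-maker-server.thingerd}"

# copy_certs SRC DST: copy the PEM files from SRC into DST, dereferencing the
# live/ symlinks (cp -L) so the sandboxed snap gets real files it can open.
# Byte-identical files are left alone. Returns 0 if anything changed and
# 1 if DST was already current, so the caller can skip the restart.
copy_certs() {
    src="$1"
    dst="$2"
    changed=1
    mkdir -p "$dst"
    for f in privkey.pem fullchain.pem cert.pem chain.pem; do
        [ -e "$src/$f" ] || continue
        if cmp -s "$src/$f" "$dst/$f"; then
            continue
        fi
        # write under a temporary name and rename, so the server never reads
        # a half-written certificate if it happens to start during the copy
        cp -L "$src/$f" "$dst/$f.tmp"
        mv "$dst/$f.tmp" "$dst/$f"
        if [ "$f" = privkey.pem ]; then
            chmod 600 "$dst/$f"   # private key: root (the snap daemon) only
        fi
        changed=0
    done
    return "$changed"
}

# Only act when certbot invoked us after a real renewal. Running the script by
# hand, or sourcing it, without RENEWED_LINEAGE does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if copy_certs "$RENEWED_LINEAGE" "$CERT_DIR"; then
        service "$SERVICE" restart
    fi
fi
```

With this hook in place the cron setup from #3 shrinks to the `renew` line alone (many distribution packages of certbot already ship a daily timer for it), and the restart in #4 is no longer needed, because the service is only restarted on the day a new certificate actually lands.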