From 03d7057ee18a0d1e59b33bf1633ee246c1cf908a Mon Sep 17 00:00:00 2001 From: 2e0byo <2e0byo@gmail.com> Date: Sat, 18 Mar 2023 04:14:18 +0000 Subject: [PATCH] doc: notes on updating certificates and restarting. (#2067) The first paragraph is lifted from #1122 Closes #1122. --- docs/TLS-Certificates.rst | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/docs/TLS-Certificates.rst b/docs/TLS-Certificates.rst index 5822fadb3..e734884eb 100644 --- a/docs/TLS-Certificates.rst +++ b/docs/TLS-Certificates.rst @@ -488,3 +488,32 @@ fit your system .. this works for Ubuntu): Verify return code: 0 (ok) --- ^C + +Updating Certificates +===================== + +After updating Crossbar.io TLS server certificates and/or keys, you must restart +Crossbar.io for the new certificates/keys to take effect. The certificates/keys +are cached when loading the first time, and hence without restarting +Crossbar.io, the old certificates/keys would still be used despite the new ones +already being stored on disk. + +Updating LetsEncrypt with certbot +--------------------------------- + +Once you have configured LetsEncrypt, you can periodically run `certbot +`_ to update your certificates. You may wish to +restart Crossbar.io if a new certificate is generated. Certbot has a +`--deploy-hook` which is run once for every generated certificate, with the +domains in `$RENEWED_DOMAINS`. Thus you can create something like + +.. code:: bash + + #!/bin/bash + if [[ "$RENEWED_DOMAINS" =~ "wamp.my.domain" ]]; then + systemctl restart crossbar # or however your router is run + echo "restarted server" > /tmp/log + fi + +And then pass it to certbot, e.g. by running `systemctl edit certbot` and adding +`--deploy-hook=/path/to/restart.sh`.
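Review bot: the test `if [[ "$RENEWED_DOMAINS" =~ "wamp.my.domain" ]]; then` in the deploy-hook example is an unanchored substring match (a quoted right-hand side to `=~` is taken literally, but the match may occur anywhere in the string), so a renewal for `wamp.my.domain.example` or `xwamp.my.domain` would also restart the router; since `$RENEWED_DOMAINS` is space-separated, match a whole token instead, e.g. `if [[ " $RENEWED_DOMAINS " == *" wamp.my.domain "* ]]; then`. The line `echo "restarted server" > /tmp/log` overwrites a fixed, predictable path in world-writable `/tmp` from a hook that typically runs as root, which both loses the history of previous restarts and invites the usual shared-tmp symlink problems; `logger -t certbot-deploy "restarted crossbar"` (or appending to a file under `/var/log`) is the safer suggestion to put in the docs. Also, in reStructuredText the single-backtick `--deploy-hook`, `$RENEWED_DOMAINS`, `systemctl edit certbot` and `--deploy-hook=/path/to/restart.sh` render as interpreted text (italics), not as literals; use double backticks for these, and the `certbot` link target looks empty in the hunk as shown and should carry the URL.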