* added read service (kavita)
* renamed script to match repo
bugs:
* chown keys after custom site scripts in case of pfx or other generation (this was not getting chowned before and breaking the site)
25 lines
802 B
Markdown
# ssl-update

Automation for Let's Encrypt certificate renewal with local, service-specific hooks.

Given a service, the script:

* start Let's Encrypt's certbot "manually" (manual mode with an HTTP challenge), obtaining the ownership-proof data
* turn up a custom nginx site that serves the proof
* log into the firewall and allow HTTP to the given service
* enable HTTP for the given service in nginx
* instruct Let's Encrypt to check the proof
* receive certs with a new expiration date
* disable HTTP for the service in nginx
* log into the firewall and block HTTP for the given service again
* perform service-specific hooks
  * jellyfin/plex: generate a PKCS#12 (.pfx) bundle and put it in the right place
* set permissions and ownership on the new keys (done after the hooks, so a freshly generated .pfx is covered too)
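The sequence above maps directly onto certbot's manual-mode hooks: `--manual-auth-hook` runs once the challenge data is known, `--manual-cleanup-hook` runs after validation, and `--deploy-hook` runs only when a new certificate was actually issued. The script below is an added example, not the ssl-update repo's own script (which is not shown on this page); it drives the whole procedure from one bash file that certbot calls back into. The hostnames, paths, firewall commands (`allow-http`/`block-http` over ssh), secret file names, the `/etc/<service>/cert.pfx` output location and the use of gpg-agent's passphrase cache to get a single prompt are all assumptions made for the example:

```shell
#!/usr/bin/env bash
# Added example, not the ssl-update repo's script. One file serves as the
# certbot auth, cleanup and deploy hook and as the entry point ("renew").
# Every host, path and remote command below is an assumption.
set -eu

# --- assumed local settings ------------------------------------------------
CHALLENGE_ROOT="${CHALLENGE_ROOT:-/var/www/acme}"      # docroot of the temporary nginx HTTP site
NGINX_HTTP_SITE="${NGINX_HTTP_SITE:-/etc/nginx/sites-available/acme-http}"
NGINX_ENABLED="${NGINX_ENABLED:-/etc/nginx/sites-enabled}"
FW_HOST="${FW_HOST:-firewall.internal}"               # hypothetical firewall admin host
FW_ALLOW_CMD="${FW_ALLOW_CMD:-allow-http}"            # hypothetical remote commands taking a domain
FW_BLOCK_CMD="${FW_BLOCK_CMD:-block-http}"
SECRETS_DIR="${SECRETS_DIR:-$HOME/.ssl-update/secrets}"

# Decrypt one GPG-encrypted secret file. Assumption: all secrets are encrypted
# to the same key, so gpg-agent caches the passphrase after the first prompt
# and the rest of the run needs no further interaction.
secret() { gpg --quiet --decrypt "$SECRETS_DIR/$1.gpg"; }

# Write the HTTP-01 challenge file certbot asks us to serve and print its path.
# $1 = challenge root, $2 = token, $3 = validation string (the "proof data").
write_challenge() {
  local dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s' "$3" > "$dir/$2"
  chmod 644 "$dir/$2"
  printf '%s\n' "$dir/$2"
}

# Remove the challenge file again once Let's Encrypt has checked it.
remove_challenge() { rm -f "$1/.well-known/acme-challenge/$2"; }

# Enable (on) or disable (off) the plain-HTTP nginx site used only during the challenge.
http_site() {
  if [ "$1" = on ]; then
    ln -sf "$NGINX_HTTP_SITE" "$NGINX_ENABLED/"
  else
    rm -f "$NGINX_ENABLED/$(basename "$NGINX_HTTP_SITE")"
  fi
  nginx -t && systemctl reload nginx
}

# Open (allow) or close (block) HTTP for this service on the firewall.
# CERTBOT_DOMAIN is exported by certbot for the auth and cleanup hooks.
firewall_http() {
  local cmd="$FW_BLOCK_CMD"
  [ "$1" = allow ] && cmd="$FW_ALLOW_CMD"
  ssh "$FW_HOST" "$cmd $CERTBOT_DOMAIN"
}

# Service-specific hook plus ownership fix. RENEWED_LINEAGE is exported by
# certbot for --deploy-hook and points at /etc/letsencrypt/live/<name>.
deploy() {
  local svc="$1" lineage="$RENEWED_LINEAGE" out
  case "$svc" in
    jellyfin|plex)
      out="/etc/$svc/cert.pfx"                       # assumed location
      openssl pkcs12 -export \
        -inkey "$lineage/privkey.pem" -in "$lineage/fullchain.pem" \
        -passout "pass:$(secret pfx-password)" -out "$out"
      ;;
    *) out="$lineage/privkey.pem" ;;
  esac
  # Ownership is set after the per-service hook, so a freshly generated
  # .pfx is covered as well as the PEM key.
  chown "$svc:$svc" "$out"
  chmod 600 "$out"
}

case "${1:-}" in
  auth)    write_challenge "$CHALLENGE_ROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" >/dev/null
           firewall_http allow
           http_site on ;;
  cleanup) http_site off
           firewall_http block
           remove_challenge "$CHALLENGE_ROOT" "$CERTBOT_TOKEN" ;;
  deploy)  deploy "$2" ;;
  renew)   # usage: ssl-update-hooks.sh renew <service> <domain>
           certbot certonly --manual --preferred-challenges http -d "$3" \
             --manual-auth-hook "$0 auth" \
             --manual-cleanup-hook "$0 cleanup" \
             --deploy-hook "$0 deploy $2" ;;
esac
```

Running `ssl-update-hooks.sh renew jellyfin jellyfin.example.org` (hypothetical names) performs the whole list in order: certbot computes the proof, the auth hook publishes it and opens HTTP, Let's Encrypt validates, the cleanup hook closes HTTP again, and the deploy hook builds the .pfx and fixes ownership only when a certificate was really renewed, which is the reason the chown sits after the service hook rather than before it.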

All secrets are GPG encrypted; a single passphrase prompt gives the script access to every secret it needs.

State:

* running for all services, no known bugs at this time