couchdb-user mailing list archives

From Erik Verheul <t...@verheulconsultants.nl>
Subject Re: letsencrypt SSL certs break when updated
Date Sun, 25 Oct 2020 09:15:44 GMT
I solved this problem recently for my app https://github.com/ErikVerheul/OneBacklog
automatic certificate renewal

Let's Encrypt renews your certificate every 3 months. CouchDB cannot access the renewed certificates
directly.
Create your SSL install directory /opt/couchdb/letsencrypt and add a script to copy these
certificates automatically on renewal in the folder
/etc/letsencrypt/renewal-hooks/post that Let's Encrypt created for you:

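#!/bin/bash
# Name this script copyCertsForCouchdb.sh or any other name
# Make this file executable with sudo chmod +x < this file name >
# Copy the renewed certificates, following the symlinks in live/ (-L), into the CouchDB directory
cp -rfL /etc/letsencrypt/live/ /opt/couchdb/letsencrypt
# Give the couchdb user ownership of the copies so CouchDB can read them
chown -R couchdb:couchdb /opt/couchdb/letsencrypt/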

success,
Erik

On 23/10/2020 21:48, Bill Stephenson wrote:
> A while back I’d mentioned I was having a problem with letsencrypt certs not working after being auto-updated.
> 
> This happened again yesterday and the issue is caused by the certs' ownership settings.
> 
> My CouchDB is installed on a DigitalOcean VPS running Ubuntu 16.04
> 
> You can see the difference between the old and new certs below:
> 
> 	-rw-r--r-- 1 couchdb root 1903 Jul 23 22:12 cert6.pem
> 	-rw-r--r-- 1 root    root 1903 Oct 22 18:10 cert7.pem
> 
> 	-rw-r--r-- 1 couchdb root 1647 Jul 23 22:12 chain6.pem
> 	-rw-r--r-- 1 root    root 1647 Oct 22 18:10 chain7.pem
> 
> 	-rw-r--r-- 1 couchdb root 3550 Jul 23 22:12 fullchain6.pem
> 	-rw-r--r-- 1 root    root 3550 Oct 22 18:10 fullchain7.pem
> 
> 	-rw------- 1 couchdb root 1708 Jul 23 22:12 privkey6.pem
> 	-rw------- 1 root    root 1708 Oct 22 18:10 privkey7.pem
> 
> 
> After the letsencrypt update the new certs' ownership needs to be reset like so:
> 
> 	sudo chown couchdb:root /opt/couchdb/letsencrypt/archive/cherrypc.com/cert7.pem
> 
> And should look something like this:
> 
> 	-rw-r--r-- 1 couchdb root 1903 Oct 22 18:10 cert7.pem
> 
> 	-rw-r--r-- 1 couchdb root 1647 Oct 22 18:10 chain7.pem
> 
> 	-rw-r--r-- 1 couchdb root 3550 Oct 22 18:10 fullchain7.pem
> 
> 	-rw------- 1 couchdb root 1708 Oct 22 18:10 privkey7.pem
> 
> 
> ( Hopefully sharing this here will help me remember this 3 months from now :D )
> 
> --
> 
> Kindest Regards,
> 
> Bill Stephenson
> 
> 
> 
> 
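
Added example, not part of either poster's message: a check to run after the renewal hook, confirming that every copied .pem under the CouchDB certificate directory is owned by the service account and that no private key is readable by group or others. The function name audit_cert_dir, its output format and the example.test paths are constructed for illustration; it assumes GNU stat, as on the Ubuntu system in the thread.

```shell
#!/bin/bash
# Added example (not from the thread): audit copied certificates after a renewal.
# Usage: audit_cert_dir DIR OWNER
# Prints one line per problem. Returns 0 only when every *.pem under DIR is
# owned by OWNER and no private key has group/other permission bits set.
audit_cert_dir() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir is not a directory"
        return 2
    fi
    findings=$(
        # -L: live/ holds symlinks into archive/, so follow them to the real files.
        find -L "$dir" -type f -name '*.pem' | sort | while IFS= read -r f; do
            file_owner=$(stat -L -c '%U' "$f")   # GNU stat: owner name
            mode=$(stat -L -c '%a' "$f")         # GNU stat: octal mode, e.g. 600
            if [ "$file_owner" != "$owner" ]; then
                echo "OWNER  $f is owned by $file_owner, expected $owner"
            fi
            case ${f##*/} in
                privkey*)
                    # Any group/other bit on a private key is a finding.
                    if [ $(( 0$mode & 077 )) -ne 0 ]; then
                        echo "MODE   $f has mode $mode, expected 600 or stricter"
                    fi
                    ;;
            esac
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed demo: a copied private key left world-readable (mode 644).
demo=$(mktemp -d)
mkdir -p "$demo/live/example.test"
: > "$demo/live/example.test/fullchain.pem"
: > "$demo/live/example.test/privkey.pem"
chmod 644 "$demo/live/example.test/fullchain.pem" "$demo/live/example.test/privkey.pem"
audit_cert_dir "$demo" "$(id -un)" || echo "audit reported problems"
rm -rf "$demo"
```

On the server discussed above the call would be audit_cert_dir /opt/couchdb/letsencrypt couchdb, run as the last line of the hook script or from cron.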
