mongod requires a certificateKeyFile that is a combination of a certificate and a private key.
certbot manages quarterly renewals of TLS certificates that cannot be valid for more than 3 months. The result of a successful certbot renewal run is the creation of new certificate files that can be accessed by some symlinks (that it also manages) at /etc/letsencrypt/live/$(hostname -f).
Is there a way to create a symlink, named pipe or loop device containing the output of:
cat /etc/letsencrypt/live/$(hostname -f)/{fullchain,privkey}.pem
I don't want to create an actual file containing the result of the concatenation, because that would have to be updated every time certbot extends the cert validity, and mongod would be broken for any period of time between certbot making updates and some automation creating a new concatenation containing the certs in the format expected by mongod.
One solution that comes to mind is using a systemd dependency chain to restart mongod after certbot updates the certs and an ExecStartPre on the mongod.service unit to create the concatenated certificateKeyFile. But I wouldn't need any of that if there was a way to create some sort of dynamic representation of the concatenation of the files needed.
Any ideas?
If certificate files are in place before any daemons that use them are reloaded, it should work. At least on most POSIX operating systems. Although check the order of your hook scripts, and test the process overall. Any window before automation fixes the concatenated cert might be seconds long.
My simple hook /etc/letsencrypt/renewal-hooks/deploy/fullchain.sh just concatenates every live key+chain, and stores it in live. On this particular box I've chosen to have the certbot renewal in charge of reloading daemons, because it knows when the renewal happens for real. Not the systemd unit.
/etc/letsencrypt/renewal-hooks/deploy/web.sh is also incredibly simple:
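Added here as an illustration of the deploy-hook approach from the answer above; this is example code, not the poster's fullchain.sh or web.sh. It assumes the standard certbot layout (/etc/letsencrypt/live/<name>/{fullchain,privkey}.pem), that certbot exports RENEWED_LINEAGE to deploy hooks (it does), that mongod runs under systemd as the `mongodb` user (the account name and the output path /etc/ssl/mongod/mongod.pem are assumptions; adjust for your distribution), and that the output directory is on the same filesystem as the temp file so the final rename is atomic. The point it adds to the answer is that writing to a temp file, fixing the mode to 0600 before any key material lands, and then renaming over the target means mongod never observes a half-written or world-readable certificateKeyFile, which closes the window the question worries about down to the restart itself.

```shell
#!/bin/sh
# Example certbot deploy hook (added illustration, not the poster's script):
# build mongod's certificateKeyFile atomically from a renewed lineage.
# Assumed paths/accounts: /etc/ssl/mongod/mongod.pem, user mongodb:mongodb.
set -eu

# Concatenate fullchain + privkey into a temp file next to the target, fix
# mode/ownership while it is still private, then rename it over the target.
# Usage: build_certkeyfile <lineage dir> <output path> [owner[:group]]
build_certkeyfile() {
    lineage=$1
    out=$2
    owner=${3:-}
    # mktemp creates the file 0600 regardless of umask; keep it that way.
    tmp=$(mktemp "$(dirname "$out")/.certkey.XXXXXX")
    chmod 600 "$tmp"
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp"
    fi
    # rename(2) is atomic on the same filesystem: readers see old or new, never partial.
    mv -f "$tmp" "$out"
}

# Sanity check before restarting anything: exactly one private key, at least
# one certificate, and mode 0600. Returns 0 when the file looks usable.
check_certkeyfile() {
    f=$1
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$f" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ] && [ "$mode" = "600" ]
}

# certbot sets RENEWED_LINEAGE only when invoking a deploy hook after a real
# renewal, so the restart happens exactly when the certificate changes.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_certkeyfile "$RENEWED_LINEAGE" /etc/ssl/mongod/mongod.pem mongodb:mongodb
    check_certkeyfile /etc/ssl/mongod/mongod.pem
    systemctl restart mongod
fi
```

Drop it into /etc/letsencrypt/renewal-hooks/deploy/ and make it executable; certbot runs everything in that directory after a successful renewal, so no systemd dependency chain is needed. If you prefer a reload over a restart, mongod supports re-reading certificates via the `rotateCertificates` command on recent versions, but the file-building logic is the same.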