Difference between revisions of "Automatic SSL Certificate Renewal"

From IVS Wiki
Jump to: navigation, search
(Created page with "{{Article - Manual | content = <h2>Summary</h2> As of version 6.5, VALT has the capability of automatically applying renewed certificates to help combat the shortened certifi...")
 
Line 28: Line 28:
 
</ol>
 
</ol>
  
<h3><center>Execution Frequency Logic</center></h3>
+
{{hr}}
 +
 
 +
<h2><center>Execution Frequency Options</center></h2>
 
<table class="wikitable">
 
<table class="wikitable">
 
   <tr>
 
   <tr>
 
     <th style="width:90px">Execution Frequency</th>
 
     <th style="width:90px">Execution Frequency</th>
    <th style="width:250px">Required Variables</th>
 
 
     <th>What happens?</th>
 
     <th>What happens?</th>
 
   </tr>
 
   </tr>
 
   <tr>
 
   <tr>
     <td><code>instant</code></td>
+
     <td><code><b>instant</b></code></td>
    <td>No other variables required</td>
+
     <td>Executes the renewal script <b>immediately.</b></td>
     <td>Executes the <code>/usr/local/valt/bin/SSLRenewer.bash</code> script immediately.</td>
 
 
   </tr>
 
   </tr>
 
   <tr>
 
   <tr>
     <td><code>scheduled</code></td>
+
     <td><code><b>scheduled</b></code></td>
    <td><code>SCHEDULED_EXECUTION_DATETIME</code></td>
+
     <td>Creates a one-time cronjob <b>based on the specified date and time.</b> The cronjob deletes itself after a single execution.</td>
     <td>Creates a one-time cronjob based on <b>SCHEDULED_EXECUTION_DATETIME</b>. The cronjob deletes itself after a single execution.</td>
 
 
   </tr>
 
   </tr>
 
   <tr>
 
   <tr>
     <td><code>weekly</code></td>
+
     <td><code><b>weekly</b></code></td>
    <td><code>WEEKY_EXECUTION_DAYOFWEEK</code>, <br><code>WEEKLY_EXECUTION_TIME</code></td>
+
     <td>Creates a recurring cronjob <b>using a specified day and time of the week.</b></td>
     <td>Creates a recurring cronjob using <b>WEEKLY_EXECUTION_DAYOFWEEK</b> and <b>WEEKLY_EXECUTION_TIME</b>.</td>
 
 
   </tr>
 
   </tr>
 
   <tr>
 
   <tr>
     <td><code>monthly</code></td>
+
     <td><code><b>monthly</b></code></td>
    <td><code>MONTHLY_EXECUTION_DAY</code>, <br><code>MONTHLY_EXECUTION_TIME</code></td>
+
     <td>Creates a recurring cronjob <b>using a specified date and time of the month.</b></td>
     <td>Creates a recurring cronjob using <b>MONTHLY_EXECUTION_DAY</b> and <b>MONTHLY_EXECUTION_TIME</b>.</td>
 
 
   </tr>
 
   </tr>
 
</table>
 
</table>

Revision as of 08:23, 17 March 2026

Summary

As of version 6.5, VALT has the capability of automatically applying renewed certificates to help combat the shortened certificate validity periods and for ease of use.


The SSL Renewal Watcher is a systemd service that, when enabled, watches for changes in the /usr/local/valt/ssl/incoming/ directory. When cert.pem, chain.pem, and privkey.pem are all modified within a 10-minute window, VALT will attempt to replace and install that set of incoming SSL Certificate files over the existing installed set. This operation restarts the Web, Wowza, and Nginx containers so they can utilize the updated files if there are no active recordings.

How it functions

Order of Operations

  1. Modify the config file /usr/local/valt/conf/ssl_renewer_config to the desired settings
  2. Copy the desired SSL server/leaf certificate into the /incoming directory
  3. Copy the desired SSL chain certificate into the /incoming directory
  4. Copy the desired SSL private key into the /incoming directory
  5. The SSL Renewal Watcher will respond based on the configuration and provided SSL files:
    • Throw an error into the /usr/local/valt/logs/SSLRenewalWatcher.log
    • Execute the SSLRenewer.bash script immediately
    • Create a cronjob to execute the SSLRenewer.bash at specified datetime or interval
  6. Scenarios to consider
    • If a SSL Renewer cronjob already exists because of a previous configuration, you can just repeat steps 1-4 and it will update the existing cronjob. No manual modifications necessary!

Execution Frequency Options

Execution Frequency What happens?
instant Executes the renewal script immediately.
scheduled Creates a one-time cronjob based on the specified date and time. The cronjob deletes itself after a single execution.
weekly Creates a recurring cronjob using a specified day and time of the week.
monthly Creates a recurring cronjob using a specified date and time of the month.


Error Checking

The SSL Renewal Watcher gets its own log file, located at /usr/local/valt/logs/SSLRenewalWatcher.log. This will include ALL log entries regarding the SSL Renewal Watcher service and the SSL Renewer. Here are just some of the checks it makes.


SSL File Checks

  • Have all 3 files (cert.pem, chain.pem, and privkey.pem) been updated within a 10-minute window?
  • Is cert.pem a valid x509 certificate file?
  • Is chain.pem a valid x509 certificate file?
  • Is privkey.pem a valid RSA key file?
  • Does cert.pem and privkey.pem have matching public keys?


Logical Process Checks

  • If the /usr/local/valt/ssl/incoming/ directory does not exist, do nothing
  • If there are no files in the /usr/local/valt/ssl/incoming/ directory, do nothing
  • If any of the three files, 'cert.pem', 'chain.pem', and 'privkey.pem' do not exist in the /usr/local/valt/ssl/incoming/ directory, do nothing
  • If the certificate files in the /usr/local/valt/ssl/incoming/ directory are the exact same certificate files as the currently installed certificate files, do nothing
    • If you want to override this condition, you can run '/usr/local/valt/bin/SSLRenewer.bash --force' to bypass it
  • If a file not named 'cert.pem', 'chain.pem', or 'privkey.pem' was modified in the /usr/local/valt/ssl/incoming/ directory, log that it happened but do not interact with them
Retrieved from "https://ipivs.info/wiki/index.php?title=Automatic_SSL_Certificate_Renewal&oldid=17077"