Difference between revisions of "Automatic SSL Certificate Renewal"
IVSWikiBlue (talk | contribs)
Latest revision as of 17:12, 17 March 2026
Summary
As of version 6.5, VALT has the capability of automatically applying renewed certificates to help combat the shortened certificate validity periods and for ease of use.
The SSL Renewal Watcher is a systemd service that, when enabled, watches for changes in the /usr/local/valt/ssl/incoming/ directory. When cert.pem, chain.pem, and privkey.pem are all modified within a 10-minute window, VALT will attempt to install that incoming set of SSL certificate files in place of the currently installed set. If there are no active recordings, this operation restarts the Web, Wowza, and Nginx containers so they pick up the updated files.
How it functions
Order of Operations
1. Modify the config file /usr/local/valt/conf/ssl_renewer_config to the desired settings
2. Copy the desired SSL server/leaf certificate into the /incoming directory
3. Copy the desired SSL chain certificate into the /incoming directory
4. Copy the desired SSL private key into the /incoming directory
5. The SSL Renewal Watcher will respond based on the configuration and provided SSL files:
   - Throw an error into the /usr/local/valt/logs/SSLRenewalWatcher.log
   - Execute the SSLRenewer.bash script immediately
   - Create a cronjob to execute the SSLRenewer.bash at the specified datetime or interval
Scenarios to consider
- If an SSL Renewer cronjob already exists because of a previous configuration, you can just repeat steps 1-4 and it will update the existing cronjob. No manual modifications necessary!
Execution Frequency Options
| Execution Frequency | What happens? |
|---|---|
| instant | Executes the renewal script immediately. |
| scheduled | Creates a one-time cronjob based on the specified date and time. The cronjob deletes itself after a single execution. |
| weekly | Creates a recurring cronjob using a specified day and time of the week. |
| monthly | Creates a recurring cronjob using a specified date and time of the month. |
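The following is an added example, not VALT's own SSLRenewer or watcher code. It maps the four execution frequencies in the table above to crontab entries and shows how a repeat of steps 1-4 replaces an already installed renewer job rather than adding a second one. The WHEN input formats, the trailing `# valt-ssl-renewer` marker and the self-deleting one-shot line are assumptions of this example; the real ssl_renewer_config syntax is not documented on this page.

```shell
#!/usr/bin/env bash
# Added example, not VALT's own code: turns each execution frequency from the
# table on this page into a crontab entry, and shows how a re-run replaces an
# already installed renewer job instead of adding a second one.
# The WHEN formats below are assumptions; the real ssl_renewer_config syntax
# is not documented on this page.
#   scheduled: "YYYY-MM-DD HH:MM"   weekly: "DOW HH:MM" (0-6, 0 = Sunday)
#   monthly:   "DD HH:MM"
SCRIPT=/usr/local/valt/bin/SSLRenewer.bash
TAG='# valt-ssl-renewer'   # trailing marker that identifies jobs we own

# Normalise a zero-padded field ("03" -> 3) so the entry stays readable.
num() { printf '%d' "$((10#$1))"; }

# Print the crontab line for FREQ at WHEN ("run-now" for instant).
cron_line() {
  local freq="$1" when="$2" d t hh mm
  case "$freq" in
    instant) echo "run-now"; return 0 ;;
    scheduled|weekly|monthly) ;;
    *) echo "unknown frequency: $freq" >&2; return 1 ;;
  esac
  d=${when%% *}; t=${when##* }
  hh=$(num "${t%%:*}"); mm=$(num "${t##*:}")
  case "$freq" in
    scheduled)
      # cron has no year field, so the job removes its own tagged line after
      # the first run; that self-deletion is what makes it one-time.
      local mon=${d#*-} dd
      dd=$(num "${mon##*-}"); mon=$(num "${mon%%-*}")
      printf '%s %s %s %s * %s; crontab -l | grep -v "%s" | crontab - %s\n' \
        "$mm" "$hh" "$dd" "$mon" "$SCRIPT" "$TAG" "$TAG" ;;
    weekly)  printf '%s %s * * %s %s %s\n' "$mm" "$hh" "$(num "$d")" "$SCRIPT" "$TAG" ;;
    monthly) printf '%s %s %s * * %s %s\n' "$mm" "$hh" "$(num "$d")" "$SCRIPT" "$TAG" ;;
  esac
}

# Read the current crontab on stdin and print it with every previously
# installed renewer job removed and NEW_LINE appended. Running
#   crontab -l | merge_crontab "$(cron_line weekly '0 03:30')" | crontab -
# is the "repeat steps 1-4 and the existing cronjob is updated" behaviour.
merge_crontab() {
  local new_line="$1"
  grep -v -F "$TAG" || true   # grep exits 1 when nothing is left; that is fine
  printf '%s\n' "$new_line"
}
```

Because the renewer's jobs are identified by a fixed marker, an operator can audit what the watcher has scheduled with `crontab -l | grep valt-ssl-renewer`, and an unexpected second renewer line in the crontab is a sign that something other than the watcher edited it.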
Error Checking
The SSL Renewal Watcher gets its own log file, located at /usr/local/valt/logs/SSLRenewalWatcher.log. This will include ALL log entries regarding the SSL Renewal Watcher service and the SSL Renewer. Here are just some of the checks it makes.
SSL File Checks
- Have all 3 files (cert.pem, chain.pem, and privkey.pem) been updated within a 10-minute window?
- Is cert.pem a valid x509 certificate file?
- Is chain.pem a valid x509 certificate file?
- Is privkey.pem a valid RSA key file?
- Do cert.pem and privkey.pem have matching public keys?
Logical Process Checks
- If the /usr/local/valt/ssl/incoming/ directory does not exist, do nothing
- If there are no files in the /usr/local/valt/ssl/incoming/ directory, do nothing
- If any of the three files 'cert.pem', 'chain.pem', and 'privkey.pem' does not exist in the /usr/local/valt/ssl/incoming/ directory, do nothing
- If the certificate files in the /usr/local/valt/ssl/incoming/ directory are the exact same certificate files as the currently installed certificate files, do nothing
  - If you want to override this condition, you can run '/usr/local/valt/bin/SSLRenewer.bash --force' to bypass it
- If a file not named 'cert.pem', 'chain.pem', or 'privkey.pem' was modified in the /usr/local/valt/ssl/incoming/ directory, log that it happened but do not interact with it
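The following is an added example, not VALT's own SSLRenewer.bash or watcher service. It applies both the SSL File Checks and the Logical Process Checks listed above with the openssl CLI, so an operator can pre-validate an incoming certificate set, or reproduce a failed check from SSLRenewalWatcher.log by hand. It assumes bash, GNU coreutils (stat -c) and openssl on PATH. The page does not say how VALT decides that two certificate sets are "the exact same", so this example compares the SHA-256 fingerprints of the leaf certificates; the location of the installed set is likewise not on the page and is passed in as a placeholder argument.

```shell
#!/usr/bin/env bash
# Added example, not VALT's own SSLRenewer.bash: a stand-alone pre-flight
# that applies this page's "SSL File Checks" and "Logical Process Checks"
# with the openssl CLI.
# Assumptions: bash, GNU coreutils (stat -c), openssl on PATH. How VALT
# itself decides that two certificate sets are "the exact same" is not on
# the page; here the leaf certificates' SHA-256 fingerprints are compared.

# Pass if cert.pem, chain.pem and privkey.pem were all modified within
# WINDOW seconds of each other (the page's 10-minute window = 600 s).
check_mtime_window() {
  local dir="$1" window="${2:-600}" newest=0 oldest="" f m
  for f in cert.pem chain.pem privkey.pem; do
    m=$(stat -c %Y "$dir/$f") || return 1
    [ "$m" -gt "$newest" ] && newest=$m
    if [ -z "$oldest" ] || [ "$m" -lt "$oldest" ]; then oldest=$m; fi
  done
  [ $((newest - oldest)) -le "$window" ]
}

# Does FILE parse as an X.509 certificate? (Checks the first PEM block, so a
# chain.pem holding several certificates is judged on its first one.)
is_x509() { openssl x509 -noout -in "$1" >/dev/null 2>&1; }

# Does FILE parse as a consistent RSA private key? (The page names RSA.)
is_rsa_key() { openssl rsa -noout -check -in "$1" >/dev/null 2>&1; }

# Do CERT and KEY carry the same public key? Both commands emit the
# SubjectPublicKeyInfo in PEM, so a byte-for-byte comparison is enough.
keys_match() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  key_pub=$(openssl rsa -pubout -in "$2" 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Same leaf certificate as the installed one? (SHA-256 fingerprint compare.)
same_cert() {
  [ -f "$1" ] && [ -f "$2" ] &&
  [ "$(openssl x509 -noout -fingerprint -sha256 -in "$1")" = \
    "$(openssl x509 -noout -fingerprint -sha256 -in "$2")" ]
}

# The five file checks; prints one line per failure, returns 0 only if all pass.
validate_incoming() {
  local dir="$1" rc=0
  check_mtime_window "$dir"     || { echo "FAIL: files not updated within the 10-minute window"; rc=1; }
  is_x509 "$dir/cert.pem"       || { echo "FAIL: cert.pem is not a valid x509 certificate"; rc=1; }
  is_x509 "$dir/chain.pem"      || { echo "FAIL: chain.pem is not a valid x509 certificate"; rc=1; }
  is_rsa_key "$dir/privkey.pem" || { echo "FAIL: privkey.pem is not a valid RSA key"; rc=1; }
  keys_match "$dir/cert.pem" "$dir/privkey.pem" || { echo "FAIL: cert.pem and privkey.pem public keys differ"; rc=1; }
  return $rc
}

# The logical checks in the page's order. Prints the decision; returns 0
# only for "proceed". FORCE=1 mirrors `SSLRenewer.bash --force`.
watcher_decision() {
  local incoming="$1" installed="$2" force="${3:-0}" f
  [ -d "$incoming" ]            || { echo "skip: incoming directory does not exist"; return 1; }
  [ -n "$(ls -A "$incoming")" ] || { echo "skip: incoming directory is empty"; return 1; }
  for f in "$incoming"/*; do
    case "${f##*/}" in
      cert.pem|chain.pem|privkey.pem) ;;
      *) echo "log: unexpected file ${f##*/} modified; leaving it alone" ;;
    esac
  done
  for f in cert.pem chain.pem privkey.pem; do
    [ -f "$incoming/$f" ] || { echo "skip: $f is missing"; return 1; }
  done
  if [ "$force" != 1 ] && same_cert "$incoming/cert.pem" "$installed/cert.pem"; then
    echo "skip: incoming certificate is identical to the installed one (--force overrides)"; return 1
  fi
  validate_incoming "$incoming" || { echo "error: SSL file checks failed, see messages above"; return 1; }
  echo "proceed"
}

# Usage (INSTALLED_SSL_DIR is a placeholder; the page does not give the path):
#   watcher_decision /usr/local/valt/ssl/incoming INSTALLED_SSL_DIR [1]
```

Running `watcher_decision` against the incoming directory before the 10-minute window closes tells you which check the watcher is going to log, which is quicker than waiting for the service and reading SSLRenewalWatcher.log afterwards. The public-key comparison is the one most worth keeping in any hand check: a certificate issued for a different key pair is syntactically valid and passes every other test, but would leave the Nginx and Wowza containers unable to start TLS after the restart.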