Automatic SSL Certificate Renewal
Revision as of 15:34, 16 March 2026 (page created by IVSWikiBlue)
Summary
As of version 6.5, VALT has the capability of automatically applying renewed certificates to help combat the shortened certificate validity periods and for ease of use.
The SSL Renewal Watcher is a systemd service that, when enabled, watches for changes in the /usr/local/valt/ssl/incoming/ directory. When cert.pem, chain.pem, and privkey.pem have all been modified within a 10-minute window, VALT attempts to install that incoming set of SSL certificate files over the currently installed set. This operation restarts the Web, Wowza, and Nginx containers so they can use the updated files, provided there are no active recordings.
How it functions
Order of Operations
1. Modify the config file /usr/local/valt/conf/ssl_renewer_config to the desired settings
2. Copy the desired SSL server/leaf certificate into the /incoming directory
3. Copy the desired SSL chain certificate into the /incoming directory
4. Copy the desired SSL private key into the /incoming directory
5. The SSL Renewal Watcher will respond based on the configuration and the provided SSL files:
   - Throw an error into the /usr/local/valt/logs/SSLRenewalWatcher.log
   - Execute the SSLRenewer.bash script immediately
   - Create a cronjob to execute SSLRenewer.bash at the specified datetime or interval
Scenarios to consider
- If an SSL Renewer cronjob already exists because of a previous configuration, you can just repeat steps 1-4 and it will update the existing cronjob. No manual modifications necessary!
Execution Frequency Logic
| Execution Frequency | Required Variables | What happens? |
|---|---|---|
| instant | No other variables required | Executes the /usr/local/valt/bin/SSLRenewer.bash script immediately. |
| scheduled | SCHEDULED_EXECUTION_DATETIME | Creates a one-time cronjob based on SCHEDULED_EXECUTION_DATETIME. The cronjob deletes itself after a single execution. |
| weekly | WEEKLY_EXECUTION_DAYOFWEEK, WEEKLY_EXECUTION_TIME | Creates a recurring cronjob using WEEKLY_EXECUTION_DAYOFWEEK and WEEKLY_EXECUTION_TIME. |
| monthly | MONTHLY_EXECUTION_DAY, MONTHLY_EXECUTION_TIME | Creates a recurring cronjob using MONTHLY_EXECUTION_DAY and MONTHLY_EXECUTION_TIME. |
Error Checking
The SSL Renewal Watcher gets its own log file, located at /usr/local/valt/logs/SSLRenewalWatcher.log. This will include ALL log entries regarding the SSL Renewal Watcher service and the SSL Renewer. Here are just some of the checks it makes.
SSL File Checks
- Have all 3 files (cert.pem, chain.pem, and privkey.pem) been updated within a 10-minute window?
- Is cert.pem a valid x509 certificate file?
- Is chain.pem a valid x509 certificate file?
- Is privkey.pem a valid RSA key file?
- Do cert.pem and privkey.pem have matching public keys?
Logical Process Checks
- If the /usr/local/valt/ssl/incoming/ directory does not exist, do nothing
- If there are no files in the /usr/local/valt/ssl/incoming/ directory, do nothing
- If any of the three files 'cert.pem', 'chain.pem', and 'privkey.pem' is missing from the /usr/local/valt/ssl/incoming/ directory, do nothing
- If the certificate files in the /usr/local/valt/ssl/incoming/ directory are exactly the same as the currently installed certificate files, do nothing
  - To override this condition, run '/usr/local/valt/bin/SSLRenewer.bash --force' to bypass it
- If a file not named 'cert.pem', 'chain.pem', or 'privkey.pem' was modified in the /usr/local/valt/ssl/incoming/ directory, log that it happened but do not touch that file
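As an added example (not VALT's own SSLRenewer.bash or watcher code), the following POSIX shell function runs the same validations listed under SSL File Checks, plus the missing-file case from the Logical Process Checks, against a directory of your choice before you copy the set into /usr/local/valt/ssl/incoming/. It assumes the openssl CLI and GNU stat (a Linux host); the certificate it generates is a constructed, throwaway self-signed sample that serves as its own chain.

```shell
# Pre-flight validation of an SSL set before it is copied into the VALT
# incoming directory, mirroring the checks the SSL Renewal Watcher logs.
# Added example, not VALT's own SSLRenewer.bash. Assumes the openssl CLI
# and GNU stat (a Linux host).
# check_ssl_set DIR: prints "ok" and returns 0, or prints a reason and returns 1.
check_ssl_set() {
    dir="$1"
    for f in cert.pem chain.pem privkey.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f"; return 1; }
    done
    # All three files must have been modified within a 10-minute window.
    newest=0; oldest=9999999999
    for f in cert.pem chain.pem privkey.pem; do
        t=$(stat -c %Y "$dir/$f")
        if [ "$t" -gt "$newest" ]; then newest=$t; fi
        if [ "$t" -lt "$oldest" ]; then oldest=$t; fi
    done
    [ $((newest - oldest)) -le 600 ] \
        || { echo "files were not all updated within 10 minutes"; return 1; }
    # cert.pem and chain.pem must each parse as an X.509 certificate.
    for f in cert.pem chain.pem; do
        openssl x509 -in "$dir/$f" -noout >/dev/null 2>&1 \
            || { echo "$f is not a valid X.509 certificate"; return 1; }
    done
    # privkey.pem must parse as an RSA private key.
    openssl rsa -in "$dir/privkey.pem" -check -noout >/dev/null 2>&1 \
        || { echo "privkey.pem is not a valid RSA private key"; return 1; }
    # The leaf certificate must carry the public key derived from privkey.pem.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl rsa -in "$dir/privkey.pem" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "cert.pem public key does not match privkey.pem"; return 1; }
    echo "ok"
}

# Constructed sample set: a throwaway self-signed certificate serves as both
# leaf and chain so the check can run offline.
make_sample_set() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/privkey.pem" \
        -out "$1/cert.pem" -days 1 -subj "/CN=valt.example" >/dev/null 2>&1
    cp "$1/cert.pem" "$1/chain.pem"
}

# Constructed failure case: swap in a key that does not belong to cert.pem.
make_mismatched_set() {
    make_sample_set "$1"
    openssl genrsa -out "$1/privkey.pem" 2048 >/dev/null 2>&1
}
```

Run it as `check_ssl_set /path/to/staging/dir` on the files you intend to drop into the incoming directory; a non-zero exit with the printed reason is the same failure the watcher would otherwise write to SSLRenewalWatcher.log.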