From 47622a7b1733a68700d0bb720cd303ac9e5956f3 Mon Sep 17 00:00:00 2001 From: Nicolas MASSE Date: Fri, 3 Apr 2020 22:50:23 +0200 Subject: [PATCH] fix the cron section --- content/blog/nginx-with-tls-on-openwrt.md | 35 ++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/content/blog/nginx-with-tls-on-openwrt.md b/content/blog/nginx-with-tls-on-openwrt.md index 413ef19..e6e5864 100644 --- a/content/blog/nginx-with-tls-on-openwrt.md +++ b/content/blog/nginx-with-tls-on-openwrt.md @@ -353,6 +353,39 @@ Welcome! The TLS certificate we fetched from Let's Encrypt is valid for ninety days. If you do not want to manually renew the certificate every ninety days, you will have to setup automatic renewal in a cron job. +Create a file **/opt/lego/etc/lego.conf** containing the environment variables needed by Lego to use your DNS provider. +Example shown below with Gandi, which is my DNS provider. + +```sh +export GANDIV5_API_KEY=[REDACTED] +``` + +Make it readable only by root. + +```sh +chmod -R og-rwx /opt/lego/etc/ +``` + +Create a file **/opt/lego/bin/renew.sh** with the following content. +Do not forget to change the email address and the hostname! + +```sh +#!/bin/sh + +set -e # Exit immediately if a command exits with a non-zero status + +. /opt/lego/etc/lego.conf + +/opt/lego/bin/lego -m replace.with@your.email -d raspberry-pi.example.test -a --dns gandiv5 --path /etc/nginx/tls run --no-bundle +/etc/init.d/nginx restart +``` + +Make it executable. + +```sh +chmod 755 /opt/lego/bin/renew.sh +``` + Edit the crontab of the root user. ```sh @@ -363,7 +396,7 @@ And an entry to renew the certificate using lego. ```crontab # At 3:59 the first day of the month, renew the Let's Encrypt certificates -3 59 1 * * GANDIV5_API_KEY=[REDACTED] /opt/lego/bin/lego -m replace.with@your.email -d raspberry-pi.example.test -a --dns gandiv5 --path /etc/nginx/tls run --no-bundle && service nginx restart +59 3 1 * * /opt/lego/bin/renew.sh ``` ## Conclusion
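Review bot: In the first hunk (@@ -353,6 +353,39 @@), the `chmod -R og-rwx /opt/lego/etc/` step comes after the instruction to create lego.conf, so the file holding GANDIV5_API_KEY sits with default-umask permissions until the chmod is run. Suggest reordering the steps: create /opt/lego/etc/ and restrict it first (or set `umask 077` in the shell) and only then write the key into lego.conf. Since renew.sh sources that file as root with `. /opt/lego/etc/lego.conf`, the text should also say that the file and its directory must be owned by root, because anything able to write there runs as root at the next renewal.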
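Review bot: In the second hunk (@@ -363,7 +396,7 @@), the new entry `59 3 1 * * /opt/lego/bin/renew.sh` leaves no record when the script stops under `set -e`, so a failed renewal goes unnoticed until the next monthly run or until the certificate expires. Suggest capturing the output, for example `59 3 1 * * /opt/lego/bin/renew.sh 2>&1 | logger -t lego-renew`, and mentioning in the text where to look for it. The corrected field order (minute 59, hour 3) now matches the comment "At 3:59 the first day of the month", and moving the API key out of the crontab line is a good change.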