
Subject / Author
* Letsencrypt and innd - Nigel Reed
+* Re: Letsencrypt and innd - Jesse Rehmer
|+* Re: Letsencrypt and nnrpd - Julien ÉLIE
||`* Re: Letsencrypt and nnrpd - Jesse Rehmer
|| +- Re: Letsencrypt and nnrpd - Russ Allbery
|| `- Re: Letsencrypt and nnrpd - Jesse Rehmer
|`- Re: Letsencrypt and innd - Roberto CORRADO
`- Re: Letsencrypt and innd - Jack

Letsencrypt and innd

https://www.rocksolidbbs.com/computers/article-flat.php?id=2828&group=news.software.nntp#2828

Path: i2pn2.org!i2pn.org!newsfeed.endofthelinebbs.com!.POSTED.47.186.47.220!not-for-mail
From: sysop@endofthelinebbs.com (Nigel Reed)
Newsgroups: news.software.nntp
Subject: Letsencrypt and innd
Date: Tue, 23 Jan 2024 01:25:46 -0600
Organization: End Of The Line BBS
Message-ID: <20240123012546.1b9d5a31@wibble.sysadmininc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Info: www.sysadmininc.com; posting-host="47.186.47.220";
logging-data="4145149"; mail-complaints-to="abuse@endofthelinebbs.com"
X-Newsreader: Claws Mail 4.2.0git6 (GTK 3.24.33; x86_64-pc-linux-gnu)
 by: Nigel Reed - Tue, 23 Jan 2024 07:25 UTC

Hi all,

Is there anyone running innd with Letsencrypt certificates? I've not
seen any write-ups on how to configure it, and I'm sure it's not that bad,
but the main question is how do you deal with certificate expiry?

Which parts of innd would need to be reloaded or restarted and by using
what mechanism to cause the least amount of interference to my users
and peers?

Maybe with enough prior knowledge and advice I can whip up a howto for
others to follow if they wish.

Thanks,

--
End Of The Line BBS - Plano, TX
telnet endofthelinebbs.com 23

Re: Letsencrypt and innd

https://www.rocksolidbbs.com/computers/article-flat.php?id=2831&group=news.software.nntp#2831

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!nnrp.usenet.blueworldhosting.com!.POSTED!not-for-mail
From: jesse.rehmer@blueworldhosting.com (Jesse Rehmer)
Newsgroups: news.software.nntp
Subject: Re: Letsencrypt and innd
Date: Tue, 23 Jan 2024 12:41:56 -0000 (UTC)
Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
Message-ID: <uooc6k$21r9$1@nnrp.usenet.blueworldhosting.com>
References: <20240123012546.1b9d5a31@wibble.sysadmininc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=fixed
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 23 Jan 2024 12:41:56 -0000 (UTC)
Injection-Info: nnrp.usenet.blueworldhosting.com;
logging-data="67433"; mail-complaints-to="usenet@blueworldhosting.com"
User-Agent: Usenapp for MacOS
Cancel-Lock: sha1:3jkivWmlyEJjRqhx3Oy2Y2Nt58M= sha256:yR41Ii3OorEQfV6A16i0GXWqfjDJROWmaSLnNx0czXg=
sha1:bBAB7OWe0vgdzXyZgDhc7tsgPgQ= sha256:j/E4p1gf93jdI4//jyRU0f0H9MlL1SGNm/8O+ygjINk=
X-Usenapp: v1.27.2/d - Full License
 by: Jesse Rehmer - Tue, 23 Jan 2024 12:41 UTC

On Jan 23, 2024 at 1:25:46 AM CST, "Nigel Reed" <sysop@endofthelinebbs.com>
wrote:

> Hi all,
>
> Is there anyone running innd with Letsencrypt certificates? I've not
> seen any write-ups on how to configure it, and I'm sure it's not that bad,
> but the main question is how do you deal with certificate expiry?
>
> Which parts of innd would need to be reloaded or restarted and by using
> what mechanism to cause the least amount of interference to my users
> and peers?
>
> Maybe with enough prior knowledge and advice I can whip up a howto for
> others to follow if they wish.
>
> Thanks,

Only the nnrpd process that uses the -S flag needs to be restarted. I use the
following post-renewal hook for letsencrypt; it is simple, but it works. It
only kills the listening daemon pid and won't impact connected clients where a
separate nnrpd process has been spawned.

#!/bin/sh
# Copy the renewed Let's Encrypt files into INN's etc directory and
# hand them to the news user.
cp -f /usr/local/etc/letsencrypt/live/news.blueworldhosting.com/fullchain.pem /usr/local/news/etc/
cp -f /usr/local/etc/letsencrypt/live/news.blueworldhosting.com/cert.pem /usr/local/news/etc/
cp -f /usr/local/etc/letsencrypt/live/news.blueworldhosting.com/privkey.pem /usr/local/news/etc/
chown news:news /usr/local/news/etc/*.pem
# Stop only the listening nnrpd daemon (via its pid file) and start a new one on 563.
kill `cat /usr/local/news/run/nnrpd-563.pid`
su -l news -c "/usr/local/news/bin/nnrpd -S -D -p 563"

Re: Letsencrypt and innd

https://www.rocksolidbbs.com/computers/article-flat.php?id=2832&group=news.software.nntp#2832

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!feeder8.news.weretis.net!paganini.bofh.team!not-for-mail
From: invalid@invalid.jack (Jack)
Newsgroups: news.software.nntp
Subject: Re: Letsencrypt and innd
Date: Tue, 23 Jan 2024 17:59:04 +0000
Organization: To protect and to server
Message-ID: <uoov04$1jgja$1@paganini.bofh.team>
References: <20240123012546.1b9d5a31@wibble.sysadmininc.com>
Mime-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 23 Jan 2024 18:02:44 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1688170"; posting-host="oGqmAz3tvlukjcoaYhaSwQ.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
Cancel-Lock: sha256:BmDRfO4q2m6cSXtDxVtcL1LERW0Akcvea+VvR2sagiQ=
Content-Language: US
X-Notice: Filtered by postfilter v. 0.9.3
 by: Jack - Tue, 23 Jan 2024 17:59 UTC

On 23/01/2024 07:25, Nigel Reed wrote:
> The main question is how do you deal with certificate expiry?
>
>

I run my clients' websites on VPSs with LetsEncrypt free certificates, and
the expiry is handled by certbot, which I have installed. It's automatic
and you don't need to worry about the expiry dates.

The basic commands are: <https://certbot.eff.org/instructions>

Re: Letsencrypt and nnrpd

https://www.rocksolidbbs.com/computers/article-flat.php?id=2834&group=news.software.nntp#2834

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.trigofacile.com!.POSTED.2a01cb080adc11002daf2836f6473c46.ipv6.abo.wanadoo.fr!not-for-mail
From: iulius@nom-de-mon-site.com.invalid (Julien ÉLIE)
Newsgroups: news.software.nntp
Subject: Re: Letsencrypt and nnrpd
Date: Tue, 23 Jan 2024 19:31:36 +0100
Organization: Groupes francophones par TrigoFACILE
Message-ID: <uop0m8$2lau$1@news.trigofacile.com>
References: <20240123012546.1b9d5a31@wibble.sysadmininc.com>
<uooc6k$21r9$1@nnrp.usenet.blueworldhosting.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 23 Jan 2024 18:31:36 -0000 (UTC)
Injection-Info: news.trigofacile.com; posting-account="julien"; posting-host="2a01cb080adc11002daf2836f6473c46.ipv6.abo.wanadoo.fr:2a01:cb08:adc:1100:2daf:2836:f647:3c46";
logging-data="87390"; mail-complaints-to="abuse@trigofacile.com"
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:yOT2TFUGTwrHIlnfVnqsr8LKQM0= sha256:F0foPM+3WL+blxHnzzVs2ynoksRNFlslZ2opcTqYPgM=
sha1:SfjXAWOBULfdSd12rsmeWKubMUA= sha256:QW3zxHHmXLjqCpUZKAUK6oF7lrvpDoDB8zMT+qhlqvg=
In-Reply-To: <uooc6k$21r9$1@nnrp.usenet.blueworldhosting.com>
 by: Julien ÉLIE - Tue, 23 Jan 2024 18:31 UTC

Hi Jesse, Nigel,

> Only the nnrpd process that uses the -S flag needs to be restarted. I use the
> following post-renewal hook for letsencrypt, it is simple but it works.

Are you sure that hook is really needed? When not restarting nnrpd,
running as a daemon, after a renewal of certificate, did you find an issue?

I'm also using Let's Encrypt certificates, automatically renewed by
Certbot, and I do not restart nnrpd. When a new connection arrives for
a news client, nnrpd forks and it is that fork which reads the
certificates, and therefore will take into account the new one. The
running daemon does not have them in memory.
Same thing as readers.conf by the way: you don't have to restart the
nnrpd daemon to take a change in readers.conf into account.

FWIW, my configuration with a 3072-bit RSA key (seems like what will be
the most widely supported by clients):

% cat news.trigofacile.com.conf
version = 1.12.0
archive_dir = /etc/letsencrypt/archive/news.trigofacile.com
cert = /etc/letsencrypt/live/news.trigofacile.com/cert.pem
privkey = /etc/letsencrypt/live/news.trigofacile.com/privkey.pem
chain = /etc/letsencrypt/live/news.trigofacile.com/chain.pem
fullchain = /etc/letsencrypt/live/news.trigofacile.com/fullchain.pem

[renewalparams]
account = xxx
key_type = rsa
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
rsa_key_size = 3072

And inn.conf:
tlscapath: /etc/letsencrypt/live/news.trigofacile.com
tlscertfile: /etc/letsencrypt/live/news.trigofacile.com/fullchain.pem
tlskeyfile: /etc/letsencrypt/live/news.trigofacile.com/privkey.pem

Make sure that the permission rights are properly set so that the news
user or the news group can read these *directories* and *files*, and
that the private key is not world-readable.

--
Julien ÉLIE

« Prouidentia, dum ortum ante obitum ponit, sapienter fecit, sin autem
quid uitae sit notum ? » (Alphonse Allais)

Re: Letsencrypt and nnrpd

https://www.rocksolidbbs.com/computers/article-flat.php?id=2837&group=news.software.nntp#2837

Path: i2pn2.org!rocksolid2!news.neodome.net!tncsrv06.tnetconsulting.net!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!nnrp.usenet.blueworldhosting.com!.POSTED!not-for-mail
From: jesse.rehmer@blueworldhosting.com (Jesse Rehmer)
Newsgroups: news.software.nntp
Subject: Re: Letsencrypt and nnrpd
Date: Tue, 23 Jan 2024 18:55:27 -0000 (UTC)
Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
Message-ID: <uop22v$13bb$1@nnrp.usenet.blueworldhosting.com>
References: <20240123012546.1b9d5a31@wibble.sysadmininc.com> <uooc6k$21r9$1@nnrp.usenet.blueworldhosting.com> <uop0m8$2lau$1@news.trigofacile.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=fixed
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 23 Jan 2024 18:55:27 -0000 (UTC)
Injection-Info: nnrp.usenet.blueworldhosting.com;
logging-data="36203"; mail-complaints-to="usenet@blueworldhosting.com"
User-Agent: Usenapp for MacOS
Cancel-Lock: sha1:Br5O6C8R6FJXdvOXlTkuaMIykP4= sha256:UwbaB5HbyTkEss6YDw4motT+fX7G/UszUY+GuGQ+kQg=
sha1:OJqZfTrVmvtB9YFZYZCmwMW7OWI= sha256:50LkUqHsuCXdL6p4KwPWBM9UlPEStPNXDYkLPrh1pEk=
X-Usenapp: v1.27.2/d - Full License
 by: Jesse Rehmer - Tue, 23 Jan 2024 18:55 UTC

On Jan 23, 2024 at 12:31:36 PM CST, "Julien ÉLIE"
<iulius@nom-de-mon-site.com.invalid> wrote:

> Hi Jesse, Nigel,
>
>> Only the nnrpd process that uses the -S flag needs to be restarted. I use the
>> following post-renewal hook for letsencrypt, it is simple but it works.
>
> Are you sure that hook is really needed? When not restarting nnrpd,
> running as a daemon, after a renewal of certificate, did you find an issue?
>
> I'm also using Let's Encrypt certificates, automatically renewed by
> Certbot, and I do not restart nnrpd. When a new connection arrives for
> a news client, nnrpd forks and it is that fork which reads the
> certificates, and therefore will take into account the new one. The
> running daemon does not have them in memory.
> Same thing as readers.conf by the way: you don't have to restart the
> nnrpd daemon to take a change in readers.conf into account.
>
>
> FWIW, my configuration with a 3072-bit RSA key (seems like what will be
> the most widely supported by clients):
>
> % cat news.trigofacile.com.conf
> version = 1.12.0
> archive_dir = /etc/letsencrypt/archive/news.trigofacile.com
> cert = /etc/letsencrypt/live/news.trigofacile.com/cert.pem
> privkey = /etc/letsencrypt/live/news.trigofacile.com/privkey.pem
> chain = /etc/letsencrypt/live/news.trigofacile.com/chain.pem
> fullchain = /etc/letsencrypt/live/news.trigofacile.com/fullchain.pem
>
> [renewalparams]
> account = xxx
> key_type = rsa
> authenticator = standalone
> server = https://acme-v02.api.letsencrypt.org/directory
> rsa_key_size = 3072
>
>
>
> And inn.conf:
> tlscapath: /etc/letsencrypt/live/news.trigofacile.com
> tlscertfile: /etc/letsencrypt/live/news.trigofacile.com/fullchain.pem
> tlskeyfile: /etc/letsencrypt/live/news.trigofacile.com/privkey.pem
>
>
> Make sure that the permission rights are properly set so that the news
> user or the news group can read these *directories* and *files*, and
> that the private key is not world-readable.

On my FreeBSD box, INN cannot read the certificate files in the
/usr/local/letsencrypt subdirectories, so my inn.conf references the files I
copy into /usr/local/news/etc. In past experience, nnrpd did not pick up the
new certificate files and provided users the expired cert. I had to kill the
parent daemon process and spawn a new one.

Every time the packages that provide the letsencrypt stuff got updated it
would wipe out my permissions on /usr/local/letsencrypt, so that's the way I
ended up going about it. I'm sure there are more elegant ways.

Re: Letsencrypt and nnrpd

https://www.rocksolidbbs.com/computers/article-flat.php?id=2842&group=news.software.nntp#2842

Path: i2pn2.org!i2pn.org!news.niel.me!nntp.terraraq.uk!news1.firedrake.org!news.eyrie.org!.POSTED!not-for-mail
From: eagle@eyrie.org (Russ Allbery)
Newsgroups: news.software.nntp
Subject: Re: Letsencrypt and nnrpd
Date: Tue, 23 Jan 2024 11:41:08 -0800
Organization: The Eyrie
Message-ID: <87y1cfdei3.fsf@hope.eyrie.org>
References: <20240123012546.1b9d5a31@wibble.sysadmininc.com>
<uooc6k$21r9$1@nnrp.usenet.blueworldhosting.com>
<uop0m8$2lau$1@news.trigofacile.com>
<uop22v$13bb$1@nnrp.usenet.blueworldhosting.com>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: hope.eyrie.org;
logging-data="28624"; mail-complaints-to="news@eyrie.org"
User-Agent: Gnus/5.13 (Gnus v5.13)
Cancel-Lock: sha1:rH+pmX6rfa3H81WOihSCQFSF0zM=
 by: Russ Allbery - Tue, 23 Jan 2024 19:41 UTC

Jesse Rehmer <jesse.rehmer@blueworldhosting.com> writes:

> On my FreeBSD box, INN cannot read the certificate files in the
> /usr/local/letsencrypt subdirectories, so my inn.conf references the
> files I copy into /usr/local/news/etc.

This is also what I do, for what it's worth.

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

Please post questions rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.

Re: Letsencrypt and innd

https://www.rocksolidbbs.com/computers/article-flat.php?id=2845&group=news.software.nntp#2845

X-Received: by 2002:a05:620a:c46:b0:783:88b1:a4e5 with SMTP id u6-20020a05620a0c4600b0078388b1a4e5mr275562qki.6.1706043845367;
Tue, 23 Jan 2024 13:04:05 -0800 (PST)
X-Received: by 2002:a05:620a:1a1e:b0:783:9396:fcb2 with SMTP id
bk30-20020a05620a1a1e00b007839396fcb2mr85096qkb.10.1706043845114; Tue, 23 Jan
2024 13:04:05 -0800 (PST)
Path: i2pn2.org!rocksolid2!news.neodome.net!weretis.net!feeder8.news.weretis.net!proxad.net!feeder1-2.proxad.net!209.85.160.216.MISMATCH!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: news.software.nntp
Date: Tue, 23 Jan 2024 13:04:04 -0800 (PST)
In-Reply-To: <uooc6k$21r9$1@nnrp.usenet.blueworldhosting.com>
Injection-Info: google-groups.googlegroups.com; posting-host=188.216.31.233; posting-account=Fu6UZwkAAADyje3seOVJZNxhz9R8iwvg
NNTP-Posting-Host: 188.216.31.233
References: <20240123012546.1b9d5a31@wibble.sysadmininc.com> <uooc6k$21r9$1@nnrp.usenet.blueworldhosting.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <81fd7a82-2185-442f-8a97-ac6edcf418d1n@googlegroups.com>
Subject: Re: Letsencrypt and innd
From: flygatto@gmail.com (Roberto CORRADO)
Injection-Date: Tue, 23 Jan 2024 21:04:05 +0000
Content-Type: text/plain; charset="UTF-8"
 by: Roberto CORRADO - Tue, 23 Jan 2024 21:04 UTC

Jesse Rehmer wrote:

> #!/bin/sh
> cp -f /usr/local/etc/letsencrypt/live/news.blueworldhosting.com/fullchain.pem /usr/local/news/etc/
> cp -f /usr/local/etc/letsencrypt/live/news.blueworldhosting.com/cert.pem /usr/local/news/etc/
> cp -f /usr/local/etc/letsencrypt/live/news.blueworldhosting.com/privkey.pem /usr/local/news/etc/
> chown news:news /usr/local/news/etc/*.pem
> kill `cat /usr/local/news/run/nnrpd-563.pid`
> su -l news -c "/usr/local/news/bin/nnrpd -S -D -p 563"

Thank you to everybody for the prototypes; they will surely be very useful for me.
Thanks

-Roberto

Re: Letsencrypt and nnrpd

https://www.rocksolidbbs.com/computers/article-flat.php?id=2848&group=news.software.nntp#2848

Path: i2pn2.org!i2pn.org!usenet.network!newsfeed.endofthelinebbs.com!weretis.net!feeder6.news.weretis.net!news.cmpublishers.com!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!nnrp.usenet.blueworldhosting.com!.POSTED!not-for-mail
From: jesse.rehmer@blueworldhosting.com (Jesse Rehmer)
Newsgroups: news.software.nntp
Subject: Re: Letsencrypt and nnrpd
Date: Wed, 24 Jan 2024 03:20:01 -0000 (UTC)
Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
Message-ID: <uopvl1$29jb$1@nnrp.usenet.blueworldhosting.com>
References: <20240123012546.1b9d5a31@wibble.sysadmininc.com> <uooc6k$21r9$1@nnrp.usenet.blueworldhosting.com> <uop0m8$2lau$1@news.trigofacile.com> <uop22v$13bb$1@nnrp.usenet.blueworldhosting.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=fixed
Content-Transfer-Encoding: 8bit
Injection-Date: Wed, 24 Jan 2024 03:20:01 -0000 (UTC)
Injection-Info: nnrp.usenet.blueworldhosting.com;
logging-data="75371"; mail-complaints-to="usenet@blueworldhosting.com"
User-Agent: Usenapp for MacOS
Cancel-Lock: sha1:tpiM0oYknPF0Wz2bKVJeUxy3IKM= sha256:vVFQKtCeGl38U4MzC5ZE3BmwYgSyudkEaWpyHdpuybU=
sha1:HVNnKZftSJ5o5Ds3qmWTOTBpR/g= sha256:g5aOZNbpkc0fFZzfU+5y70f2yfLatEqDjzV6SzX6vU4=
X-Usenapp: v1.27.2/d - Full License
 by: Jesse Rehmer - Wed, 24 Jan 2024 03:20 UTC

On Jan 23, 2024 at 12:55:27 PM CST, "Jesse Rehmer"
<jesse.rehmer@blueworldhosting.com> wrote:

> On Jan 23, 2024 at 12:31:36 PM CST, "Julien ÉLIE"
> <iulius@nom-de-mon-site.com.invalid> wrote:
>
>> Hi Jesse, Nigel,
>>
>>> Only the nnrpd process that uses the -S flag needs to be restarted. I use the
>>> following post-renewal hook for letsencrypt, it is simple but it works.
>>
>> Are you sure that hook is really needed? When not restarting nnrpd,
>> running as a daemon, after a renewal of certificate, did you find an issue?
>>
>> I'm also using Let's Encrypt certificates, automatically renewed by
>> Certbot, and I do not restart nnrpd. When a new connection arrives for
>> a news client, nnrpd forks and it is that fork which reads the
>> certificates, and therefore will take into account the new one. The
>> running daemon does not have them in memory.
>> Same thing as readers.conf by the way: you don't have to restart the
>> nnrpd daemon to take a change in readers.conf into account.
>>
>>
>> FWIW, my configuration with a 3072-bit RSA key (seems like what will be
>> the most widely supported by clients):
>>
>> % cat news.trigofacile.com.conf
>> version = 1.12.0
>> archive_dir = /etc/letsencrypt/archive/news.trigofacile.com
>> cert = /etc/letsencrypt/live/news.trigofacile.com/cert.pem
>> privkey = /etc/letsencrypt/live/news.trigofacile.com/privkey.pem
>> chain = /etc/letsencrypt/live/news.trigofacile.com/chain.pem
>> fullchain = /etc/letsencrypt/live/news.trigofacile.com/fullchain.pem
>>
>> [renewalparams]
>> account = xxx
>> key_type = rsa
>> authenticator = standalone
>> server = https://acme-v02.api.letsencrypt.org/directory
>> rsa_key_size = 3072
>>
>>
>>
>> And inn.conf:
>> tlscapath: /etc/letsencrypt/live/news.trigofacile.com
>> tlscertfile: /etc/letsencrypt/live/news.trigofacile.com/fullchain.pem
>> tlskeyfile: /etc/letsencrypt/live/news.trigofacile.com/privkey.pem
>>
>>
>> Make sure that the permission rights are properly set so that the news
>> user or the news group can read these *directories* and *files*, and
>> that the private key is not world-readable.
>
> On my FreeBSD box, INN cannot read the certificate files in the
> /usr/local/letsencrypt subdirectories, so my inn.conf references the files I
> copy into /usr/local/news/etc. In past experience, nnrpd did not pick up the
> new certificate files and provided users the expired cert. I had to kill the
> parent daemon process and spawn a new one.
>
> Every time the packages that provide the letsencrypt stuff got updated it
> would wipe out my permissions on /usr/local/letsencrypt, so that's the way I
> ended up going about it. I'm sure there are more elegant ways.

I did testing and you are correct: if I replace the certificate files without
restarting nnrpd, I do get offered the replacement. I'm not sure why I was
convinced this was not the case before, so thank you for pointing it out. I
will change my post-renewal hook to copy the files and set ownership.
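Putting the thread's conclusion together (copy the lineage files out of the letsencrypt tree, give them to the news user, keep the private key unreadable by "other", and rely on the forking nnrpd to pick the new files up with no restart), here is a certbot deploy hook written as an added example. It is not Jesse's or Julien's script and not part of INN or certbot. It assumes INN's etc directory is /usr/local/news/etc, the news user and group are news:news, the NNTPS port is 563, and that certbot exports RENEWED_LINEAGE when it runs a --deploy-hook (which it does). The openssl checks are a verification step the posts do not include: they confirm the copied key and certificate belong to the same lineage and let you compare the fingerprint nnrpd is actually serving against the file on disk.

```shell
#!/bin/sh
# Added example: certbot deploy hook for INN/nnrpd (not the thread's own code).
# Assumed paths: /usr/local/news/etc, owner news:news, NNTPS on port 563.
set -u

# install_cert_files SRC_DIR DST_DIR OWNER:GROUP
# Copies fullchain.pem, cert.pem and privkey.pem out of the certbot lineage
# (cp follows the live/ symlinks, so the archive/ copies are what lands here).
# Public parts become 0644; the key becomes 0640 so the news group can read it
# but "other" cannot. Each file is written to a temporary name and renamed, so
# an nnrpd child forking mid-renewal never reads a half-written file.
install_cert_files() {
    src=$1; dst=$2; owner=$3
    for f in fullchain.pem cert.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing or unreadable: $src/$f" >&2; return 1; }
        case $f in privkey.pem) mode=0640 ;; *) mode=0644 ;; esac
        cp -f "$src/$f" "$dst/.$f.tmp" || return 1
        chmod "$mode" "$dst/.$f.tmp" || return 1
        chown "$owner" "$dst/.$f.tmp" || return 1
        mv -f "$dst/.$f.tmp" "$dst/$f" || return 1
    done
}

# private_key_not_world_readable FILE
# Exit status 0 only when FILE exists and has no "other" read bit (mode & 004).
private_key_not_world_readable() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004)" ]
}

# key_matches_cert KEY CERT
# Exit status 0 when the public key embedded in CERT is the one derived from
# KEY, i.e. both files really came from the same renewed lineage.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# local_cert_fingerprint CERT   -> SHA-256 fingerprint of the file on disk.
# served_cert_fingerprint HOST PORT -> SHA-256 fingerprint the live nnrpd
# offers on its NNTPS port. Equal values prove the renewal is in effect
# without any restart, which is what the thread established.
local_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
served_cert_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# deploy_hook LINEAGE_DIR DST_DIR OWNER:GROUP
deploy_hook() {
    install_cert_files "$1" "$2" "$3" || return 1
    private_key_not_world_readable "$2/privkey.pem" || return 1
    key_matches_cert "$2/privkey.pem" "$2/cert.pem" || return 1
}

# When certbot invokes this as a deploy hook it sets RENEWED_LINEAGE to the
# live/<name> directory that was just renewed. Nothing runs otherwise, so the
# functions above can be sourced and tested on their own.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE" /usr/local/news/etc news:news || exit 1
fi
```

Install it with `certbot renew --deploy-hook /usr/local/news/bin/inn-cert-deploy.sh` (path assumed) and point inn.conf's tlscertfile and tlskeyfile at the copies in /usr/local/news/etc, as in Jesse's setup. After a renewal, `served_cert_fingerprint news.example 563` should equal `local_cert_fingerprint /usr/local/news/etc/cert.pem` on the next connection; if it does not, that is the moment to look at the pid-file restart Jesse originally used, not before.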
