I was testing using certbot against Sectigo's ACME endpoint after setting my test morpheus.rb to use the certbot-obtained certificate for the nginx['ssl_certificate'] and nginx['ssl_server_key'] values.
I have a deploy-hook set up with certbot that will call out to 'morpheus-ctl reconfigure' and 'morpheus-ctl hup nginx'. My question is, is this acceptable vs a 'morpheus-ctl restart nginx'? I'd rather not have certbot restart nginx and break existing sessions, but instead do a more graceful reload to read the new config (and by extension the new cert and key), closing out sessions as they expire.
Will this work as I'm expecting, like a 'systemctl reload apache2' vs 'systemctl restart apache2' does around config and SSL changes?
If you are just updating the certs in place, then morpheus-ctl hup nginx is all that’s necessary. If you are changing filenames or locations, you would need to do a reconfigure.
Okay perfect and what I was hoping and expecting!
I just wasn’t sure if the hash/modulus values were used anywhere else in Morpheus as a sort of “cert validation check” for more internal calls that the reconfigure updated and the restart was needed to force refresh all things.
Hello Ron. I found on the web this bot with the nginx plugin for Ubuntu: certbot python3-certbot-nginx
Which do you use in your environment, and how do you configure the schedule? Did you have any challenges?
In this case you should be able to just use “certbot” as is with --certonly, since those extra modules for certbot are more so for handling the nginx, apache, or other related configs and restarting of the service if needed.
I will note we're doing Organization Validation (OV) validations against Sectigo's ACME setup, where we just add a domain into our ACME registration and we're good, so Let's Encrypt, with its HTTP hit to confirm ownership validation, may be a different ballgame there to get certbot/Let's Encrypt to validate DNS ownership.
What I was looking at doing (but haven't fully implemented in our prod yet due to time) is to set up certbot to create the SSL keypair and then have a post-deploy renewal-hook script that handles the reload of nginx.
So the /etc/morpheus/morpheus.rb file would be set up to point wherever I'd have certbot land the public and private SSL keys, such as:
nginx['ssl_certificate'] = '/etc/morpheus/ssl/certs/-full.crt'
nginx['ssl_server_key'] = '/etc/morpheus/ssl/private/.key'
And then reload nginx to pull in the updated files via a certbot "deploy" renewal-hook with the command:
morpheus-ctl hup nginx
That should get the new cert in place for new sessions while not breaking existing user sessions (well, on paper).
I should swing around to finish testing that but that was my plan as far as I’ve gotten so far.
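Putting the plan above together as a deploy hook, as an added example that is not from this thread, from Morpheus or from certbot: the script copies the renewed files over the exact paths morpheus.rb already points to, so only 'morpheus-ctl hup nginx' is needed, and falls back to 'morpheus-ctl reconfigure' when the operator has pointed it at different locations, which is the distinction the answer above draws. It also checks that the renewed cert and key belong together before touching nginx, which covers the modulus concern raised earlier. certbot really does export RENEWED_LINEAGE to a --deploy-hook; the override variables MORPHEUS_RB, MORPHEUS_CTL, CERT_DEST and KEY_DEST, the sample morpheus.rb and the file modes are assumptions of this example.

```shell
#!/bin/sh
# Constructed certbot --deploy-hook for a Morpheus appliance (example, not Morpheus's own code).
# Flow: certbot renews -> hook verifies the new cert and key belong together -> copies them
# over the paths morpheus.rb already points to -> 'morpheus-ctl hup nginx' reloads gracefully.
# If CERT_DEST/KEY_DEST point somewhere morpheus.rb does not, the hook runs
# 'morpheus-ctl reconfigure' first, as the answer in the thread requires for changed locations.
# Assumptions (not from the thread): certbot's RENEWED_LINEAGE variable is real; the override
# variables MORPHEUS_RB, MORPHEUS_CTL, CERT_DEST and KEY_DEST are hypothetical.
set -eu

MORPHEUS_RB="${MORPHEUS_RB:-/etc/morpheus/morpheus.rb}"
MORPHEUS_CTL="${MORPHEUS_CTL:-morpheus-ctl}"   # set to 'echo' for a dry run

# Print the path assigned to nginx['<key>'] in a morpheus.rb file (first match only).
morpheus_setting() {  # $1 = morpheus.rb path, $2 = key name
    sed -n "s/^[[:space:]]*nginx\[['\"]$2['\"]][[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# "hup" when the files are replaced at the exact paths morpheus.rb uses (in-place update),
# "reconfigure" when either destination differs from what morpheus.rb declares.
choose_action() {  # $1 = morpheus.rb path, $2 = cert destination, $3 = key destination
    if [ "$(morpheus_setting "$1" ssl_certificate)" = "$2" ] &&
       [ "$(morpheus_setting "$1" ssl_server_key)" = "$3" ]; then
        echo hup
    else
        echo reconfigure
    fi
}

# Refuse to reload on a cert/key mismatch: nginx would reject the pair, so do not touch it.
keypair_matches() {  # $1 = cert PEM, $2 = key PEM
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Copy certbot's lineage files over the destinations; cp keeps the existing inode, so this is
# the "update in place" case. Key mode 0600 is an assumption; use whatever the appliance's
# nginx user can read.
install_pair() {  # $1 = lineage dir, $2 = cert destination, $3 = key destination
    cp "$1/fullchain.pem" "$2" && chmod 0644 "$2"
    cp "$1/privkey.pem" "$3" && chmod 0600 "$3"
}

deploy() {
    lineage="${RENEWED_LINEAGE:?certbot exports this for --deploy-hook}"
    cert_dest="${CERT_DEST:-$(morpheus_setting "$MORPHEUS_RB" ssl_certificate)}"
    key_dest="${KEY_DEST:-$(morpheus_setting "$MORPHEUS_RB" ssl_server_key)}"
    if ! keypair_matches "$lineage/fullchain.pem" "$lineage/privkey.pem"; then
        echo "deploy-hook: renewed cert and key do not match, leaving nginx untouched" >&2
        return 1
    fi
    install_pair "$lineage" "$cert_dest" "$key_dest"
    case "$(choose_action "$MORPHEUS_RB" "$cert_dest" "$key_dest")" in
        hup)
            "$MORPHEUS_CTL" hup nginx ;;
        reconfigure)
            # morpheus.rb must already name the new paths, or reconfigure regenerates the old config.
            echo "deploy-hook: destinations differ from morpheus.rb, running reconfigure" >&2
            "$MORPHEUS_CTL" reconfigure && "$MORPHEUS_CTL" hup nginx ;;
    esac
}

# Only act when certbot invoked us; sourcing the file by hand just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy
fi
```

Register it once with certbot's real flag, e.g. `certbot renew --deploy-hook /usr/local/sbin/morpheus-cert-deploy.sh` (the script path is a placeholder), and certbot records the hook in the renewal config so later automatic renewals call it too. Run the script with `MORPHEUS_CTL=echo` against a copied morpheus.rb first; the lines it prints are exactly the morpheus-ctl commands it would have executed.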