Update to fix node SSL cert renewal
Hi there,
Apologies, it has been quite some time since my last blog post, but things have been quite busy in the real world.
I have finally had some time to look into the issue where the SSL cert renewal service does not restart zend correctly after the cert is renewed. The result is an expired certificate exception, and people have had to manually restart the zend daemon.
This blog post will help you convert your existing cert renewal service into one that should not require you to manually restart the zend daemon.
Step 1 - remove existing service file
sudo rm -rf /lib/systemd/system/zenupdate.service && sudo rm -rf /usr/local/share/ca-certificates/*
Note that the second command empties /usr/local/share/ca-certificates/ completely, not just the files this guide created. If you have placed any other locally trusted CA certificates there, copy them somewhere safe first and put them back after Step 5.
Step 2 - add new service file
Copy and paste this whole block and press enter. Before you do, make sure the FQDN variable in your shell is set to your node's hostname: it is expanded by your shell when the block is pasted, and the unit file will contain whatever it held at that moment (an unset FQDN gives the path /etc/letsencrypt/live//chain.pem, which certbot will never find). Two details of the block are deliberate. The doubled %%02d is there because systemd treats a single % in a unit file as a specifier, so %% is what produces a literal %02d when the hook runs (in Step 4, where you run csplit by hand, a single % is used). And because the work is done in a --deploy-hook, it only runs when certbot has actually renewed the certificate, so zend is not restarted every time the renewal check fires.
echo \
"[Unit]
Description=zenupdate.service
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew --preferred-chain \"ISRG Root X1\" --deploy-hook \"sudo rm -rf /usr/local/share/ca-certificates/* && csplit -s -z -f /usr/local/share/ca-certificates/intermediate-cert- /etc/letsencrypt/live/$FQDN/chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%%02d.crt' && update-ca-certificates --fresh && systemctl restart zend\"
PrivateTmp=true" | sudo tee /lib/systemd/system/zenupdate.service
Step 3 - reload the daemon
sudo systemctl daemon-reload
Step 4 - split SSL cert chain
This does once, by hand, what the deploy hook will do after every renewal. It reads the same FQDN variable as Step 2, so it must still be set.
sudo csplit -s -z -f /usr/local/share/ca-certificates/intermediate-cert- /etc/letsencrypt/live/$FQDN/chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}' --suffix-format='%02d.crt'
Next you can verify that you have correctly split the intermediate certs out by running this command
ls /usr/local/share/ca-certificates/
You should see something like this
intermediate-cert-00.crt
Step 5 - update the trusted store
sudo update-ca-certificates --fresh
After that, you should be all set and the cert renewal service should be running correctly.
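As an added example, not code from the original post or from the zend project, here is a POSIX shell version of the chain-splitting and deploy step that Steps 4 and 5 and the deploy hook perform with csplit. It assumes a hypothetical LETSENCRYPT_LIVE override variable (defaulting to certbot's real live directory) so it can be exercised on a workstation, and the chain used by demo() is constructed placeholder text rather than a real certificate chain. It differs from the hook above in three deliberate ways: it refuses an empty FQDN instead of silently reading /etc/letsencrypt/live//chain.pem, it removes only the intermediate-cert-NN.crt files it wrote previously rather than everything in the trust directory, and it fails if the chain contains no certificates at all.

```shell
#!/bin/sh
# Added example, not code from the original post or the zend project.
# awk is used instead of csplit so the same script runs on GNU and BSD
# userlands. Assumptions: LETSENCRYPT_LIVE is a hypothetical override
# (defaults to certbot's real live dir); demo() uses a constructed chain
# whose certificate bodies are placeholder text, not real certificates.

# live_chain FQDN
# Print the path of the chain file certbot maintains for FQDN. Refuses an
# empty FQDN, which in the original hook silently becomes
# /etc/letsencrypt/live//chain.pem.
live_chain() {
  [ -n "$1" ] || { echo "live_chain: FQDN is empty" >&2; return 1; }
  echo "${LETSENCRYPT_LIVE:-/etc/letsencrypt/live}/$1/chain.pem"
}

# split_chain CHAIN_PEM OUT_DIR [PREFIX]
# Write one OUT_DIR/PREFIXNN.crt per certificate block in CHAIN_PEM
# (NN = 00, 01, ...), print how many were written, return 1 if none.
# Only files matching PREFIXNN.crt are removed first, so any other local
# CA certificates already in OUT_DIR survive.
split_chain() {
  chain="$1"; outdir="$2"; prefix="${3:-intermediate-cert-}"
  [ -r "$chain" ] || { echo "split_chain: cannot read $chain" >&2; return 1; }
  mkdir -p "$outdir" || return 1
  rm -f "$outdir/$prefix"[0-9][0-9].crt
  count=$(awk -v out="$outdir/$prefix" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s%02d.crt", out, n); n++ }
    f                             { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }' "$chain") || return 1
  if [ "$count" -gt 0 ]; then
    echo "$count"
  else
    echo "split_chain: no certificates found in $chain" >&2
    return 1
  fi
}

# deploy_hook FQDN TRUST_DIR
# What the renewal hook should do after certbot has written a new chain.
# With DRY_RUN=1 the privileged steps are printed instead of executed, so
# the hook can be tried on a workstation before it goes into the unit.
deploy_hook() {
  chain=$(live_chain "$1") || return 1
  n=$(split_chain "$chain" "$2") || return 1
  echo "installed $n intermediate certificate(s) from $chain into $2"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "would run: update-ca-certificates --fresh && systemctl restart zend"
  else
    update-ca-certificates --fresh && systemctl restart zend
  fi
}

# demo: run the hook in dry-run mode against a constructed two-cert chain.
demo() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/live/node.example.invalid"
  # Constructed placeholder chain: these bodies are not real certificates.
  printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE-1' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE-2' '-----END CERTIFICATE-----' \
    > "$tmp/live/node.example.invalid/chain.pem"
  LETSENCRYPT_LIVE="$tmp/live"
  DRY_RUN=1
  deploy_hook node.example.invalid "$tmp/trust" || return 1
  ls "$tmp/trust"
  rm -rf "$tmp"
}

demo
```

On a real node the equivalent of Steps 4 and 5 is deploy_hook "$FQDN" /usr/local/share/ca-certificates run as root with DRY_RUN unset; the dry-run path exists so that the FQDN and the split can be checked before the commands are trusted inside a systemd unit, where a wrong path only shows up as an expired certificate weeks later.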
I have made these changes to the official guide so people who set up their nodes in the future won't have the issue of the zend daemon not restarting correctly after the cert renewal.