mosquitto/misc/letsencrypt/mosquitto-copy.sh

#!/bin/sh

# This is an example deploy renewal hook for certbot that copies newly updated
# certificates to the Mosquitto certificates directory and sets the ownership
# and permissions so only the mosquitto user can access them, then signals
# Mosquitto to reload certificates.

# RENEWED_DOMAINS will match the domains being renewed for that certificate, so
# may be just "example.com", or multiple domains "www.example.com example.com"
# depending on your certificate.

# Place this script in /etc/letsencrypt/renewal-hooks/deploy/ and make it
# executable after editing it to your needs.

# Set which domain this script will be run for
MY_DOMAIN=example.com
# Set the directory that the certificates will be copied to.
CERTIFICATE_DIR=/etc/mosquitto/certs

if [ "${RENEWED_DOMAINS}" = "${MY_DOMAIN}" ]; then
	# Copy new certificate to Mosquitto directory
	cp ${RENEWED_LINEAGE}/fullchain.pem ${CERTIFICATE_DIR}/server.pem
	cp ${RENEWED_LINEAGE}/privkey.pem ${CERTIFICATE_DIR}/server.key

	# Set ownership to Mosquitto
	chown mosquitto: ${CERTIFICATE_DIR}/server.pem ${CERTIFICATE_DIR}/server.key

	# Ensure permissions are restrictive
	chmod 0600 ${CERTIFICATE_DIR}/server.pem ${CERTIFICATE_DIR}/server.key

	# Tell Mosquitto to reload certificates and configuration
	pkill -HUP -x mosquitto
fi
Breaking: Drop privileges after loading the configuration This change means privileges are dropped before loading certificates, starting logging, creating the pid file etc. are carried out, so all of those actions must now be changed to ensure that the unprivileged user can carry them out. 2020-11-05 12:05:07 +00:00			`#!/bin/sh`

			`# This is an example deploy renewal hook for certbot that copies newly updated`
			`# certificates to the Mosquitto certificates directory and sets the ownership`
			`# and permissions so only the mosquitto user can access them, then signals`
			`# Mosquitto to reload certificates.`

			`# RENEWED_DOMAINS will match the domains being renewed for that certificate, so`
			`# may be just "example.com", or multiple domains "www.example.com example.com"`
			`# depending on your certificate.`

Fix letsencrypt instruction typo. Closes #1939. Thanks to Frank Tegtmeyer. 2020-12-09 21:28:38 +00:00			`# Place this script in /etc/letsencrypt/renewal-hooks/deploy/ and make it`
Breaking: Drop privileges after loading the configuration This change means privileges are dropped before loading certificates, starting logging, creating the pid file etc. are carried out, so all of those actions must now be changed to ensure that the unprivileged user can carry them out. 2020-11-05 12:05:07 +00:00			`# executable after editing it to your needs.`

Simplify editing needs of the letsencrypt hook script. 2021-06-10 10:05:23 +00:00			`# Set which domain this script will be run for`
Fix letsencrypt case when RENEWED_DOMAINS is empty. 2021-06-10 10:55:01 +00:00			`MY_DOMAIN=example.com`
Simplify editing needs of the letsencrypt hook script. 2021-06-10 10:05:23 +00:00			`# Set the directory that the certificates will be copied to.`
			`CERTIFICATE_DIR=/etc/mosquitto/certs`

Fix letsencrypt case when RENEWED_DOMAINS is empty. 2021-06-10 10:55:01 +00:00			`if [ "${RENEWED_DOMAINS}" = "${MY_DOMAIN}" ]; then`
Breaking: Drop privileges after loading the configuration This change means privileges are dropped before loading certificates, starting logging, creating the pid file etc. are carried out, so all of those actions must now be changed to ensure that the unprivileged user can carry them out. 2020-11-05 12:05:07 +00:00			`# Copy new certificate to Mosquitto directory`
Simplify editing needs of the letsencrypt hook script. 2021-06-10 10:05:23 +00:00			`cp ${RENEWED_LINEAGE}/fullchain.pem ${CERTIFICATE_DIR}/server.pem`
			`cp ${RENEWED_LINEAGE}/privkey.pem ${CERTIFICATE_DIR}/server.key`
Breaking: Drop privileges after loading the configuration This change means privileges are dropped before loading certificates, starting logging, creating the pid file etc. are carried out, so all of those actions must now be changed to ensure that the unprivileged user can carry them out. 2020-11-05 12:05:07 +00:00
			`# Set ownership to Mosquitto`
Simplify editing needs of the letsencrypt hook script. 2021-06-10 10:05:23 +00:00			`chown mosquitto: ${CERTIFICATE_DIR}/server.pem ${CERTIFICATE_DIR}/server.key`
Breaking: Drop privileges after loading the configuration This change means privileges are dropped before loading certificates, starting logging, creating the pid file etc. are carried out, so all of those actions must now be changed to ensure that the unprivileged user can carry them out. 2020-11-05 12:05:07 +00:00
			`# Ensure permissions are restrictive`
Simplify editing needs of the letsencrypt hook script. 2021-06-10 10:05:23 +00:00			`chmod 0600 ${CERTIFICATE_DIR}/server.pem ${CERTIFICATE_DIR}/server.key`
Breaking: Drop privileges after loading the configuration This change means privileges are dropped before loading certificates, starting logging, creating the pid file etc. are carried out, so all of those actions must now be changed to ensure that the unprivileged user can carry them out. 2020-11-05 12:05:07 +00:00
			`# Tell Mosquitto to reload certificates and configuration`
			`pkill -HUP -x mosquitto`
			`fi`