It would be nice when mounting certificates from LetsEncrypt to resolve the symlinks in that directory structure and to automatically rotate the certificate after it has been updated.
Not exactly sure what this entails. soju just opens the certificates without doing anything special (which means symlinks should work just fine…).
soju won't reload certificates on its own, it will reload them when its config file is reloaded (SIGHUP). I don't want to watch the certificates or config file, because this is dangerous in production (the files might be half-written, the administrator might want to double-check or make multiple changes before reloading, etc).
Soju currently does not resolve symlinks. At least it didn’t for me running in docker. Specifically:
docker-compose.yaml
configs:
  soju:
    file: soju-config
services:
  soju:
    container_name: soju
    image: codeberg.org/emersion/soju:latest
    ports:
      - 6697:6697
    configs:
      - source: soju
        target: /soju-config
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt:ro
      - ./data:/opt/soju

soju-config

listen ircs://
listen unix+admin://
tls /etc/letsencrypt/archive/example.com/fullchain28.pem /etc/letsencrypt/archive/example.com/privkey28.pem
hostname 127.0.0.1
db sqlite3 /opt/soju/soju.db
message-store db
enable-user-on-auth false
readlink /etc/letsencrypt/live/example.com/fullchain.pem
../../archive/example.com/live/fullchain28.pem
I can’t do
tls /etc/letsencrypt/live/example.com/fullchain.pem
or it will complain about being unable to load the cert because that file is a symlink. This makes it difficult to use certbot’s automated certificate renewal because the live certificate is a symlink to the latest certificate in the archive.

Regarding reloading the certificates on its own: I didn’t know that a SIGHUP will reload everything (including certs), so that will resolve that problem. More than easy enough to just tack that onto my cron job.
On 3 Jan 2025, at 19:18, ~emersion outgoing@sr.ht wrote:
Not exactly sure what this entails. soju just opens the certificates without doing anything special (which means symlinks should work just fine…).
soju won't reload certificates on its own, it will reload them when its config file is reloaded (SIGHUP). I don't want to watch the certificates or config file, because this is dangerous in production (the files might be half-written, the administrator might want to double-check or make multiple changes before reloading, etc).