~emersion/soju#240: 
[Feature Request] Resolve symlinks on TLS cert path

It would be nice when mounting certificates from LetsEncrypt to resolve the symlinks in that directory structure and to automatically rotate the certificate after it has been updated.

Status
REPORTED
Submitter
Greg Linklater
Assigned to
No-one
Submitted
23 days ago
Updated
19 days ago
Labels
No labels applied.

~emersion 19 days ago

Not exactly sure what this entails. soju just opens the certificates without doing anything special (which means symlinks should work just fine…).

soju won't reload certificates on its own, it will reload them when its config file is reloaded (SIGHUP). I don't want to watch the certificates or config file, because this is dangerous in production (the files might be half-written, the administrator might want to double-check or make multiple changes before reloading, etc).

Greg Linklater 19 days ago · edit

Soju currently does not resolve symlinks. At least it didn’t for me running in docker. Specifically:

docker-compose.yaml

configs:
  soju:
    file: soju-config

services:
  soju:
    container_name: soju
    image: codeberg.org/emersion/soju:latest
    ports:
      - 6697:6697
    configs:
      - source: soju
        target: /soju-config
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt:ro
      - ./data:/opt/soju

soju-config

listen ircs://
listen unix+admin://
tls /etc/letsencrypt/archive/example.com/fullchain28.pem /etc/letsencrypt/archive/example.com/privkey28.pem
hostname 127.0.0.1
db sqlite3 /opt/soju/soju.db
message-store db
enable-user-on-auth false

readlink /etc/letsencrypt/live/example.com/fullchain.pem

../../archive/example.com/live/fullchain28.pem

I can’t do tls /etc/letsencrypt/live/example.com/fullchain.pem or it will complain about being unable to load the cert because that file is a symlink. This makes it difficult to use certbot’s automated certificate renewal because the live certificate is a symlink to the latest certificate in the archive.

Regarding reloading the certificates on its own; I didn’t know that a SIGHUP will reload everything (including certs), so that will resolve that problem. More than easy enough to just tack that onto my cron job.

On 3 Jan 2025, at 19:18, ~emersion outgoing@sr.ht wrote:

Not exactly sure what this entails. soju just opens the certificates without doing anything special (which means symlinks should work just fine…).

soju won't reload certificates on its own, it will reload them when its config file is reloaded (SIGHUP). I don't want to watch the certificates or config file, because this is dangerous in production (the files might be half-written, the administrator might want to double-check or make multiple changes before reloading, etc).

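The renewal workflow Greg settles on above (certbot renews, then soju is sent a SIGHUP from the same cron job), written up as an added example in POSIX shell; this is not soju's or certbot's own code. It resolves the live/ symlinks with readlink -f, so the resolved archive/ paths can be logged or written into the config explicitly, and it follows emersion's caveat about half-written files by refusing to signal soju while either PEM file lacks its END marker. RENEWED_LINEAGE is the variable certbot exports to deploy hooks; the PID-file path and the SOJU_PIDFILE variable are assumptions for this example.

```shell
#!/bin/sh
# Added example (not soju's or certbot's code): certbot deploy hook that
# resolves the live/ symlinks and reloads soju via SIGHUP only when both
# resolved PEM files are present, readable and completely written.
set -eu

# Follow the whole symlink chain (live/ -> archive/) and print the canonical
# target; fail if the target does not exist or is not readable.
resolve_cert_path() {
    target=$(readlink -f -- "$1") || return 1
    [ -r "$target" ] || return 1
    printf '%s\n' "$target"
}

# A PEM file that is still being written has no trailing END marker; treat it
# as not ready rather than handing soju a truncated certificate or key.
pem_is_complete() {
    tail -n 1 -- "$1" | grep -q '^-----END '
}

# lineage: certbot's RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/example.com
# pidfile: hypothetical PID file of the soju process (assumed location)
reload_soju() {
    lineage=$1
    pidfile=$2
    cert=$(resolve_cert_path "$lineage/fullchain.pem") || return 1
    key=$(resolve_cert_path "$lineage/privkey.pem") || return 1
    pem_is_complete "$cert" || return 1
    pem_is_complete "$key" || return 1
    # soju reloads its config, including the tls files, on SIGHUP.
    kill -HUP "$(cat "$pidfile")"
}

# When run by certbot as --deploy-hook, RENEWED_LINEAGE is set; SOJU_PIDFILE
# is an assumed override for the hypothetical default path.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_soju "$RENEWED_LINEAGE" "${SOJU_PIDFILE:-/run/soju.pid}"
fi
```

In the compose setup from the post, soju has no host PID file; the last line of reload_soju would instead be `docker kill --signal=HUP soju`, and the readiness checks stay the same because /etc/letsencrypt on the host is the directory the container reads.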

Greg Linklater referenced this from #240 19 days ago
