using existing let's encrypt certificates

[Becker884]

Hi, I´m using certbot / let's encrypt for my nginx webserver.
I use these certificates also for FlashMQ websockets:

allow_anonymous true

mosquitto_acl_file /home/pi/acl
mosquitto_password_file /home/pi/passwd

listen {
  protocol mqtt
}

listen {
  protocol websockets
}

listen {
  protocol websockets
  fullchain /etc/letsencrypt/live/mydomain.de/fullchain.pem
  privkey /etc/letsencrypt/live/mydomain.de/privkey.pem
}

FlashMQ has access to the folder (unlike to mosquitto) - very nice.
(no need of this )

every few month the certificates will be renewed by certbot.

Question:
Is it necessary to reload FlashMQ, after cerbot has renewed them?

[halfgaar]

FlashMQ has access to the folder (unlike to mosquitto) - very nice.

There are downsides to that, but let's ignore that for now...

But yes, a reload is required. You can easily put systemctl reload flashmq in the certbot's post-deploy hook. The reload itself is harmless; no-one will be kicked out or anything.

It would be good if I extend the Let's Encrypt example on the website with it. I can have look soon, but you will probably be faster finding out yourself before I get to it.

[Becker884]

i´ve put just a flashmq.sh in "/etc/letsencrypt/renewal-hooks/deploy/" with "systemctl reload flashmq", rights / owner:
rwxr-xr-x root root
is this sufficient ?

I'm a little confused by the mosquitto script:
MY_DOMAIN=example.com ... for D in ${RENEWED_DOMAINS}; do if [ "${D}" = "${MY_DOMAIN}" ]; then
my domain + D is necassary ?

[halfgaar]

That should suffice, yes.

The Mosquitto example is just for when there are more domains on the server; that it's only reloaded when the domain is actually for your mqtt server. If you only have one domain, your script is fine. And, an occasional extra reload is also not a problem.

[halfgaar]

It looks like you're all set. Closing the thread.