Hi Jesse, Nigel,
> Only the nnrpd process that uses the -S flag needs to be restarted. I use the
> following post-renewal hook for letsencrypt, it is simple but it works.
Are you sure that hook is really needed? When not restarting nnrpd,
running as a daemon, after a renewal of certificate, did you find an issue?
I'm also using Let's Encrypt certificates, automatically renewed by
Certbot, and I do not restart nnrpd. When a new connection arrives for
a news client, nnrpd forks and it is that fork which reads the
certificates, and therefore will take into account the new one. The
running daemon does not have them in memory.
Same thing as readers.conf by the way: you don't have to restart the
nnrpd daemon to take a change in readers.conf into account.
FWIW, my configuration with a 3072-bit RSA key (seems like what will be
the most widely supported by clients):
% cat news.trigofacile.com.conf
version = 1.12.0
archive_dir = /etc/letsencrypt/archive/news.trigofacile.com
cert = /etc/letsencrypt/live/news.trigofacile.com/cert.pem
privkey = /etc/letsencrypt/live/news.trigofacile.com/privkey.pem
chain = /etc/letsencrypt/live/news.trigofacile.com/chain.pem
fullchain = /etc/letsencrypt/live/news.trigofacile.com/fullchain.pem
[renewalparams]
account = xxx
key_type = rsa
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
rsa_key_size = 3072
And inn.conf:
tlscapath: /etc/letsencrypt/live/news.trigofacile.com
tlscertfile: /etc/letsencrypt/live/news.trigofacile.com/fullchain.pem
tlskeyfile: /etc/letsencrypt/live/news.trigofacile.com/privkey.pem
Make sure that the permission rights are properly set so that the news
user or the news group can read these *directories* and *files*, and
that the private key is not world-readable.
--
Julien ÉLIE
« Prouidentia, dum ortum ante obitum ponit, sapienter fecit, sin autem
quid uitae sit notum ? » (Alphonse Allais)
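As an added example (not part of the mail above, nor of INN or Certbot), here is a small POSIX shell check for the point Julien makes at the end: since each forked nnrpd reads the certificate files afresh, what matters is that the news user can traverse the directories and read the files, and that the private key is not world-readable. The paths in the `--run` branch are assumptions copied from the inn.conf shown in the mail; run the script as the news user (for instance `su news -s /bin/sh -c './check-tls-perms.sh --run'`) so that the readability tests reflect what nnrpd will actually see, because as root `test -r` succeeds on everything.

```shell
#!/bin/sh
# Added example: check the TLS files nnrpd reads when it forks for a new connection.
# Not part of the original mail; the /etc/letsencrypt paths below are assumptions
# mirroring the inn.conf quoted there.

# Returns 0 when "others" have no read bit on the given path, 1 otherwise.
# The ls mode column is used so that this works on both GNU and BSD userlands.
not_world_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 1 ;;
        *) return 0 ;;
    esac
}

# check_tls_files TLSCAPATH TLSCERTFILE TLSKEYFILE
# Prints one line per problem found and returns 1 if there was any, 0 otherwise.
check_tls_files() {
    capath=$1 certfile=$2 keyfile=$3
    problems=0

    # The directory must exist and be searchable by the user running this check.
    # Note that /etc/letsencrypt/live/<name>/*.pem are normally symlinks into
    # ../../archive/<name>/, so the readability tests below also exercise the
    # archive directory, which must be traversable as well.
    if [ ! -d "$capath" ] || [ ! -x "$capath" ]; then
        echo "tlscapath not traversable: $capath"
        problems=$((problems + 1))
    fi

    for f in "$certfile" "$keyfile"; do
        if [ ! -r "$f" ]; then
            echo "not readable by $(id -un): $f"
            problems=$((problems + 1))
        fi
    done

    # The private key must never be readable by everyone.
    if [ -e "$keyfile" ] && ! not_world_readable "$keyfile"; then
        echo "private key is world-readable: $keyfile"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Standalone usage with the (assumed) paths from inn.conf in the mail.
if [ "${1:-}" = "--run" ]; then
    check_tls_files /etc/letsencrypt/live/news.trigofacile.com \
        /etc/letsencrypt/live/news.trigofacile.com/fullchain.pem \
        /etc/letsencrypt/live/news.trigofacile.com/privkey.pem \
        && echo "TLS files look fine"
fi
```

A convenient place for this check is the same Certbot deploy or post-renewal hook Jesse mentioned: run it right after renewal (as the news user) so that a permission regression in the archive directory is noticed before the next client connects rather than when nnrpd fails to serve the new certificate.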