
Using certbot with securityspy

edited September 7 in SecuritySpy

This time last year we got a 1 year certificate for our securityspy server, and sure enough the renewal email wasn't sent to me (and I forgot to renew the cert).

Multi year certificates are a thing of the past, so I decided it's time to automate this.

Initial setup (the parts which might take some time):

# Install brew via instructions on the homebrew site:

# Install certbot for use with letsencrypt
brew install certbot

Now for the certificate itself.

# Assign a variable for later use (placeholder hostname; use your server's public name)
web_fqdn="cam.example.com"

# setup certbot to create an RSA key, like SecuritySpy wants
sudo certbot certonly --key-type rsa --standalone -d "$web_fqdn"
# Loosen file permissions on certbot's files
# (live/privkey.pem is a symlink into archive/, so chgrp/chmod change the real key file)
sudo chmod 0755 /etc/letsencrypt/{live,archive}
sudo chgrp "$(id -gn)" "/etc/letsencrypt/live/$web_fqdn/privkey.pem"
sudo chmod 0640 "/etc/letsencrypt/live/$web_fqdn/privkey.pem"
# create symlinks so that SecuritySpy can find the files it wants
# if these fail, move any existing ssl components out of the way and try again
ln -s "/etc/letsencrypt/live/$web_fqdn/chain.pem" "$HOME/SecuritySpy/ca-bundle.crt"
ln -s "/etc/letsencrypt/live/$web_fqdn/privkey.pem" "$HOME/SecuritySpy/server.key"
ln -s "/etc/letsencrypt/live/$web_fqdn/cert.pem" "$HOME/SecuritySpy/server.crt"
# setup certbot to run automatically (via cron as currently suggested by letsencrypt)
# "renew" reuses the standalone authenticator, so port 80 must be free whenever a renewal actually runs
echo "0 0,12 * * * root $(command -v python3) -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo $(command -v certbot) renew -q" | sudo tee -a /etc/crontab > /dev/null

There are a few assumptions I'm making here:

  • You're logged in as the user running SecuritySpy
  • Port 80 is forwarded to this server, and nothing else is using port 80
  • If these aren't true, the simplest solution IMO is to use a DNS plugin, but it's outside the scope of this post
  • You don't care about the fact that you're leaving the private key readable to users logged in to this computer

The only part I don't have automated is how to tell SecuritySpy to reload the files. Clearly the "auto restart daily" option would do the trick, as would sending a `killall` and relaunching.

I'd love some pointers for this last mile: a script I could put into certbot's `renewal-hooks/deploy`, or some other idea.
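A deploy hook for the procedure in the post above, written here as an added example (it is not code from the post or from SecuritySpy). After each renewal it re-applies the group/mode loosening to the new privkey.pem, checks that the renewed key is still RSA and matches the certificate, and confirms the symlinks still point at the renewed lineage. It does not restart SecuritySpy, which (as the reply below explains) picks up a changed server.crt on its own. It relies on the RENEWED_LINEAGE variable certbot exports to deploy hooks; SPY_GROUP and SPY_DIR are names I chose for this example, not anything from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from SecuritySpy.
# certbot deploy hook: runs as root after a successful renewal with
# RENEWED_LINEAGE=/etc/letsencrypt/live/<name> in the environment.
# SPY_GROUP / SPY_DIR are this example's own names (assumptions):
# the group of the SecuritySpy user and the folder holding the symlinks.
# Note: under certbot $HOME is root's, so set SPY_DIR explicitly in practice.
SPY_GROUP="${SPY_GROUP:-staff}"
SPY_DIR="${SPY_DIR:-$HOME/SecuritySpy}"

# Return 0 if the PEM file holds an RSA private key (what SecuritySpy wants).
# PKCS#1 keys say so in the header; PKCS#8 keys need openssl to identify them.
is_rsa_key() {
    grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$1" && return 0
    openssl pkey -in "$1" -noout -text 2>/dev/null | grep -q '^RSA Private-Key'
}

# Return 0 if the certificate's modulus equals the key's modulus
# (i.e. certbot really did renew this cert with this key).
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Re-apply the permissions from the post to the renewed key. chgrp/chmod
# follow the live/ symlink, so the new file in archive/ is what changes.
# Prints the resulting mode string (ls -L dereferences the symlink).
fix_key_perms() {
    lineage="$1"; group="$2"
    chgrp "$group" "$lineage/privkey.pem" || return 1
    chmod 0640 "$lineage/privkey.pem" || return 1
    ls -lL "$lineage/privkey.pem" | cut -c1-10
}

# Print "ok" only if SecuritySpy's three symlinks resolve into this lineage.
links_point_at() {
    lineage="$1"; dir="$2"
    for pair in cert.pem:server.crt privkey.pem:server.key chain.pem:ca-bundle.crt; do
        src="${pair%%:*}"; dst="${pair##*:}"
        [ "$(readlink "$dir/$dst")" = "$lineage/$src" ] || return 1
    done
    echo ok
}

# Hook body: only runs when certbot invoked us (RENEWED_LINEAGE set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    is_rsa_key "$RENEWED_LINEAGE/privkey.pem" \
        || { echo "renewed key is not RSA; SecuritySpy will reject it" >&2; exit 1; }
    key_matches_cert "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/cert.pem" \
        || { echo "renewed key does not match cert.pem" >&2; exit 1; }
    fix_key_perms "$RENEWED_LINEAGE" "$SPY_GROUP" >/dev/null
    links_point_at "$RENEWED_LINEAGE" "$SPY_DIR" >/dev/null \
        || echo "warning: symlinks in $SPY_DIR do not point at $RENEWED_LINEAGE" >&2
fi
```

Save it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ with SPY_GROUP and SPY_DIR set for your machine. A `certbot renew --dry-run` does not run deploy hooks by default, so exercise it by hand once: `sudo SPY_DIR=$HOME/SecuritySpy RENEWED_LINEAGE=/etc/letsencrypt/live/$web_fqdn sh /etc/letsencrypt/renewal-hooks/deploy/securityspy.sh` and check that the key's mode and group come out as the post intends.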


  • I presume you're using this method so that you can use your own domain name, instead of SecuritySpy's "" domain? This is a valid use case, however just to clarify for other users: if you set up your own "" address for SecuritySpy under Settings > Web, SecuritySpy will automatically create and maintain valid SSL certificates for you, so you won't have to use certbot or any other method.

    It's also worth noting that for users who want to use their own domain name, our Certy utility provides a very easy way to do this.

    When using certbot or Certy, nothing needs to be done to tell SecuritySpy that a new certificate is available - it checks for changes to the certificate at ~/SecuritySpy/server.crt every 10 minutes, and will load the new one automatically.

  • edited September 7

    Correct. I needed to use a "vanity" URL in a particular domain name.

    I looked at Certy, but it seems I need to change DNS providers. While it's possible to use Zonomi for just one FQDN, it's not a typical dns configuration, and I didn't feel like creating yet another account for another service (even if it is free for one domain).

    Thanks for the info about SecuritySpy auto-refreshing its certificates. I'm constantly impressed by the "little nice things" baked into SecuritySpy. Bravo.

    So, to anyone reading my initial post: that part about the "last mile" is already handled within SecuritySpy.

    Of note, the "hard parts" here are:

    • Knowing to add --key-type rsa to the certbot command, because SecuritySpy is expecting a key in RSA format
    • Knowing which filenames certbot uses, and how they map to what SS uses (this is handled in the symlink creation I documented above)
  • That makes sense - if you want to use your own domain, and don't want to change DNS providers, then certbot is the way to go.

    Thanks for your kind words about the software!

  • Thanks for the reminder about renewals with certbot. I'm still manual, but that cron command is going to be helpful.
