dylan8902 · dylan8902 · Aug 18, 2025 · Aug 18, 2025
diff --git a/.gitignore b/.gitignore
@@ -32,6 +32,7 @@ config/secrets.yml
 /public/packs
 /public/packs-test
 /public/assets
+/public/.well-known/acme-challenge
 /node_modules
 /yarn-error.log
 yarn-debug.log*

diff --git a/BUILD.md b/BUILD.md
@@ -121,14 +121,18 @@ certbot certonly \
   --agree-tos \
   --email dyl@anjon.es \
   --manual \
-  --preferred-challenges dns \
+  --preferred-challenges http \
   --expand \
   --renew-by-default \
   -d dyl.anjon.es \
   -d ismytraindelayed.com \
   -d isitaproxyproblem.com \
   -d dylanjones.info \
   -d alice-jones.co.uk
+
+# Copy each verification to the public dir
+echo "" > /home/rails/public/.well-known/acme-challenge/
+
 rm dyl.anjon.es.key.old
 rm dyl.anjon.es.crt.old
 cp dyl.anjon.es.crt dyl.anjon.es.crt.old

diff --git a/app/controllers/static_pages_controller.rb b/app/controllers/static_pages_controller.rb
@@ -154,6 +154,7 @@ def webfinger
   # GET /cron.json
   # GET /cron.xml
   def cron
+    Certificate.renew
     Track.update
     PringlesPrice.update
     Gig.update

diff --git a/app/models/certificate.rb b/app/models/certificate.rb
@@ -0,0 +1,78 @@
+require 'openssl'
+require 'fileutils'
+
+
+class Certificate
+
+  def self.renew
+    begin
+      current_cert = OpenSSL::X509::Certificate.new(File.read('/etc/website.crt'))
+
+      if current_cert.not_after > 1.month.from_now
+        Rails.logger.info "Certificate is valid for at least another month (#{current_cert.not_after})"
+        return
+      end
+
+      Rails.logger.info "Renewing certificate"
+
+      private_key = OpenSSL::PKey.read(File.read('/etc/website.key'))
+
+      client = Acme::Client.new(private_key: private_key, directory: 'https://acme-v02.api.letsencrypt.org/directory')
+      account = client.new_account(contact: 'mailto:dyl@anjon.es', terms_of_service_agreed: true)
+
+      domains = [
+        'dyl.anjon.es',
+        'ismytraindelayed.com',
+        'isitaproxyproblem.com',
+        'dylanjones.info',
+        'alice-jones.co.uk'
+      ]
+
+      order = client.new_order(identifiers: domains)
+
+      Rails.logger.info "Removing old challenges"
+      FileUtils.rm_r "public/.well-known/acme-challenge"
+
+      order.authorizations.each do |auth|
+        challenge = auth.http
+        file_path = "public/#{challenge.filename}"
+        dir_path = File.dirname file_path
+        FileUtils.mkdir_p dir_path
+
+        Rails.logger.info "Writing challenge #{file_path}"
+        File.write(file_path, challenge.file_content)
+        challenge.request_validation
+
+        timeout = 30
+        until challenge.status != 'pending' or timeout == 0
+          challenge.reload
+          sleep(2)
+          timeout -= 2
+        end
+      end
+
+      csr = Acme::Client::CertificateRequest.new(names: domains, subject: { common_name: domains.first })
+      order.finalize(csr: csr)
+
+      timeout = 30
+      until order.status != 'processing' or timeout == 0
+        order.reload
+        sleep(1)
+        timeout -= 1
+      end
+
+      Rails.logger.info "Writing new certificate"
+      File.write('/etc/website.crt', order.certificate)
+
+      Rails.logger.info "Reloading nginx"
+      if system('sudo systemctl reload nginx')
+        Rails.logger.info("Reloaded nginx successfully")
+      else
+        Rails.logger.error "Reload of nginx failed. Status #{$?.exitstatus}"
+      end
+    end
+  rescue Exception => e
+    Rails.logger.error "Failed to renew certificate"
+    Rails.logger.error e.message
+  end
+end
diff --git a/app/models/go_daddy_dns.rb b/app/models/go_daddy_dns.rb
diff --git a/bin/deploy b/bin/deploy
@@ -13,6 +13,8 @@ yarn install
 rake assets:precompile RAILS_ENV=production
 bin/webpack
 cp config/server/unicorn /etc/default/unicorn
+cp config/server/nginx /etc/nginx/sites-enabled/default
 chown -R rails /home/rails
 chgrp -R www-data /home/rails
 service unicorn restart
+systemctl reload nginx
diff --git a/config/secrets.yml.example b/config/secrets.yml.example
@@ -21,8 +21,6 @@ defaults: &defaults
   database_password:
   redis_password:
   is_my_train_delayed_page_key:
-  go_daddy_key:
-  go_daddy_secret:
 
 development:
   <<: *defaults

diff --git a/config/server/default b/config/server/default
@@ -34,8 +34,8 @@ server {
   listen [::]:443 ssl http2;
   root /home/rails/public;
   server_name dyl.anjon.es;
-  ssl_certificate /root/dyl.anjon.es.crt;
-  ssl_certificate_key /root/dyl.anjon.es.key;
+  ssl_certificate /etc/website.crt;
+  ssl_certificate_key /etc/website.key;
   ssl_protocols TLSv1.2 TLSv1.3;
   ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
   ssl_prefer_server_ciphers on;