docs: Expand certificate section on the install guide

The install guide mentions that the `certs/` directory can be symlinked, but doesn't cover permissions much, so it's easy for users to be confused (like it happened in https://github.com/albertito/chasquid/issues/26). This patch adds a bit more details on how to set up certificates, to hopefully reduce the chances of confusion.
2025-12-16 14:27:01 +00:00 · 2022-02-27 10:14:08 +00:00
parent d7ca50c3e0
commit 8083e27441
1 changed files with 20 additions and 5 deletions
--- a/docs/install.md
+++ b/docs/install.md
@@ -71,12 +71,27 @@ structure:
  ...
 ```

-Note the certs/ directory layout matches the one from certbot,
-[letsencrypt](https://letsencrypt.org)'s
-default client, so you can just symlink `certs/` to `/etc/letsencrypt/live`.
+### Certificates

-Make sure the user you use to run chasquid under ("mail" in the example
-config) can access the certificates and private keys.
+The certs/ directory layout matches the one from
+[certbot](https://certbot.eff.org/),
+[letsencrypt](https://letsencrypt.org)'s
+default client, to make it easier to integrate.
+
+A convenient way to set this up is:
+
+1) Obtain TLS certificates using `certbot` as needed.
+2) Symlink chasquid's `certs/` to `/etc/letsencrypt/live`:\
+   `sudo ln -s /etc/letsencrypt/live/ /etc/chasquid/certs`
+3) Give chasquid permissions to read the certificates:\
+   `sudo setfacl -R -m u:chasquid:rX /etc/letsencrypt/{live,archive}`
+4) Set up [automatic renewal] to restart chasquid when certificates are
+   renewed.
+
+Please see the [how-to guide](howto.md#tls-certificate) for more detailed
+examples.
+
+[automatic renewal]: https://eff-certbot.readthedocs.io/en/stable/using.html#setting-up-automated-renewal


 ### Adding users