spec.md 1.0 KB
MODIFIED Requirements
Requirement: TLS certificate is provisioned via Let's Encrypt
The trojan role SHALL use certbot to obtain a TLS certificate for the landing server's domain, with automatic renewal. After provisioning or renewal, the certificate and key SHALL be copied to a trojan-owned directory (/etc/trojan-go/tls/) so the service user can read them. The certbot deploy-hook SHALL be placed in /etc/letsencrypt/renewal-hooks/post/ for automatic execution.
Scenario: Certificate provisioning
- WHEN the trojan role runs with a configured domain name
- THEN certbot obtains a TLS certificate for that domain
- THEN the certificate and key are copied to
/etc/trojan-go/tls/owned by the trojan user
Scenario: Certificate auto-renewal
- WHEN the certificate is within 30 days of expiry
- THEN certbot renews it automatically via systemd timer or cron
- THEN a deploy-hook in
/etc/letsencrypt/renewal-hooks/post/copies the renewed certs to/etc/trojan-go/tls/ - THEN the Trojan service is reloaded after renewal