MODIFIED Requirements
Requirement: TLS certificate is provisioned via Let's Encrypt
The trojan role SHALL use certbot to obtain a TLS certificate for the domain configured on each individual host. The trojan role SHALL ensure port 80 is allowed through UFW before attempting certificate provisioning. After provisioning or renewal, the certificate and key SHALL be copied to /etc/trojan-go/tls/ so the service user can read them.
Scenario: Certificate provisioning with UFW allowing port 80
- WHEN the trojan role runs on a host with trojan_domain configured
- THEN port 80 is allowed through UFW before certbot attempts ACME validation
- THEN certbot obtains a TLS certificate for the configured domain
- THEN the certificate and key are copied to /etc/trojan-go/tls/ owned by the trojan service user
Scenario: Certificate provisioning on a second host with different domain
- WHEN the trojan role runs on a host with trojan_domain: "proxy2.example.com"
- THEN certbot obtains a TLS certificate for proxy2.example.com
- THEN the certificate is independent of the certificates on other hosts
Scenario: Certificate auto-renewal
- WHEN the certificate is within 30 days of expiry
- THEN certbot renews it automatically
- THEN a deploy-hook copies the renewed certs to /etc/trojan-go/tls/
- THEN the Trojan service is reloaded after renewal
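The following deploy-hook script is an added example illustrating the copy step of the provisioning scenario and the auto-renewal scenario above; it is not the trojan role's own code. It assumes certbot invokes it via --deploy-hook (so RENEWED_LINEAGE points at the renewed lineage directory, e.g. /etc/letsencrypt/live/proxy2.example.com), and it uses placeholder names for the service user (TROJAN_USER, default "trojan") and the systemd unit (TROJAN_SERVICE, default "trojan-go"), both overridable through the environment. The copy refuses to run if either source file is missing or empty, so a failed renewal can never replace a working certificate with a broken one, and the private key is installed with mode 0640 so only the owner and the service user's group can read it.

```shell
#!/bin/sh
# Added example deploy-hook for certbot (not the trojan role's own code).
# Assumed placeholders: TROJAN_USER is the service user, TROJAN_SERVICE the
# systemd unit; TROJAN_TLS_DIR matches the path in the requirement above.
set -eu

TROJAN_TLS_DIR="${TROJAN_TLS_DIR:-/etc/trojan-go/tls}"
TROJAN_USER="${TROJAN_USER:-trojan}"           # assumption: service user name
TROJAN_SERVICE="${TROJAN_SERVICE:-trojan-go}"  # assumption: systemd unit name

# install_trojan_certs LINEAGE DEST [OWNER]
# Copies fullchain.pem and privkey.pem from a certbot lineage directory into
# DEST with restrictive modes. Aborts before touching DEST if either source
# file is missing or empty, so a broken renewal never overwrites good certs.
install_trojan_certs() {
    lineage="$1"
    dest="$2"
    owner="${3:-}"

    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$lineage/$f" ]; then
            echo "install_trojan_certs: $lineage/$f missing or empty, aborting" >&2
            return 1
        fi
    done

    mkdir -p "$dest"
    chmod 750 "$dest"
    # Write to a temporary name and rename, so the service never reads a
    # partially written certificate or key.
    for f in fullchain.pem privkey.pem; do
        cp "$lineage/$f" "$dest/$f.tmp"
        mv "$dest/$f.tmp" "$dest/$f"
    done
    chmod 644 "$dest/fullchain.pem"
    chmod 640 "$dest/privkey.pem"   # key: owner rw, group r, no world access
    if [ -n "$owner" ]; then
        # Group matches the user name (assumption: a matching primary group).
        chown -R "$owner:$owner" "$dest"
    fi
    return 0
}

# certs_match LINEAGE DEST
# Succeeds only when both installed files are byte-identical to the lineage,
# a cheap post-copy check worth logging from the hook.
certs_match() {
    cmp -s "$1/fullchain.pem" "$2/fullchain.pem" &&
        cmp -s "$1/privkey.pem" "$2/privkey.pem"
}

# certbot exports RENEWED_LINEAGE when it runs a deploy hook. When the script
# is sourced for testing, the variable is unset and nothing below executes.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_trojan_certs "$RENEWED_LINEAGE" "$TROJAN_TLS_DIR" "$TROJAN_USER"
    certs_match "$RENEWED_LINEAGE" "$TROJAN_TLS_DIR"
    # Reload so the running service picks up the new cert; fall back to a
    # restart if the unit does not support reload.
    systemctl reload "$TROJAN_SERVICE" || systemctl restart "$TROJAN_SERVICE"
fi
```

To use it with the provisioning flow described by the requirement, install the script as, for example, /etc/letsencrypt/renewal-hooks/deploy/trojan-go.sh (an assumed path) with mode 0755, and pass the same path as --deploy-hook on the initial certbot certonly run so the first provisioning and every later renewal go through the same copy-and-reload path.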