From: Victor Sudakov
Date: Sun, 8 Sep 2019 21:58:35 +0700
Subject: Let's Encrypt

Dear Colleagues,

Which client is now recommended to work with Let's Encrypt?

I see numerous clients in the ports tree, some deleted, some renamed...
Which one is good?
-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet
http://vas.tomsk.ru/

From: Andrea Venturoli
Date: Sun, 8 Sep 2019 18:16:48 +0200
Subject: Re: Let's Encrypt

On 2019-09-08 16:58, Victor Sudakov wrote:
> Dear Colleagues,
>
> Which client is now recommended to work with Let's Encrypt?
>
> I see numerous clients in the ports tree, some deleted, some renamed...
> Which one is good?

I'm happy with acme.sh.
Don't know about the others.

 bye
	av.
From: Reshad Patuck
Date: Mon, 09 Sep 2019 08:36:21 +0530
Subject: Re: Let's Encrypt

Hi,

I've been using certbot for quite some time. No complaints here.

https://www.freshports.org/security/py-certbot/

Reshad

On 8 September 2019 9:46:48 pm IST, Andrea Venturoli wrote:
>On 2019-09-08 16:58, Victor Sudakov wrote:
>> Dear Colleagues,
>>
>> Which client is now recommended to work with Let's Encrypt?
>>
>> I see numerous clients in the ports tree, some deleted, some
>renamed...
>> Which one is good?
>
>I'm happy with acme.sh.
>Don't know about the others.
>
> bye
> av.
From: Victor Sudakov
Date: Mon, 9 Sep 2019 16:06:05 +0700
Subject: Re: Let's Encrypt

Victor Sudakov wrote:
>
> Which client is now recommended to work with Let's Encrypt?
>
> I see numerous clients in the ports tree, some deleted, some renamed...
> Which one is good?

It is interesting how several people advised different software:
py-certbot, acme.sh, dehydrated. The majority is for py-certbot, so
I'll probably use it. Thank you.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet
http://vas.tomsk.ru/
From: Trond Endrestøl
Date: Mon, 9 Sep 2019 12:12:55 +0200 (CEST)
Subject: Re: Let's Encrypt

On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote:

> The majority is for py-certbot, so I'll probably use it. Thank you.

I have found it prudent to run certbot twice a month from cron(8),
just to be safe.

Last year, I had one case where the certificate expired a few hours
before the next run of certbot. Had I run certbot on the 1st and on
the 15th day of each month, then the certificates would have been
updated ahead of their expiration.

E.g.:

#minute hour    mday    month   wday    who     command

52      4       1       *       *       root    certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
52      1       15      *       *       root    certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

-- 
Trond.
From: Vladimir Botka
Date: Mon, 9 Sep 2019 13:28:57 +0200
Subject: Re: Let's Encrypt

On Mon, 9 Sep 2019 12:12:55 +0200 (CEST)
Trond Endrestøl wrote:

> On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote:
>
> > The majority is for py-certbot, so I'll probably use it. Thank you.
>
> I have found it prudent to run certbot twice a month from cron(8),
> just to be safe.
>
> Last year, I had one case where the certificate expired a few hours
> before the next run of certbot. Had I run certbot on the 1st and on
> the 15th day of each month, then the certificates would have been
> updated ahead of their expiration.
>
> E.g.:
>
> #minute hour mday month wday who command
>
> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

I believe --dry-run renewal is encouraged. Both for testing on the
development side and to be sure all is running well on the user's side.
See "Help us test renewal with “letsencrypt renew”"
https://community.letsencrypt.org/t/help-us-test-renewal-with-letsencrypt-renew/10562

Q. What’s the new --dry-run flag?

A. The new --dry-run flag for both certonly and renew performs the
certificate request(s) against the staging server, which issues test
certificates that are not trusted by browsers. This verifies whether
you’re apparently able to get a certificate, in your current
configuration, using the method that you specified (for example, if you
were using webroot authentication, whether your webroot configuration is
capable of being validated by the CA). With --dry-run, the certificates
obtained are not actually saved to disk and your configuration is not
updated. You can use this to simulate what would apparently happen if
you ran the command without --dry-run.

FWIW, here is the link to my wrappers for certbot (last update June 2018)
https://github.com/vbotka/le-utils

For example below is a fragment from crontab.
1) Daily send email with certificates that expire within 30 days.
2) Daily dry-run renew all certificates.
3) Daily renew certificates that expire within 30 days.

#Ansible: check expiry of certificates
15 2 * * * /root/bin/leinfo -e --Days=30 -a
#Ansible: dry-run renewal of certificates
20 2 * * * /root/bin/lectl -s -n -c -a
#Ansible: renewal of certificates
20 3 * * * /root/bin/lectl -s -D=30 -c -a && /root/bin/lectl -s -p && /root/bin/leinfo -s -g -a

If all is right I get only emails with the renewals.
Cheers,

-vlado
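Both Trond's report (a certificate that ran out a few hours before the next cron run) and Vlado's daily leinfo expiry report come down to one check: how many days the certificate actually on disk has left before the renewal job fires. The following is an added example, not code from this thread, from certbot or from le-utils. It is a stdlib-only Python check that walks the DER structure of a PEM or DER certificate to its Validity field and classifies the certificate as ok / renew / expired against a 30-day window (certbot's default renewal threshold). The sample certificate it builds is constructed here with a dummy key and signature, and the name example.test and the 2019-09-08 to 2019-12-07 validity period are assumptions chosen to match the thread's dates, not a real Let's Encrypt certificate.

```python
# Added example (not from this thread, certbot or le-utils): stdlib-only check
# of a certificate's Validity field, to drive the renew/no-renew decision in cron.
import ssl
from datetime import datetime, timedelta, timezone

SEQUENCE, CONTEXT_0, UTC_TIME, GENERALIZED_TIME = 0x30, 0xA0, 0x17, 0x18


def read_tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value_start, value_end); single-byte tags only."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + header, pos + header + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, end                # end is also where the next sibling starts

def parse_time(tag, raw):
    """RFC 5280 Time: UTCTime YYMMDDHHMMSSZ (YY >= 50 means 19YY) or GeneralizedTime YYYYMMDDHHMMSSZ."""
    text = raw.decode("ascii")
    if tag == UTC_TIME:
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != GENERALIZED_TIME:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def to_der(cert):
    """Accept PEM (str or bytes) or raw DER bytes; return DER bytes."""
    if isinstance(cert, bytes) and cert.startswith(b"-----BEGIN"):
        cert = cert.decode("ascii")
    return ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert

def validity(cert):
    """Walk Certificate -> TBSCertificate -> Validity; return (notBefore, notAfter) in UTC."""
    der = to_der(cert)
    _, cert_body, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, cert_body)          # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == CONTEXT_0:                          # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                            # serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    tag, vstart, _ = read_tlv(der, pos)
    if tag != SEQUENCE:
        raise ValueError("Validity not found where expected")
    t1, a, b = read_tlv(der, vstart)
    t2, c, d = read_tlv(der, b)
    return parse_time(t1, der[a:b]), parse_time(t2, der[c:d])

def days_left(cert, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    return (validity(cert)[1] - now) // timedelta(days=1)

def renewal_status(cert, now, renew_within_days=30):
    """'expired', 'renew' (inside the renewal window) or 'ok'."""
    remaining = validity(cert)[1] - now
    if remaining <= timedelta(0):
        return "expired"
    return "renew" if remaining < timedelta(days=renew_within_days) else "ok"

def at(day):
    """Midnight UTC of an ISO date, e.g. at('2019-09-08')."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)

# --- constructed sample: a certificate shell with a dummy key and signature ---
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert_der(not_before=b"190908000000Z", not_after=b"191207000000Z"):
    """90-day shell for the assumed name example.test; unsigned, so trusted by nothing."""
    null = der_encode(0x05, b"")
    sha256_rsa = der_encode(SEQUENCE, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + null)
    rsa = der_encode(SEQUENCE, der_encode(0x06, bytes.fromhex("2a864886f70d010101")) + null)
    cn = der_encode(SEQUENCE, der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, b"example.test"))
    name = der_encode(SEQUENCE, der_encode(0x31, cn))
    dummy_bits = der_encode(0x03, b"\x00" * 17)   # BIT STRING, zero unused bits, all-zero payload
    tbs = der_encode(SEQUENCE,
                     der_encode(CONTEXT_0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + sha256_rsa + name
                     + der_encode(SEQUENCE, der_encode(UTC_TIME, not_before) + der_encode(UTC_TIME, not_after))
                     + name + der_encode(SEQUENCE, rsa + dummy_bits))
    return der_encode(SEQUENCE, tbs + sha256_rsa + dummy_bits)

def sample_cert_pem():
    return ssl.DER_cert_to_PEM_cert(sample_cert_der())
```

In a cron job you would point days_left() and renewal_status() at the cert.pem certbot keeps for each certificate and alert whenever the status is anything but "ok"; checking the file on disk, rather than trusting that the schedule ran, is what catches the case Trond describes. Parsing only the Validity field is deliberate: the script never verifies the signature or chain, so it is an expiry monitor, not a trust decision.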
K6TjHEHLKnLxrXdC6wIASW2LS8EnmYt/qr96UW17BUwsHUIEKfjvb566IVaJkGr7CYT8 47h7fRvsOHH1BEOyAE6mVJd3qL+UTx9YPKqGg67oRnb1kK9A5KiATqaXG116pgS77tps aDfSt4QWPJuea+RKDfikx+SM7NCwQrSgffy94+9eUqgAo7tNbISAXyKhPeFnRzs6yceX avqw== X-Gm-Message-State: APjAAAV93/WXdf9Zoa34mFJyodRlPf7SqlbsPqd/jXZZ4CcAPjFcBaFE dNrrqrcCpYBv6u+VDCt9LusL+G4mIOOJ65wKJFmQD66a X-Google-Smtp-Source: APXvYqyda7Ggw+1aU9IZcR3H+RlPhqWZ8LJzI9ObwrH7ACoc+hNfVCSZdnnhunfM80Xtwg3bvkITYoWR28sB/oZTVcc= X-Received: by 2002:a65:5c4b:: with SMTP id v11mr21553972pgr.62.1568029858969; Mon, 09 Sep 2019 04:50:58 -0700 (PDT) MIME-Version: 1.0 References: <20190908145835.GA67269@admin.sibptus.ru> In-Reply-To: <20190908145835.GA67269@admin.sibptus.ru> From: Thomas Zander Date: Mon, 9 Sep 2019 13:50:47 +0200 Message-ID: Subject: Re: Let's Encrypt To: Victor Sudakov Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 46RmhP1HDxz3MlN X-Spamd-Bar: -- X-Spamd-Result: default: False [-3.00 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[googlemail.com:s=20161025]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; FREEMAIL_FROM(0.00)[googlemail.com]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; IP_SCORE_FREEMAIL(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[googlemail.com:+]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[c.2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; IP_SCORE(0.00)[ip: (-9.25), ipnet: 2607:f8b0::/32(-2.74), asn: 15169(-2.27), country: US(-0.05)]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; TAGGED_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: 
On Sun, 8 Sep 2019 at 16:58, Victor Sudakov wrote:
> Which client is now recommended to work with Let's Encrypt?
>
> I see numerous clients in the ports tree, some deleted, some renamed...
> Which one is good?

I use net/traefik as a reverse proxy. It has Let's Encrypt support built-in, see
https://docs.traefik.io/configuration/acme/

Riggs

From owner-freebsd-security@freebsd.org Mon Sep 9 12:26:26 2019
From: Dan Langille
Date: Mon, 09 Sep 2019 08:26:02 -0400
To: Thomas Zander via freebsd-security
Subject: Re: Let's Encrypt
References: <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru>

On Mon, Sep 9, 2019, at 6:12 AM, Trond Endrestøl wrote:
> On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote:
>
> > The majority is for py-certbot, so I'll probably use it. Thank you.
>
> I have found it prudent to run certbot twice a month from cron(8),
> just to be safe.
>
> Last year, I had one case where the certificate expired a few hours
> before the next run of certbot. Had I run certbot on the 1st and on
> the 15th day of each month, then the certificates would have been
> updated ahead of their expiration.
>
> E.g.:
>
> #minute hour    mday    month   wday    who     command
>
> 52      4       1       *       *       root    certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> 52      1       15      *       *       root    certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues.

I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire.

Should the cert-renewal process not run on a given day, no big deal, it runs the next day. I had considered running it less frequently, but settled on daily.

--
Dan Langille
dan@langille.org

From owner-freebsd-security@freebsd.org Mon Sep 9 12:30:27 2019
From: Andrea Venturoli
Date: Mon, 9 Sep 2019 14:30:15 +0200
To: Dan Langille, Thomas Zander via freebsd-security
Subject: Re: Let's Encrypt
Message-ID: <4fd6edce-5180-aab4-e265-bf30841d2065@netfence.it>

On 2019-09-09 14:26, Dan Langille wrote:
> Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues.
>
> I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire.
Same here: Nagios will alert me in case acme.sh is not doing its job (daily), although this has almost never happened.

bye
av.

From owner-freebsd-security@freebsd.org Mon Sep 9 12:36:52 2019
From: Dan Langille
Date: Mon, 9 Sep 2019 08:36:49 -0400
To: Andrea Venturoli
Cc: freebsd-security@freebsd.org
Subject: Re: Let's Encrypt
Message-Id: <570B03B2-AAE8-4C1E-A853-5CC481FBF887@langille.org>
In-Reply-To: <4fd6edce-5180-aab4-e265-bf30841d2065@netfence.it>

> On Sep 9, 2019, at 8:30 AM, Andrea Venturoli wrote:
>
> On 2019-09-09 14:26, Dan Langille wrote:
>
>> Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues.
>> I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire.
>
> Same here: Nagios will alert me in case acme.sh is not doing its job (daily), although this has almost never happened.

My Nagios alerts are on the certs. It monitors the certs on the services: e.g. www.freshports.org

Those alerts let me know if there are any issues in the cert distribution chain: my certs are renewed on one host, and then automagically deployed across multiple servers (and jails on other hosts).

I do not have Nagios monitoring day-to-day runs of acme.sh.

I use the (relatively new) notify feature on acme.sh to tell me if there were any errors during the renewal process: https://github.com/Neilpang/acme.sh/wiki/notify

Some might think: that's not good enough. What if cert fails to run and the certs don't get renewed in time?

Monitoring of the deployed scripts will let me know of that. Certs are renewed with 30 days remaining. Alerts trigger at 28-days. That is enough time to fix anything broken.

--
Dan Langille
http://langille.org/

From owner-freebsd-security@freebsd.org Mon Sep 9 14:04:03 2019
From: Andrea Venturoli
Date: Mon, 9 Sep 2019 16:03:57 +0200
To: Dan Langille
Cc: freebsd-security@freebsd.org
Subject: Re: Let's Encrypt
In-Reply-To: <570B03B2-AAE8-4C1E-A853-5CC481FBF887@langille.org>

On 2019-09-09 14:36, Dan Langille wrote:
> My Nagios alerts are on the certs.  It monitors the certs on the
> services: e.g. www.freshports.org

Sure. Probably I wasn't clear: Nagios looks at the certificates in my case too.
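The monitoring Dan Langille and Andrea Venturoli describe above, written out as an added example; this is not part of the thread and is not either poster's Nagios configuration. It is a POSIX sh check in the Nagios plugin convention (exit 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) that pulls the leaf certificate a service actually presents, so it catches the case Dan worries about, a renewal that succeeded on the ACME host but never reached the server, and warns when fewer than a chosen number of days remain (28 in his setup, against a 30-day renewal margin). It needs only openssl(1) from base; `-checkend` does the date arithmetic, so the same script runs unchanged on FreeBSD and Linux. The host name and threshold in the usage comment are placeholders.

```shell
#!/bin/sh
# check_tls_expiry: Nagios-style certificate lifetime check.
# Added example, not from the freebsd-security thread. Needs only openssl(1).
set -u

# check_cert_file PEMFILE WARN_DAYS
# Exit status in the Nagios plugin convention:
#   0 OK        notAfter is more than WARN_DAYS away
#   1 WARNING   notAfter is within WARN_DAYS
#   2 CRITICAL  certificate has already expired
#   3 UNKNOWN   file is not a parseable certificate
check_cert_file() {
    pem=$1
    warn=$2
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "UNKNOWN - cannot parse certificate in $pem"
        return 3
    fi
    notafter=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
    # -checkend N succeeds only if the cert is still valid N seconds from now.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "CRITICAL - certificate expired ($notafter)"
        return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend $((warn * 86400)) >/dev/null 2>&1; then
        echo "WARNING - certificate expires within $warn days ($notafter)"
        return 1
    fi
    echo "OK - certificate valid for more than $warn days ($notafter)"
    return 0
}

# fetch_cert HOST [PORT] [SNI]
# Print the leaf certificate the service presents. Checking the live
# service rather than the file on disk is what catches a broken deployment.
fetch_cert() {
    host=$1
    port=${2:-443}
    sni=${3:-$1}
    openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# check_service HOST WARN_DAYS [PORT]
check_service() {
    tmp=$(mktemp) || return 3
    if ! fetch_cert "$1" "${3:-443}" >"$tmp" || ! [ -s "$tmp" ]; then
        rm -f "$tmp"
        echo "UNKNOWN - could not fetch a certificate from $1:${3:-443}"
        return 3
    fi
    check_cert_file "$tmp" "$2"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage from a Nagios command definition or by hand (placeholder host):
#   check_service www.example.org 28
```

Point one Nagios service definition at check_service per public host; on the ACME host itself, check_cert_file on the live fullchain.pem gives the same exit codes for the file that was renewed but not yet distributed.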
From owner-freebsd-security@freebsd.org Tue Sep 10 00:52:40 2019
From: Victor Sudakov
Date: Tue, 10 Sep 2019 07:52:31 +0700
To: freebsd-security@freebsd.org
Subject: Re: Let's Encrypt
Message-ID: <20190910005231.GA23163@admin.sibptus.ru>

Trond Endrestøl wrote:
>
> #minute hour    mday    month   wday    who     command
>
> 52      4       1       *       *       root    certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> 52      1       15      *       *       root    certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

Is it safe to run certbot as root?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

From owner-freebsd-security@freebsd.org Tue Sep 10 01:10:41 2019
From: Micheas Herman
Date: Mon, 9 Sep 2019 18:10:26 -0700
To: Victor Sudakov
Cc: freebsd-security@freebsd.org
Subject: Re: Let's Encrypt
In-Reply-To: <20190910005231.GA23163@admin.sibptus.ru>

You would ideally create a certbot user that has just the permissions it needs.

It has a fairly decent security history. So it's probably not the worst to run as root in a limited manner.

On Mon, Sep 9, 2019, 5:52 PM Victor Sudakov wrote:
> Trond Endrestøl wrote:
> >
> > #minute hour    mday    month   wday    who     command
> >
> > 52      4       1       *       *       root    certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> > 52      1       15      *       *       root    certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>
> Is it safe to run certbot as root?
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> 2:5005/49@fidonet http://vas.tomsk.ru/

From owner-freebsd-security@freebsd.org Tue Sep 10 08:08:48 2019
X-Authentication-Warning: enterprise.ximalas.info: trond owned process doing -bs Date: Tue, 10 Sep 2019 10:08:39 +0200 (CEST) From: =?UTF-8?Q?Trond_Endrest=C3=B8l?= Sender: Trond.Endrestol@ximalas.info To: Victor Sudakov cc: freebsd-security@freebsd.org Subject: Re: Let's Encrypt In-Reply-To: <20190910005231.GA23163@admin.sibptus.ru> Message-ID: References: <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <20190910005231.GA23163@admin.sibptus.ru> User-Agent: Alpine 2.21.99999 (BSF 352 2019-06-22) OpenPGP: url=http://ximalas.info/about/tronds-openpgp-public-key MIME-Version: 1.0 X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on enterprise.ximalas.info X-Rspamd-Queue-Id: 46SHjW3Lt1z46x5 X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=ximalas.info header.s=default header.b=n1r177NC; dmarc=pass (policy=none) header.from=ximalas.info; spf=pass (mx1.freebsd.org: domain of trond.endrestol@ximalas.info designates 2001:700:1100:1::8 as permitted sender) smtp.mailfrom=trond.endrestol@ximalas.info X-Spamd-Result: default: False [-3.63 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[ximalas.info:s=default]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+a:c]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[multipart/mixed,text/plain]; HAS_XAW(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[ximalas.info:+]; CTYPE_MIXED_BOGUS(1.00)[]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[ximalas.info,none]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:224, ipnet:2001:700::/32, country:NO]; IP_SCORE(-1.63)[ip: (-6.98), ipnet: 2001:700::/32(-0.66), asn: 224(-0.49), country: NO(-0.01)] Content-Type: text/plain; charset=UTF-8 

On Tue, 10 Sep 2019 07:52+0700, Victor Sudakov wrote:

> Trond Endrestøl wrote:
> >
> > #minute hour mday month wday who command
> >
> > 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> > 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>
> Is it safe to run certbot as root?

It needs access to TCP port 443 to run some checks. Hence the need to
stop and start apache or your other regular webserver.

-- 
Trond.

From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Tue, 10 Sep 2019 11:20:05 +0200
To: Victor Sudakov, freebsd-security@freebsd.org
Subject: Re: Let's Encrypt
Message-ID: <549e2c7a-8222-7ae0-e6bc-233ae65d5a60@quip.cz>
In-Reply-To: <20190910005231.GA23163@admin.sibptus.ru>
References: <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <20190910005231.GA23163@admin.sibptus.ru>

Victor Sudakov wrote on 2019/09/10 02:52:
> Trond Endrestøl wrote:
>>
>> #minute hour mday month wday who command
>>
>> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>
> Is it safe to run certbot as root?

I cannot recommend running things like this as root. I am using acme.sh
running as an unprivileged user, and only the deployment of the new /
renewed key is run as root through sudo.
I don't know certbot well; acme.sh allows using shell scripts as hooks
for actions like deployment, so it was really simple to separate cert
signing and deployment of the new cert.

Kind regards
Miroslav Lachman
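The following is an added, constructed example (not code from this thread, and not part of acme.sh or certbot) of the split Miroslav Lachman describes: the ACME client runs as an unprivileged user, and the only thing that runs as root is a small, argument-free deploy helper reachable through one exact sudoers rule. It also shows why the stop/start hooks in Trond's crontab are not needed once the challenge is answered from the webroot: the root-side step only reloads the server. The user name `acme`, the directories under `/var/db/acme` and `/usr/local/etc/ssl/acme`, the helper path `/usr/local/sbin/acme-deploy` and the `apache24` service name are all assumptions made for the example.

```shell
#!/bin/sh
# acme-deploy: privilege-separated certificate deployment (constructed
# example). The ACME client runs as an unprivileged user and writes its
# output to CLIENT_DIR; only this helper runs as root, via sudo.
# User name, paths and service name are assumptions, not values from the thread.
set -eu

ACME_USER="${ACME_USER:-acme}"                                 # assumed client user
CLIENT_DIR="${CLIENT_DIR:-/var/db/acme/example.com}"           # assumed client output dir
CERT_DIR="${CERT_DIR:-/usr/local/etc/ssl/acme}"                # assumed web server cert dir
WEB_SERVICE="${WEB_SERVICE:-apache24}"                         # rc.d service to reload
DEPLOY_HELPER="${DEPLOY_HELPER:-/usr/local/sbin/acme-deploy}"  # assumed install path of this script

# The sudoers line for the client user. Spelling out the argument list makes
# sudo match exactly this command line, so the client user cannot hand the
# root-side helper its own paths or flags.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s --deploy\n' "$ACME_USER" "$DEPLOY_HELPER"
}

# Return 0 when $1 is a non-empty PEM file whose BEGIN line ends in $2
# (CERTIFICATE, or PRIVATE KEY for PKCS#8 / RSA / EC keys). A compromised
# client account cannot make root install an empty or mistyped file.
pem_looks_like() {
    [ -s "$1" ] && grep -q -e "-----BEGIN .*$2-----" "$1"
}

# Root-side deploy: validate both inputs, copy to temporary names, set modes,
# rename into place, then run the reload command. Returns 2 and leaves
# CERT_DIR untouched if either input fails validation.
deploy_cert() {
    src_chain="$1"; src_key="$2"; reload_cmd="$3"
    pem_looks_like "$src_chain" "CERTIFICATE" || return 2
    pem_looks_like "$src_key"   "PRIVATE KEY" || return 2
    mkdir -p "$CERT_DIR"
    chmod 0750 "$CERT_DIR"
    # cp as root yields root-owned files; the client user never owns the
    # installed copy and cannot alter it after the fact.
    cp "$src_chain" "$CERT_DIR/fullchain.pem.new"
    cp "$src_key"   "$CERT_DIR/privkey.pem.new"
    chmod 0644 "$CERT_DIR/fullchain.pem.new"
    chmod 0600 "$CERT_DIR/privkey.pem.new"
    # rename(2) is atomic, so the server never opens a half-written file.
    mv "$CERT_DIR/fullchain.pem.new" "$CERT_DIR/fullchain.pem"
    mv "$CERT_DIR/privkey.pem.new"   "$CERT_DIR/privkey.pem"
    # A reload keeps the server up: no stop/start and no free port are needed
    # because no standalone challenge listener is involved.
    sh -c "$reload_cmd"
}

# Entry point when installed as the helper: fixed sources and a fixed reload
# command, nothing taken from the (untrusted) caller.
case "${1:-}" in
    --deploy)       deploy_cert "$CLIENT_DIR/fullchain.pem" "$CLIENT_DIR/privkey.pem" \
                                "service $WEB_SERVICE reload" ;;
    --show-sudoers) sudoers_rule ;;
esac
```

The client side then needs no root at all: the `acme` user's cron job runs the client, and the install step hands `sudo /usr/local/sbin/acme-deploy --deploy` over as its reload command (acme.sh accepts such a string via `--install-cert ... --reloadcmd`). The helper must be root-owned and not writable by the client user, or the sudoers rule is only as strong as that account. The residual risk is worth stating: a compromise of the `acme` account still lets an attacker have a certificate and key of their choosing installed for the site, but it does not yield root, which is the gain over running the whole client as root.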

From: Ørjan Tønder
Date: Wed, 11 Sep 2019 06:33:34 +0200
To: freebsd-security@freebsd.org
Subject: DDIO on Intel leaks ssh sessions

Just came over this one https://www.vusec.net/projects/netcat/