Date: Tue, 22 Oct 2019 09:39:34 +0200
From: adrian.van.de.ven@sentia.com
To: Leif Pedersen <leif@ofwilsoncreek.com>, Garrett Wollman <wollman@bimajority.org>
Cc: freebsd-security@freebsd.org, Victor Sudakov <vas@mpeks.tomsk.su>
Subject: Re: Let's Encrypt
Message-ID: <e7347264-4003-7474-9eb4-9109afcb62bd@sentia.com>
In-Reply-To: <CAK-wPOge8ZWABittkOWkwww7YX2xUAkypzw0sF4-kHXP5Fc0Sw@mail.gmail.com>
References: <20190908145835.GA67269@admin.sibptus.ru>
 <20190909090605.GA97856@admin.sibptus.ru>
 <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info>
 <20190910005231.GA23163@admin.sibptus.ru>
 <23927.10.5222.629103@hergotha.csail.mit.edu>
 <CAK-wPOge8ZWABittkOWkwww7YX2xUAkypzw0sF4-kHXP5Fc0Sw@mail.gmail.com>
On 13/10/2019 19:52, Leif Pedersen wrote:
> On Sat, Oct 12, 2019 at 6:28 PM Garrett Wollman <wollman@bimajority.org>
> wrote:
>
>> <<On Tue, 10 Sep 2019 07:52:31 +0700, Victor Sudakov <vas@mpeks.tomsk.su>
>> said:
>>
>>> Trond Endrestøl wrote:
>>>> #minute hour mday month wday who command
>>>>
>>>> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>>>> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>>
>>> Is it safe to run certbot as root?
>>
>> I can't speak to certbot (I currently use acmetool) but in general,
>> the thing that certbot does requires the ability to signal whatever
>> process is using the certificates, which is normally going to be a web
>> server but might be a mail server, name server, RADIUS server, or some
>> other application -- as shown in the example above. So if you don't
>> run it as root (probably smart) you'll need to find another way to
>> tell the TLS server application to reload its certificates when
>> needed.
>>
>> -GAWollman
>>
> A good point. One option might be to run two cron jobs. One job would run
> certbot as an unprivileged user, and the other would run "service apache24
> restart" as root an hour or so later. (Or maybe reload is enough.)
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Or something like this.
Check if there are new certs and if so do something with them:

#!/usr/local/bin/bash

if [[ -n $(/usr/bin/find /usr/local/etc/dehydrated/rsa/ -mtime -1h -type f) ]]
then
    /usr/bin/awk '{print $1}' /usr/local/etc/dehydrated/domains.txt | \
    while read -r a ; do
        # Copy certs for HAproxy
        /bin/cat /usr/local/etc/dehydrated/rsa/"$a"/cert.pem \
            /usr/local/etc/dehydrated/rsa/"$a"/privkey.pem \
            /usr/local/etc/dehydrated/rsa/"$a"/chain.pem \
            /usr/local/etc/ssl/dhparams.pem > \
            /usr/local/etc/ssl/haproxy/"$a".pem.rsa
        /bin/chmod 600 /usr/local/etc/ssl/haproxy/"$a".pem.rsa
        /bin/cp /usr/local/etc/dehydrated/rsa/"$a"/chain.pem \
            /usr/local/etc/ssl/haproxy/"$a".pem.rsa.issuer

        # Copy certs for HAproxy, this time the ECDSA stuff
        /bin/cat /usr/local/etc/dehydrated/ecdsa/"$a"/cert.pem \
            /usr/local/etc/dehydrated/ecdsa/"$a"/privkey.pem \
            /usr/local/etc/dehydrated/ecdsa/"$a"/chain.pem \
            /usr/local/etc/ssl/dhparams.pem > \
            /usr/local/etc/ssl/haproxy/"$a".pem.ecdsa
        /bin/chmod 600 /usr/local/etc/ssl/haproxy/"$a".pem.ecdsa
        /bin/cp /usr/local/etc/dehydrated/ecdsa/"$a"/chain.pem \
            /usr/local/etc/ssl/haproxy/"$a".pem.ecdsa.issuer
    done

    # Some standard stuff for configs with fixed cert names
    /bin/cp /usr/local/etc/dehydrated/rsa/$(hostname)/cert.pem      /usr/local/etc/ssl/syslog-ng/
    /bin/cp /usr/local/etc/dehydrated/rsa/$(hostname)/privkey.pem   /usr/local/etc/ssl/syslog-ng/
    /bin/cp /usr/local/etc/dehydrated/rsa/$(hostname)/fullchain.pem /usr/local/etc/ssl/syslog-ng/
    /bin/cp /usr/local/etc/dehydrated/rsa/$(hostname)/chain.pem     /usr/local/etc/ssl/syslog-ng/
    /usr/local/bin/c_rehash /usr/local/etc/ssl/syslog-ng/

    # Restart services
    /usr/bin/killall haproxy
    /usr/local/etc/rc.d/haproxy restart
    /usr/local/etc/rc.d/syslog-ng restart
    /usr/local/etc/rc.d/postfix restart
fi
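A privilege-separated variant of the same idea, written here as an added example; it is not Adrian's script and not part of the thread. It assumes the ACME client runs as an unprivileged user and writes into /usr/local/etc/dehydrated/rsa/<domain>/ (dehydrated's layout; certbot's live/ directory works the same way with different file names), that /usr/local/etc/ssl/haproxy is root-owned, and that "service haproxy reload" exists on the host. All paths, the domains.txt format and the service name are assumptions. Instead of "find -mtime -1h", which silently misses a renewal if cron slips or the job runs late, it compares the freshly built bundle with the deployed one byte for byte, refuses to install a certificate whose public key does not match the private key beside it (a failed or half-finished renewal should not take the proxy down), sets mode 0600 before the bundle becomes visible under its final name, and reloads only when a bundle actually changed.

```sh
#!/bin/sh
# deploy-certs.sh: root-side hook for certificates fetched by an UNPRIVILEGED
# ACME client. Added example for this page, not code from the thread.
# Paths, the domains.txt format and the service name are assumptions.
#
# Root crontab, some time after the unprivileged renewal job:
#   30 5 * * * root /usr/local/sbin/deploy-certs.sh deploy

ACME_DIR="${ACME_DIR:-/usr/local/etc/dehydrated/rsa}"        # owned by the acme user
DOMAINS="${DOMAINS:-/usr/local/etc/dehydrated/domains.txt}"  # first field: primary name
DEPLOY_DIR="${DEPLOY_DIR:-/usr/local/etc/ssl/haproxy}"       # root-owned, mode 0700
DHPARAMS="${DHPARAMS:-/usr/local/etc/ssl/dhparams.pem}"

# build_bundle DOMAIN OUT: HAProxy reads cert, key, chain and DH params from one PEM.
build_bundle() {
    src="$ACME_DIR/$1"
    cat "$src/cert.pem" "$src/privkey.pem" "$src/chain.pem" "$DHPARAMS" > "$2"
}

# needs_deploy NEW DEPLOYED: true if nothing is deployed yet or the bytes differ.
# Byte comparison rather than mtime: a late cron run cannot miss a renewal, and
# an unchanged certificate never causes a reload.
needs_deploy() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# cert_matches_key CERT KEY: true if CERT carries KEY's public key (RSA or ECDSA).
# Requires openssl(1). A mismatch means a broken renewal; do not load it.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# install_atomic TMP DST: restrict the mode while the file still has its temporary
# name, then rename into place (TMP must be on the same filesystem as DST).
install_atomic() {
    chmod 600 "$1" && mv -f "$1" "$2"
}

# deploy_domain DOMAIN: 0 = new bundle installed, 1 = unchanged, 2 = rejected.
deploy_domain() {
    dst="$DEPLOY_DIR/$1.pem"
    tmp="$DEPLOY_DIR/.$1.pem.$$"
    if ! build_bundle "$1" "$tmp"; then
        rm -f "$tmp"; return 2
    fi
    if ! needs_deploy "$tmp" "$dst"; then
        rm -f "$tmp"; return 1
    fi
    if ! cert_matches_key "$ACME_DIR/$1/cert.pem" "$ACME_DIR/$1/privkey.pem"; then
        echo "$1: certificate does not match private key, not deploying" >&2
        rm -f "$tmp"; return 2
    fi
    install_atomic "$tmp" "$dst"
}

main() {
    changed=0 failed=0
    while read -r dom _; do
        case $dom in ''|'#'*) continue ;; esac
        if deploy_domain "$dom"; then
            changed=1
        elif [ $? -eq 2 ]; then
            failed=1
        fi
    done < "$DOMAINS"
    # reload, not restart: the old HAProxy process keeps serving until the new
    # one has bound. Only touch the service when a bundle actually changed.
    [ "$changed" -eq 1 ] && service haproxy reload
    [ "$failed" -eq 0 ]   # non-zero exit makes cron mail root about the rejection
}

case "${1:-}" in deploy) main ;; esac
```

Because every path is a variable, the same script serves a second key type by running it twice from cron with ACME_DIR pointing at the ecdsa tree and a different DEPLOY_DIR or suffix; the unprivileged ACME user needs no rights on the deploy directory, and root never executes anything the ACME user can modify.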
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?e7347264-4003-7474-9eb4-9109afcb62bd>