From owner-freebsd-security@freebsd.org  Tue Oct 22 07:39:39 2019
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 039DC152A61
 for <freebsd-security@mailman.nyi.freebsd.org>;
 Tue, 22 Oct 2019 07:39:39 +0000 (UTC)
 (envelope-from adrian.van.de.ven@sentia.com)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com
 [IPv6:2a00:1450:4864:20::433])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 46y54T6183z4Qy7
 for <freebsd-security@freebsd.org>; Tue, 22 Oct 2019 07:39:37 +0000 (UTC)
 (envelope-from adrian.van.de.ven@sentia.com)
Received: by mail-wr1-x433.google.com with SMTP id r1so6986194wrs.9
 for <freebsd-security@freebsd.org>; Tue, 22 Oct 2019 00:39:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=sentia-com.20150623.gappssmtp.com; s=20150623;
 h=from:subject:to:cc:references:message-id:date:user-agent
 :mime-version:in-reply-to:content-language;
 bh=z1/+xuGQlK/MxbpTAHNkHRMFJYLKiKMT3SECd/yMKsc=;
 b=VYHKi6SbBOYKBkAETC9REdRwHBBUIR3KjOz/Fp/qrz2lnH5Jrj1dovU1Cbbg5mGDWW
 qLvekvPtyxlqkywYgiU7NlDjXE4H1UVFk3H/KggebngvpfHfpK+3Fr/B5C+K4m55+Qhd
 Yifm4VHUIZvHCS3on3dYPmbK/ZveiPWlmx/0ybxLLJCez3WaN4ZqwGXVsn6XaE6H1zvf
 +EfU9WBWXHVMP5aP1kZNWAOqrArTXqHDMhoFaoac7qoaqppH8s4y8zccEfP/bkq76Egq
 CaaCcZiAX19SLgTDpgQNn2t/o2SerCh8U7uONOFjQXCYyujPWzaFBzaFrWINts6gd2oF
 zrww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:subject:to:cc:references:message-id:date
 :user-agent:mime-version:in-reply-to:content-language;
 bh=z1/+xuGQlK/MxbpTAHNkHRMFJYLKiKMT3SECd/yMKsc=;
 b=bj07RwfRkhD9UPQbTPDESm3YUhnWhGK78j+9DWrFNJ7VQVjSKTaiJLKWDWlTMF0r+x
 fQ3c26owEPG9ShN7tYYoTI1r+NUeowqAvHO+cp7IeyrsVP9ozbQEd984efTc4Cu9MaZZ
 4F6Vejd+KJ49hVO6XF8k88f4Z6KZ29WbknSWPK4SJfgATd72lzXHDzOZv8iJLLd8TqIA
 NAqcp+hqAQ+aZnvXgkMnzoUAAj4MyK0BPJWkI7CRmA3sAo7slb5u7pj/ZW9zBBrOhmfx
 3JvOHcOuVBj8K6dYHRsAw/iYAkRB6i+ckLs63oT5WMrdDwNJRe8HEQQeN5UPHOBbw/43
 hUZQ==
X-Gm-Message-State: APjAAAVdV4pY+gNg98RcL+5xlocp6sSPc2MbtWdld8oBeaA3PvKdLCEE
 r76o5UoQ0yugnl0VOOQZnnMUrEe4lJQ=
X-Google-Smtp-Source: APXvYqyfMvlJhkmiDqta9He+jUIYoWzxFonXd9ho5MKtXyLnteiuyEpEVkQFFF873JmY08TiQtwgOg==
X-Received: by 2002:adf:c641:: with SMTP id u1mr2084222wrg.361.1571729975960; 
 Tue, 22 Oct 2019 00:39:35 -0700 (PDT)
Received: from minos.local (89.20.184.17.static.ef-service.nl. [89.20.184.17])
 by smtp.gmail.com with ESMTPSA id
 q124sm31438793wma.5.2019.10.22.00.39.34
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 22 Oct 2019 00:39:35 -0700 (PDT)
From: adrian.van.de.ven@sentia.com
X-Google-Original-From: bluuurgh@gmail.com
Subject: Re: Let's Encrypt
To: Leif Pedersen <leif@ofwilsoncreek.com>,
 Garrett Wollman <wollman@bimajority.org>
Cc: freebsd-security@freebsd.org, Victor Sudakov <vas@mpeks.tomsk.su>
References: <20190908145835.GA67269@admin.sibptus.ru>
 <20190909090605.GA97856@admin.sibptus.ru>
 <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info>
 <20190910005231.GA23163@admin.sibptus.ru>
 <23927.10.5222.629103@hergotha.csail.mit.edu>
 <CAK-wPOge8ZWABittkOWkwww7YX2xUAkypzw0sF4-kHXP5Fc0Sw@mail.gmail.com>
Message-ID: <e7347264-4003-7474-9eb4-9109afcb62bd@sentia.com>
Date: Tue, 22 Oct 2019 09:39:34 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:60.0)
 Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <CAK-wPOge8ZWABittkOWkwww7YX2xUAkypzw0sF4-kHXP5Fc0Sw@mail.gmail.com>
Content-Language: en-GB
X-Rspamd-Queue-Id: 46y54T6183z4Qy7
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org;
 dkim=pass header.d=sentia-com.20150623.gappssmtp.com header.s=20150623
 header.b=VYHKi6Sb; 
 dmarc=pass (policy=none) header.from=sentia.com;
 spf=pass (mx1.freebsd.org: domain of adrian.van.de.ven@sentia.com designates
 2a00:1450:4864:20::433 as permitted sender)
 smtp.mailfrom=adrian.van.de.ven@sentia.com
X-Spamd-Result: default: False [-4.80 / 15.00]; ARC_NA(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[];
 R_DKIM_ALLOW(-0.20)[sentia-com.20150623.gappssmtp.com:s=20150623];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; RCPT_COUNT_THREE(0.00)[4];
 TO_DN_SOME(0.00)[];
 R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36];
 NEURAL_HAM_LONG(-1.00)[-1.000,0];
 MIME_GOOD(-0.10)[multipart/alternative,text/plain];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org];
 URI_COUNT_ODD(1.00)[3]; RCVD_COUNT_THREE(0.00)[3];
 TO_MATCH_ENVRCPT_SOME(0.00)[];
 DKIM_TRACE(0.00)[sentia-com.20150623.gappssmtp.com:+];
 DMARC_POLICY_ALLOW(-0.50)[sentia.com,none];
 RCVD_IN_DNSWL_NONE(0.00)[3.3.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.list.dnswl.org
 : 127.0.5.0]; FROM_NO_DN(0.00)[]; FROM_EQ_ENVFROM(0.00)[];
 MIME_TRACE(0.00)[0:+,1:+,2:~];
 IP_SCORE(-2.81)[ip: (-9.09), ipnet: 2a00:1450::/32(-2.81), asn: 15169(-2.07),
 country: US(-0.05)]; 
 ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US];
 MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]
X-Mailman-Approved-At: Thu, 24 Oct 2019 23:37:40 +0000
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.29
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Oct 2019 07:39:39 -0000



On 13/10/2019 19:52, Leif Pedersen wrote:
> On Sat, Oct 12, 2019 at 6:28 PM Garrett Wollman <wollman@bimajority.org>
> wrote:
>
>> <<On Tue, 10 Sep 2019 07:52:31 +0700, Victor Sudakov <vas@mpeks.tomsk.su>
>> said:
>>
>>> Trond Endrestøl wrote:
>>>> #minute      hour    mday    month   wday    who     command
>>>>
>>>> 52   4       1       *       *       root    certbot renew --quiet
>> --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>>>> 52   1       15      *       *       root    certbot renew --quiet
>> --pre-hook "service apache24 stop" --post-hook "service apache24 start"
>>
>>> Is it safe to run certbot as root?
>> I can't speak to certbot (I currently use acmetool) but in general,
>> the thing that certbot does requires the ability to signal whatever
>> process is using the certificates, which is normally going to be a web
>> server but might be a mail server, name server, RADIUS server, or some
>> other application -- as shown in the example above.  So if you don't
>> run it as root (probably smart) you'll need to find another way to
>> tell the TLS server application to reload its certificates when
>> needed.
>>
>> -GAWollman
>>
> A good point. One option might be to run two cron jobs. One job would run
> certbot as an unprivileged user, and the other would run "service apache24
> restart" as root an hour or so later. (Or maybe reload is enough.)
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Or something like this. Check if there are new certs and if so do 
something with them:

    #!/usr/local/bin/bash

    if [[ -n $(/usr/bin/find /usr/local/etc/dehydrated/rsa/ -mtime -1h
    -type f) ]]
    then
       /usr/bin/awk '{print $1}' /usr/local/etc/dehydrated/domains.txt | \
       while read a ; \
         do
           # Copy certs for HAproxy
           /bin/cat /usr/local/etc/dehydrated/rsa/"$a"/cert.pem \
           /usr/local/etc/dehydrated/rsa/"$a"/privkey.pem \
           /usr/local/etc/dehydrated/rsa/"$a"/chain.pem \
           /usr/local/etc/ssl/dhparams.pem > \
           /usr/local/etc/ssl/haproxy/"$a".pem.rsa
           /bin/chmod 600 /usr/local/etc/ssl/haproxy/"$a".pem.rsa
           /bin/cp /usr/local/etc/dehydrated/rsa/"$a"/chain.pem
    /usr/local/etc/ssl/haproxy/"$a".pem.rsa.issuer

           # Copy certs for HAproxy, this time the ECDSA stuff
           /bin/cat /usr/local/etc/dehydrated/ecdsa/"$a"/cert.pem \
           /usr/local/etc/dehydrated/ecdsa/"$a"/privkey.pem \
           /usr/local/etc/dehydrated/ecdsa/"$a"/chain.pem \
           /usr/local/etc/ssl/dhparams.pem > \
           /usr/local/etc/ssl/haproxy/"$a".pem.ecdsa
           /bin/chmod 600 /usr/local/etc/ssl/haproxy/"$a".pem.ecdsa
           /bin/cp /usr/local/etc/dehydrated/ecdsa/"$a"/chain.pem
    /usr/local/etc/ssl/haproxy/"$a".pem.ecdsa.issuer
       done

    # Some standard stuff for configs with fixed cert names
       /bin/cp /usr/local/etc/dehydrated/rsa/`hostname`/cert.pem
    /usr/local/etc/ssl/syslog-ng/
       /bin/cp /usr/local/etc/dehydrated/rsa/`hostname`/privkey.pem
    /usr/local/etc/ssl/syslog-ng/
       /bin/cp /usr/local/etc/dehydrated/rsa/`hostname`/fullchain.pem
    /usr/local/etc/ssl/syslog-ng/
       /bin/cp /usr/local/etc/dehydrated/rsa/`hostname`/chain.pem
    /usr/local/etc/ssl/syslog-ng/
       /usr/local/bin/c_rehash /usr/local/etc/ssl/syslog-ng/

    # Restart services
       /usr/bin/killall haproxy
       /usr/local/etc/rc.d/haproxy restart
       /usr/local/etc/rc.d/syslog-ng restart
       /usr/local/etc/rc.d/postfix restart
    fi