From owner-freebsd-questions@freebsd.org Wed May 24 15:56:58 2017 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 40E28D7C035 for ; Wed, 24 May 2017 15:56:58 +0000 (UTC) (envelope-from frank@woodcruft.co.uk) Received: from b-painless.mh.aa.net.uk (b-painless.mh.aa.net.uk [81.187.30.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0A59413E6 for ; Wed, 24 May 2017 15:56:57 +0000 (UTC) (envelope-from frank@woodcruft.co.uk) Received: from woodcruft.co.uk ([81.187.49.114] helo=lime.woodcruft.co.uk) by b-painless.mh.aa.net.uk with esmtp (Exim 4.84_2) (envelope-from ) id 1dDYec-0006BV-M5; Wed, 24 May 2017 16:56:54 +0100 Received: by lime.woodcruft.co.uk (Postfix, from userid 1001) id 0A55321AD3; Wed, 24 May 2017 16:56:48 +0100 (BST) Date: Wed, 24 May 2017 16:56:48 +0100 From: Frank Shute To: David Mehler Cc: freebsd-questions Subject: Re: Acme client not updating keys automatically Message-ID: <20170524155647.GE1232@lime.woodcruft.co.uk> Reply-To: Frank Shute Mail-Followup-To: David Mehler , freebsd-questions References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Face: *}~{PHnDTzvXPe'wl_-f%!@+r5; VLhb':*DsX%wEOPg\fDrXWQJf|2\,92"DdS%63t*BHDyQ|OWo@Gfjcd72eaN!4%NE{0]p)ihQ1MyFNtWL X-Operating-System: FreeBSD 11.0-RELEASE-p1 amd64 X-Organisation: 'woodcruft.co.uk' User-Agent: Mutt/1.7.1 (2016-10-04) X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 May 2017 15:56:58 -0000 On Tue, May 23, 2017 at 08:23:24AM -0400, David Mehler wrote: > > Hello, > > I've got a Freebsd 10.3 system running several ssl-enabled web > servers. I've got letsencrypt keys for all of them. I'm using > py27-certbot (am not stuck on it so if there's an alternative), and > have a cron job set to check keys and update them by doing a certbot > renew. > > I thought something was wrong when I kept getting key expirey notices > from letsencrypt, then I checked a site and got a key has expired > message. > > Suggestions welcome. > > Thanks. > Dave. Hi Dave, I'll venture forth an opinion that is maybe a bit controversial. The certbot written in python 2.7, as recommended by Letsencrypt, is a bit crap IMHO. It's possibly fine if you're running a vanilla LAMP stack but start doing such things as s/Linux/FreeBSD/ and s/Apache/Nginx/ and you rapidly end up in trouble. My preference is either for acme.sh: https://github.com/Neilpang/acme.sh which is an acme client written in portable (POSIX) shell. Or: security/acme-client in ports which is written in C by a BSD bloke. In my experience, the problem with software written in Python is that because the barrier to entry is so low, is that even a mouth-breathing, window-licking, know-nothing moron can write Python...and sure as shit, they invariably do. To be fair, I think a lot of that type are now picking up on Javascript and it's bastard brethren. We've already seen a text editor written in it and I feel it can be only a matter of time before they set their sights on a RTOS...for suitably low values of "real time". Regards, -- Frank