Date: Wed, 24 May 2017 14:44:59 -0400 From: Jim Ohlstein <jim@mailman-hosting.com> To: David Mehler <dave.mehler@gmail.com>, freebsd-questions <freebsd-questions@freebsd.org>, Frank Shute <frank@woodcruft.co.uk> Subject: Re: Acme client not updating keys automatically Message-ID: <37e1e540-dd11-8f86-9b17-3a4f31ed530b@mailman-hosting.com> In-Reply-To: <2f52e790-3eff-3ca0-46c0-4336b8e38046@mailman-hosting.com> References: <CAPORhP4bS3HkE7q9vPriSusZvxC5YFAd5U8jEyA0x6cA1qucZQ@mail.gmail.com> <20170524155647.GE1232@lime.woodcruft.co.uk> <2f52e790-3eff-3ca0-46c0-4336b8e38046@mailman-hosting.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello, On 05/24/2017 02:31 PM, Jim Ohlstein wrote: > Hello, > > On 05/24/2017 11:56 AM, Frank Shute wrote: >> On Tue, May 23, 2017 at 08:23:24AM -0400, David Mehler wrote: >>> >>> Hello, >>> >>> I've got a Freebsd 10.3 system running several ssl-enabled web >>> servers. I've got letsencrypt keys for all of them. I'm using >>> py27-certbot (am not stuck on it so if there's an alternative), and >>> have a cron job set to check keys and update them by doing a certbot >>> renew. >>> >>> I thought something was wrong when I kept getting key expirey notices >>> from letsencrypt, then I checked a site and got a key has expired >>> message. >>> >>> Suggestions welcome. >>> >>> Thanks. >>> Dave. >> >> Hi Dave, >> >> >> I'll venture forth an opinion that is maybe a bit controversial. >> >> The certbot written in python 2.7, as recommended by Letsencrypt, is a >> bit >> crap IMHO. > > Not tryinh to start a fight (Honets!), but I'm curious as to how you > arrived at that opinion. Code analysis, use for purpose, or just a > general opinion of Python kiddie coders? > > I ask because I use it, and it suits my purpose just fine. Of course I > use a few domain/multi-subdomain certs, and I simply force renew them > manually the first week of every other month. Doesn't take more than a > few minutes for the whole process inclusing reloading nginx, Postfix, > Dovecot, etc. Only glitch was recently when one dependency got ahead of > py-certbot. A suitable patch was available within a day or so. > >> >> It's possibly fine if you're running a vanilla LAMP stack but start doing >> such things as s/Linux/FreeBSD/ and s/Apache/Nginx/ and you rapidly >> end up >> in trouble. >> >> My preference is either for acme.sh: >> >> https://github.com/Neilpang/acme.sh >> >> which is an acme client written in portable (POSIX) shell. >> >> Or: security/acme-client in ports which is written in C by a BSD bloke. > > I didn't realize that existed. Thanks! Add: it has a build dependency on libressl, which apparently makes it a non-starter for portmaster and portupgrade users who rely on the openssl port. It works fine with poudriere, and probably also with synth. > >> >> In my experience, the problem with software written in Python is that >> because the barrier to entry is so low, is that even a mouth-breathing, >> window-licking, know-nothing moron can write Python...and sure as shit, >> they invariably do. > > Tell us how you really feel. ;) > >> >> To be fair, I think a lot of that type are now picking up on >> Javascript and >> it's bastard brethren. We've already seen a text editor written in it and >> I feel it can be only a matter of time before they set their sights on a >> RTOS...for suitably low values of "real time". >> >> >> Regards, >> > -- Jim Ohlstein Professional Mailman Hosting https://mailman-hosting.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37e1e540-dd11-8f86-9b17-3a4f31ed530b>