From owner-freebsd-questions@freebsd.org Wed May 24 18:45:12 2017 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 858B9D7C37A for ; Wed, 24 May 2017 18:45:12 +0000 (UTC) (envelope-from jim@mailman-hosting.com) Received: from maurice.jlkmail.com (maurice.jlkmail.com [23.111.151.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4B10610A8 for ; Wed, 24 May 2017 18:45:11 +0000 (UTC) (envelope-from jim@mailman-hosting.com) Received: from maurice.jlkmail.com (localhost [127.0.0.1]) by maurice.jlkmail.com (Postfix) with ESMTP id 7DFEC18808A8 for ; Wed, 24 May 2017 14:45:05 -0400 (EDT) Authentication-Results: maurice.jlkmail.com (amavisd-new); dkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=mailman-hosting.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d= mailman-hosting.com; h=content-transfer-encoding :content-language:content-type:content-type:in-reply-to :mime-version:user-agent:date:date:message-id:references:to:from :from:subject:subject; s=dkim; t=1495651500; x=1496515501; bh=s8 49o6KdgObTxsC7k4kWKmaKt0g1JFsHgq71p0JUcD8=; b=C01Ooe3zrkPO8cXOT2 JUtcekI0RjSjBsJZHaHMj3su3PLuENUptkwItCigAXUlNRfW2HraMcuTd+Ptu4Dn 29imsSnLx+2W9euRSH38hnnL8Ji7IsuBi0m1339yo9k5aRcqXKt0+jdnOQIO57a7 FLo9l50/Qw/VSHO8NmjB1K8oY= X-Virus-Scanned: Debian amavisd-new at maurice.jlkmail.com X-Spam-Flag: NO X-Spam-Score: -0.999 X-Spam-Level: X-Spam-Status: No, score=-0.999 tagged_above=-9999 required=6.31 tests=[ALL_TRUSTED=-1, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no Received: from maurice.jlkmail.com ([127.0.0.1]) by maurice.jlkmail.com (maurice.jlkmail.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id nsm2K_ZhV3Yz for ; Wed, 24 May 2017 14:45:00 -0400 (EDT) Received: from [192.168.1.153] (static-70-104-198-154.nrflva.fios.verizon.net [70.104.198.154]) by maurice.jlkmail.com (Postfix) with ESMTPSA id 0D7CE1880836; Wed, 24 May 2017 14:44:59 -0400 (EDT) Subject: Re: Acme client not updating keys automatically From: Jim Ohlstein To: David Mehler , freebsd-questions , Frank Shute References: <20170524155647.GE1232@lime.woodcruft.co.uk> <2f52e790-3eff-3ca0-46c0-4336b8e38046@mailman-hosting.com> Message-ID: <37e1e540-dd11-8f86-9b17-3a4f31ed530b@mailman-hosting.com> Date: Wed, 24 May 2017 14:44:59 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1 MIME-Version: 1.0 In-Reply-To: <2f52e790-3eff-3ca0-46c0-4336b8e38046@mailman-hosting.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 May 2017 18:45:12 -0000 Hello, On 05/24/2017 02:31 PM, Jim Ohlstein wrote: > Hello, > > On 05/24/2017 11:56 AM, Frank Shute wrote: >> On Tue, May 23, 2017 at 08:23:24AM -0400, David Mehler wrote: >>> >>> Hello, >>> >>> I've got a Freebsd 10.3 system running several ssl-enabled web >>> servers. I've got letsencrypt keys for all of them. I'm using >>> py27-certbot (am not stuck on it so if there's an alternative), and >>> have a cron job set to check keys and update them by doing a certbot >>> renew. >>> >>> I thought something was wrong when I kept getting key expirey notices >>> from letsencrypt, then I checked a site and got a key has expired >>> message. >>> >>> Suggestions welcome. >>> >>> Thanks. >>> Dave. >> >> Hi Dave, >> >> >> I'll venture forth an opinion that is maybe a bit controversial. >> >> The certbot written in python 2.7, as recommended by Letsencrypt, is a >> bit >> crap IMHO. > > Not tryinh to start a fight (Honets!), but I'm curious as to how you > arrived at that opinion. Code analysis, use for purpose, or just a > general opinion of Python kiddie coders? > > I ask because I use it, and it suits my purpose just fine. Of course I > use a few domain/multi-subdomain certs, and I simply force renew them > manually the first week of every other month. Doesn't take more than a > few minutes for the whole process inclusing reloading nginx, Postfix, > Dovecot, etc. Only glitch was recently when one dependency got ahead of > py-certbot. A suitable patch was available within a day or so. > >> >> It's possibly fine if you're running a vanilla LAMP stack but start doing >> such things as s/Linux/FreeBSD/ and s/Apache/Nginx/ and you rapidly >> end up >> in trouble. >> >> My preference is either for acme.sh: >> >> https://github.com/Neilpang/acme.sh >> >> which is an acme client written in portable (POSIX) shell. >> >> Or: security/acme-client in ports which is written in C by a BSD bloke. > > I didn't realize that existed. Thanks! Add: it has a build dependency on libressl, which apparently makes it a non-starter for portmaster and portupgrade users who rely on the openssl port. It works fine with poudriere, and probably also with synth. > >> >> In my experience, the problem with software written in Python is that >> because the barrier to entry is so low, is that even a mouth-breathing, >> window-licking, know-nothing moron can write Python...and sure as shit, >> they invariably do. > > Tell us how you really feel. ;) > >> >> To be fair, I think a lot of that type are now picking up on >> Javascript and >> it's bastard brethren. We've already seen a text editor written in it and >> I feel it can be only a matter of time before they set their sights on a >> RTOS...for suitably low values of "real time". >> >> >> Regards, >> > -- Jim Ohlstein Professional Mailman Hosting https://mailman-hosting.com/