Date:      Mon, 9 Sep 2019 13:28:57 +0200
From:      Vladimir Botka <vbotka@gmail.com>
To:        Trond Endrestøl <trond.endrestol@ximalas.info>
Cc:        Victor Sudakov <vas@mpeks.tomsk.su>, freebsd-security@freebsd.org
Subject:   Re: Let's Encrypt
Message-ID:  <20190909132857.3059896a@gmail.com>
In-Reply-To: <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info>
References:  <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info>


On Mon, 9 Sep 2019 12:12:55 +0200 (CEST)
Trond Endrestøl <trond.endrestol@ximalas.info> wrote:

> On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote:
> 
> > The majority is for py-certbot, so I'll probably use it. Thank you.
> 
> I have found it prudent to run certbot twice a month from cron(8),
> just to be safe.
> 
> Last year, I had one case where the certificate expired a few hours
> before the next run of certbot. Had I run certbot on the 1st and on
> the 15th day of each month, then the certificates would have been
> updated ahead of their expiration.
> 
> E.g.:
> 
> #minute	hour	mday	month	wday	who	command
> 
> 52	4	1	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> 52	1	15	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

I believe --dry-run renewal is encouraged. Both for testing on the
development side and to be sure all is running well on the user's side.

See "Help us test renewal with “letsencrypt renew”
https://community.letsencrypt.org/t/help-us-test-renewal-with-letsencrypt-renew/10562

Q. What’s the new --dry-run flag?
A. The new --dry-run flag for both certonly and renew performs the
certificate request(s) against the staging server, which issues test
certificates that are not trusted by browsers. This verifies whether you’re
apparently able to get a certificate, in your current configuration, using
the method that you specified (for example, if you were using webroot
authentication, whether your webroot configuration is capable of being
validated by the CA). With --dry-run, the certificates obtained are not
actually saved to disk and your configuration is not updated. You can use
this to simulate what would apparently happen if you ran the command without
--dry-run.

FWIW, here is the link to my wrappers for certbot (last update June 2018)
https://github.com/vbotka/le-utils

For example, below is a fragment from crontab.

  1) Daily send email with certificates that expire within 30 days.
  2) Daily dry-run renew all certificates.
  3) Daily renew certificates that expire within 30 days.

  #Ansible: check expiry of certificates
  15 2 * * * /root/bin/leinfo -e --Days=30 -a
  #Ansible: dry-run renewal of certificates
  20 2 * * * /root/bin/lectl -s -n -c -a
  #Ansible: renewal of certificates
  20 3 * * * /root/bin/lectl -s -D=30 -c -a && /root/bin/lectl -s -p && /root/bin/leinfo -s -g -a

If all is right I get only emails with the renewals.

Cheers,

	-vlado
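Trond's expiry-gap point above, and the value of running renewal more often, can be checked with this added simulation (not code from the thread, nor from le-utils): it assumes certbot's default policy of renewing only when 30 days or fewer remain on a 90-day certificate, replays that policy against constructed cron schedules modelled on the 1st/15th entries quoted above, and reports the longest time a certificate would already have been expired when the next run renewed it.

```python
from datetime import datetime, timedelta

# Assumptions (not stated in the thread): Let's Encrypt issues 90-day
# certificates, and `certbot renew` only renews a certificate with 30 days
# or less of validity left (its default renew_before_expiry).
LIFETIME = timedelta(days=90)
RENEW_WITHIN = timedelta(days=30)

# Constructed crontab-style schedules: (day-of-month or None for every day,
# hour, minute). MONTHLY and TWICE_MONTHLY mirror the 1st/15th entries above.
MONTHLY = [(1, 4, 52)]
TWICE_MONTHLY = [(1, 4, 52), (15, 1, 52)]
DAILY = [(None, 3, 20)]


def cron_runs(schedule, start, end):
    """Yield the datetimes at which `certbot renew` would run in [start, end]."""
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day <= end:
        runs = [day.replace(hour=h, minute=m)
                for d, h, m in schedule if d is None or d == day.day]
        for run in sorted(runs):
            if start <= run <= end:
                yield run
        day += timedelta(days=1)


def worst_lapse_hours(issued, schedule):
    """Replay certbot's policy at every run and return the longest time (hours)
    the certificate had already been expired when it was finally renewed."""
    if isinstance(issued, str):
        issued = datetime.fromisoformat(issued)
    not_after = issued + LIFETIME
    worst = timedelta(0)
    for run in cron_runs(schedule, issued, issued + 2 * LIFETIME):
        remaining = not_after - run
        if remaining <= RENEW_WITHIN:
            worst = max(worst, -remaining)   # negative remaining: already expired
            not_after = run + LIFETIME       # renewed: a fresh 90-day certificate
    return worst.total_seconds() / 3600


def worst_case_hours(schedule, year=2019, step_hours=6):
    """Try issuance times across a whole year and return the worst lapse found."""
    t, worst = datetime(year, 1, 1), 0.0
    while t.year == year:
        worst = max(worst, worst_lapse_hours(t, schedule))
        t += timedelta(hours=step_hours)
    return worst


if __name__ == "__main__":
    for name, sched in [("monthly", MONTHLY), ("1st+15th", TWICE_MONTHLY), ("daily", DAILY)]:
        print(f"{name:9s} worst lapse: {worst_case_hours(sched):.1f} h")
```

Only 31-day months can produce a lapse on the monthly schedule, which is why the twice-monthly and daily schedules never let a certificate expire under this model.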
