From: Vladimir Botka <vbotka@gmail.com>
To: Trond Endrestøl
Cc: Victor Sudakov, freebsd-security@freebsd.org
Subject: Re: Let's Encrypt
Date: Mon, 9 Sep 2019 13:28:57 +0200
Message-ID: <20190909132857.3059896a@gmail.com>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")

On Mon, 9 Sep 2019 12:12:55 +0200 (CEST) Trond Endrestøl wrote:
> On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote:
>
> > The majority is for py-certbot, so I'll probably use it. Thank you.
>
> I have found it prudent to run certbot twice a month from cron(8),
> just to be safe.
>
> Last year, I had one case where the certificate expired a few hours
> before the next run of certbot. Had I run certbot on the 1st and on
> the 15th day of each month, then the certificates would have been
> updated ahead of their expiration.
>
> E.g.:
>
> #minute hour mday month wday who command
>
> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

I believe --dry-run renewal is encouraged, both for testing on the development side and to be sure all is running well on the user's side. See "Help us test renewal with “letsencrypt renew”":
https://community.letsencrypt.org/t/help-us-test-renewal-with-letsencrypt-renew/10562

Q. What’s the new --dry-run flag?

A. The new --dry-run flag for both certonly and renew performs the certificate request(s) against the staging server, which issues test certificates that are not trusted by browsers. This verifies whether you’re apparently able to get a certificate, in your current configuration, using the method that you specified (for example, if you were using webroot authentication, whether your webroot configuration is capable of being validated by the CA). With --dry-run, the certificates obtained are not actually saved to disk and your configuration is not updated. You can use this to simulate what would apparently happen if you ran the command without --dry-run.

FWIW, here is the link to my wrappers for certbot (last update June 2018):
https://github.com/vbotka/le-utils

For example, below is a fragment from crontab.

1) Daily send email with certificates that expire within 30 days.
2) Daily dry-run renew all certificates.
3) Daily renew certificates that expire within 30 days.

#Ansible: check expiry of certificates
15 2 * * * /root/bin/leinfo -e --Days=30 -a
#Ansible: dry-run renewal of certificates
20 2 * * * /root/bin/lectl -s -n -c -a
#Ansible: renewal of certificates
20 3 * * * /root/bin/lectl -s -D=30 -c -a && /root/bin/lectl -s -p && /root/bin/leinfo -s -g -a

If all is right I get only emails with the renewals.
Cheers,
-vlado
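The pattern discussed in this thread (a scheduled dry run against the staging CA, a real renewal with stop/start hooks, and a daily report of certificates close to expiry) as a single cron-friendly POSIX sh script. This is an added example written for this page; it is not code from the thread, from le-utils, or from certbot itself. It assumes certbot(1) and openssl(1) are installed, that certificates live under the FreeBSD py-certbot default of /usr/local/etc/letsencrypt/live, and that the web server is apache24 managed by service(8); all of these are overridable through environment variables. The script name le-renew.sh and the cron lines in the trailing comment are likewise assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, le-utils or certbot): dry-run renewal
# first, real renewal only when the dry run succeeds, plus an expiry report.
# Assumptions: certbot(1) and openssl(1) exist, LIVE_DIR is the FreeBSD
# py-certbot default, and the web server is apache24 under service(8).

CERTBOT="${CERTBOT:-certbot}"
LIVE_DIR="${LIVE_DIR:-/usr/local/etc/letsencrypt/live}"
PRE_HOOK="${PRE_HOOK:-service apache24 stop}"
POST_HOOK="${POST_HOOK:-service apache24 start}"
THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"

# Test renewal against the staging server. Nothing is written to disk, so
# this is the part that is safe to run every day from cron.
dry_run_renew() {
    "$CERTBOT" renew --dry-run --quiet
}

# Real renewal. The hooks stop and start apache24 around the standalone
# challenge, exactly as the crontab quoted in the thread does.
real_renew() {
    "$CERTBOT" renew --quiet --pre-hook "$PRE_HOOK" --post-hook "$POST_HOOK"
}

# Dry-run first; never touch the production renewal when the dry run fails,
# so a broken configuration shows up in mail from cron instead of as an
# expired certificate.
renew_safely() {
    if ! dry_run_renew; then
        echo "dry-run renewal failed; skipping real renewal" >&2
        return 1
    fi
    real_renew
}

# Pure-arithmetic form of the expiry check, so the threshold logic can be
# exercised without certificates: returns 0 when a certificate whose
# notAfter is NOT_AFTER (epoch seconds) expires within THRESHOLD days of NOW.
expires_within() {
    not_after=$1
    now=$2
    threshold=${3:-$THRESHOLD_DAYS}
    [ $(( not_after - now )) -lt $(( threshold * 86400 )) ]
}

# The same check against real certificates: openssl x509 -checkend exits
# non-zero when the certificate expires within the given number of seconds.
report_expiring() {
    for pem in "$LIVE_DIR"/*/cert.pem; do
        [ -f "$pem" ] || continue
        if ! openssl x509 -in "$pem" -noout \
                -checkend $(( THRESHOLD_DAYS * 86400 )) >/dev/null 2>&1; then
            echo "expires within ${THRESHOLD_DAYS} days: $pem"
        fi
    done
}

# Entry points for cron (hypothetical crontab lines):
#   15 2 * * * root /root/bin/le-renew.sh check
#   20 3 * * * root /root/bin/le-renew.sh renew
case "${1:-}" in
    check) report_expiring ;;
    renew) renew_safely ;;
esac
```

One caveat before putting the hooks on the real renewal only: certbot saves --pre-hook and --post-hook into the certificate's renewal configuration and reuses them on later renew runs, and it runs pre and post hooks on dry runs too (only deploy hooks are skipped). Once the real renewal has run with the hooks once, the daily dry run will therefore also stop and start apache24 unless the hooks are removed from the renewal configuration files under the letsencrypt directory; check what your certbot version's --help says about --dry-run if the brief outage matters.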