From: Valeri Galtsev
To: FreeBSD Mailing List
Subject: py37-certbot question
Date: Thu, 10 Sep 2020 16:48:16 -0500

Dear Experts,

I hope someone knows details of python3 based certbot. Namely, if run with "update" command, it updates certificates that will expire "soon". How soon, it doesn't say in the man page, just soon. Does someone know how close to expiration a cert should be to be considered by the script for renewal?

I have used certbot since its python 2 version, for quite some time actually, to renew LetsEncrypt certificates. With the python2 version in the past I ran a cron job daily and I was restarting apache from that same script if a certificate was updated. With the python3 version, when I switched to it, I followed somebody's HOWTO and just added to /etc/periodic.conf:

    weekly_certbot_enable="YES"
    weekly_certbot_service="apache24"

And was living happily ever since. However, one of the machines is about 4 days before expiration, and Letsencrypt sent me a notification: update cert. I checked, and crond is running, /etc/periodic.conf is as expected, and now, 4 days before expiration, the script (with --dry-run flag) indeed goes about renewing the cert. There is one weekly cron job set that will happen before actual expiration of my certs, so I somehow think all is OK and my cert will be renewed. But I am just curious how many days before expiration certbot does renew a certificate that will expire "soon". Or should I probably switch it over to a daily cron job?

As every lazy sysadmin, I do prefer to set things up so they definitely work without my attention. And I do not want to be reminded to do something if it will still happen on its own.

So, switch to daily cron job?

Thanks.
Valeri

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
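
Added example, not part of the original message and not certbot's own code: a check that counts how many scheduled renewal runs still fall before a certificate's expiry, comparing a weekly and a daily schedule for the situation described above. The 30-day renewal window, the certificate end date and the run times are assumptions constructed for illustration; the input line has the format printed by `openssl x509 -enddate -noout`.

```python
import ssl
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 30  # assumed renewal window; the message does not state one


def parse_enddate(line):
    """Parse the output of `openssl x509 -enddate -noout` into an aware datetime."""
    value = line.strip().split("=", 1)[-1]  # drop the "notAfter=" prefix
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def renewal_attempts(not_after, now, first_run, interval_days, window_days=WINDOW_DAYS):
    """Scheduled runs that are still ahead, inside the window, and before expiry."""
    window_start = not_after - timedelta(days=window_days)
    step = timedelta(days=interval_days)
    run = first_run
    while run < now:  # skip runs that have already happened
        run += step
    attempts = []
    while run < not_after:
        if run >= window_start:
            attempts.append(run)
        run += step
    return attempts


def report(enddate_line, now, schedules):
    """Map schedule name -> number of renewal attempts left before the cert expires."""
    not_after = parse_enddate(enddate_line)
    return {name: len(renewal_attempts(not_after, now, first, days))
            for name, (first, days) in schedules.items()}


# Constructed sample input: a certificate about 4 days from expiry, as in the message.
SAMPLE_ENDDATE = "notAfter=Sep 14 22:00:00 2020 GMT"
SAMPLE_NOW = datetime(2020, 9, 10, 21, 48, 16, tzinfo=timezone.utc)
SAMPLE_SCHEDULES = {  # (next run time, interval in days); run times are constructed
    "weekly": (datetime(2020, 9, 12, 4, 15, tzinfo=timezone.utc), 7),
    "daily": (datetime(2020, 9, 11, 3, 1, tzinfo=timezone.utc), 1),
}

if __name__ == "__main__":
    for name, left in report(SAMPLE_ENDDATE, SAMPLE_NOW, SAMPLE_SCHEDULES).items():
        print(f"{name}: {left} renewal attempt(s) left before expiry")
```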