Date:      Mon, 09 Sep 2019 08:26:02 -0400
From:      "Dan Langille" <dan@langille.org>
To:        "Thomas Zander via freebsd-security" <freebsd-security@freebsd.org>
Subject:   Re: Let's Encrypt
Message-ID:  <aa51af5b-c32e-47d1-9bf8-13e170c77f8b@www.fastmail.com>
In-Reply-To: <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info>
References:  <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info>

On Mon, Sep 9, 2019, at 6:12 AM, Trond Endrestøl wrote:
> On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote:
>
> > The majority is for py-certbot, so I'll probably use it. Thank you.
>
> I have found it prudent to run certbot twice a month from cron(8),
> just to be safe.
>
> Last year, I had one case where the certificate expired a few hours
> before the next run of certbot. Had I run certbot on the 1st and on
> the 15th day of each month, then the certificates would have been
> updated ahead of their expiration.
>
> E.g.:
>
> #minute	hour	mday	month	wday	who	command
>
> 52	4	1	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> 52	1	15	*	*	root	certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"


Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues.

I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire.

Should the cert-renewal process not run on a given day, no big deal, it runs the next day. I had considered running it less frequently, but settled on daily.

-- 
  Dan Langille
  dan@langille.org



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?aa51af5b-c32e-47d1-9bf8-13e170c77f8b>