Date: Mon, 09 Sep 2019 08:26:02 -0400 From: "Dan Langille" <dan@langille.org> To: "Thomas Zander via freebsd-security" <freebsd-security@freebsd.org> Subject: Re: Let's Encrypt Message-ID: <aa51af5b-c32e-47d1-9bf8-13e170c77f8b@www.fastmail.com> In-Reply-To: <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info> References: <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Sep 9, 2019, at 6:12 AM, Trond Endrestøl wrote: > On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote: > > > The majority is for py-certbot, so I'll probably use it. Thank you. > > I have found it prudent to run certbot twice a month from cron(8), > just to be safe. > > Last year, I had one case where the certificate expired a few hours > before the next run of certbot. Had I run certbot on the 1st and on > the 15th day of each month, then the certificates would have been > updated ahead of their expiration. > > E.g.: > > #minute hour mday month wday who command > > 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 > stop" --post-hook "service apache24 start" > 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 > stop" --post-hook "service apache24 start" Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues. I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire. Should the cert-renewal process not run on a given day, no big deal, it runs the next day. I had considered running it less frequently, but settled on daily. -- Dan Langille dan@langille.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?aa51af5b-c32e-47d1-9bf8-13e170c77f8b>