From owner-freebsd-security@freebsd.org Mon Sep 9 12:26:26 2019
Date: Mon, 09 Sep 2019 08:26:02 -0400
From: "Dan Langille" <dan@langille.org>
To: "Thomas Zander via freebsd-security"
Subject: Re: Let's Encrypt
References: <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru>
List-Id: "Security issues [members-only posting]"

On Mon, Sep 9, 2019, at 6:12 AM, Trond Endrestøl wrote:
> On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote:
>
> > The majority is for py-certbot, so I'll probably use it. Thank you.
>
> I have found it prudent to run certbot twice a month from cron(8),
> just to be safe.
>
> Last year, I had one case where the certificate expired a few hours
> before the next run of certbot. Had I run certbot on the 1st and on
> the 15th day of each month, then the certificates would have been
> updated ahead of their expiration.
>
> E.g.:
>
> #minute hour mday month wday who command
>
> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"
> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24 stop" --post-hook "service apache24 start"

Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues.

I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire.

Should the cert-renewal process not run on a given day, no big deal, it runs the next day. I had considered running it less frequently, but settled on daily.

-- 
Dan Langille
dan@langille.org
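As an added illustration that is not part of this message or the thread, the following Python simulation compares the three cron schedules under discussion (a single run per month, the 1st-and-15th schedule Trond now uses, and the daily run Dan uses) by the worst-case number of days left on the certificate when a run finally renews it. It assumes a 90-day Let's Encrypt certificate lifetime and that `certbot renew` only acts when fewer than 30 days remain (its default threshold), modelled at day granularity.

```python
from datetime import date, timedelta

# Assumptions (not stated in the thread): Let's Encrypt certificates are
# valid for 90 days, and `certbot renew` only acts when fewer than 30 days
# remain. Time is modelled at whole-day granularity.
LIFETIME_DAYS = 90
RENEW_BEFORE_DAYS = 30


def run_dates(start, end, mdays=None):
    """Dates between start and end (inclusive) on which the cron job fires.
    mdays=None means every day; otherwise a set of days-of-month."""
    d = start
    while d <= end:
        if mdays is None or d.day in mdays:
            yield d
        d += timedelta(days=1)


def first_renewal_margin(issued, runs):
    """Days left on the certificate at the run that finally renews it.
    A negative value means the certificate had already expired."""
    expiry = issued + timedelta(days=LIFETIME_DAYS)
    for r in runs:
        if r <= issued:
            continue
        remaining = (expiry - r).days
        if remaining < RENEW_BEFORE_DAYS:
            return remaining
    return None  # no run inside the simulated window renewed it


def worst_case_margin(mdays=None, year=2019):
    """Minimum margin over every possible issue date in `year`."""
    runs = list(run_dates(date(year, 1, 1), date(year + 1, 12, 31), mdays))
    margins = []
    d = date(year, 1, 1)
    while d.year == year:
        m = first_renewal_margin(d, runs)
        if m is not None:
            margins.append(m)
        d += timedelta(days=1)
    return min(margins)


if __name__ == "__main__":
    # Expected: monthly -1 (expired a day early), 1st+15th 13, daily 29.
    for label, mdays in [("monthly (1st)", {1}),
                         ("twice monthly (1st, 15th)", {1, 15}),
                         ("daily", None)]:
        print(f"{label:26s} worst-case days left at renewal: {worst_case_margin(mdays)}")
```

A negative worst case for the monthly schedule is exactly the gap Trond hit: a 31-day month between runs can outlast the 30-day renewal window.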