From: Gary Aitken <freebsd@dreamchaser.org>
Subject: Re: py37-certbot question
To: Valeri Galtsev, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Date: Thu, 10 Sep 2020 21:26:34 -0600

On 9/10/20 3:48 PM, Valeri Galtsev wrote:
> I hope, someone knows details of python3 based certbot. Namely, if
> run with "update" command, it updated certificates that will expire
> "soon". How soon, it doesn't say in man page, just soon. Does someone
> know how close to expiration cert should be to be considered by the
> script for renewal.

30 days. If you try to renew before that it doesn't renew.
Unfortunately, that's less than the 31 days in some months, so a
monthly cron job won't do it. I work on a ubuntu system with it set
to weekly and for the first two months I get a weekly report from the
cron job showing it tried to renew but didn't because there was too
much time left on the certs.

On my fbsd system I manually renew. My notes from 2019 say it is
necessary to stop the server before renewing because certbot starts
its own temporary one to do the upgrade. So I do the sequence:

  service apache24 stop
  certbot renew
  service apache24 start

It may be the py37 version stops and restarts the server; I haven't
tried it without stopping the server so I don't know.

> I use certbot since its python 2 version - for quite some time
> actually to renew LetsEncrypt certificates. With python2 version in
> the past I run cron job daily and I was restarting apache from that
> same script if certificate was updated. With python3 version when I
> switched to it I followed somebody's HOWTO, and just added to
> /etc/periodic.conf:
>
> weekly_certbot_enable="YES"
> weekly_certbot_service="apache24"
>
> And was living happily ever since. However, one of the machines is
> about 4 days before expiration, Letsencrypt sent me notification:
> update cert. I checked, and crond is running, /etc/periodic.conf is
> as expected, and now, 4 days before expiration script (with --dry run
> flag) indeed goes about renewing the cert. There is one weekly cron
> job set that will happen before actual expiration of my certs, so I
> somehow think all is OK and my cert will be renewed.
>
> But I am just curious how many days before expiration certbot does
> renew certificate that will expire "soon".

If it has been running weekly as a cron job, it should have been
renewed about three weeks ago. It should renew on the first attempt
that is less than 30 days until expiration. So it sounds like it is
attempting to renew but failing. It may be that if the server isn't
stopped it won't renew because it can't acquire the necessary port.

> Or should I probably switch it over to daily cron job?

That should not be necessary; weekly will work.

Gary
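The two points in this exchange, the 30-day renewal window and the stop / renew / start sequence around certbot, put together as a small script. This is an added example, not code from the thread or from certbot itself: it reads the certificate's notAfter through the `openssl x509 -enddate` CLI, applies the 30-day window the reply describes, and only then stops apache24, runs `certbot renew`, and restarts apache24 (the restart is in a `finally` so a failed renewal, like the one Gary suspects on Valeri's machine, does not leave the web server down). The certificate path passed on the command line and the `apache24` service name are assumptions taken from the thread's FreeBSD context; the `run` parameter exists so the sequence can be exercised without touching a real system.

```python
"""Check whether a Let's Encrypt certificate is inside certbot's renewal
window and, if so, renew it with the web server stopped.
Hypothetical helper written for this thread; not part of certbot."""
import subprocess
from datetime import datetime, timedelta, timezone

# certbot renews once fewer than 30 days remain (per the reply in the thread)
RENEW_WITHIN_DAYS = 30


def parse_not_after(enddate_line):
    """Parse the 'notAfter=Sep 10 12:00:00 2020 GMT' line printed by
    `openssl x509 -enddate -noout` into an aware UTC datetime."""
    _, _, value = enddate_line.strip().partition("=")
    value = " ".join(value.split())  # openssl pads single-digit days with two spaces
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Whole days until expiry, rounded down (negative once expired)."""
    return (not_after - now) // timedelta(days=1)


def renewal_due(not_after, now, window_days=RENEW_WITHIN_DAYS):
    """True when fewer than `window_days` days remain on the certificate,
    i.e. when a `certbot renew` run would actually do something."""
    return not_after - now < timedelta(days=window_days)


def cert_not_after(pem_path):
    """Read notAfter from a PEM certificate on disk via the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", pem_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_not_after(out)


def renew_with_service_stopped(service="apache24", run=subprocess.run):
    """The stop / renew / start sequence from the thread. certbot's temporary
    standalone server needs the port the web server holds, so the server is
    stopped first; the restart sits in `finally` so a failed renewal never
    leaves the site down."""
    run(["service", service, "stop"], check=True)
    try:
        run(["certbot", "renew"], check=True)
    finally:
        run(["service", service, "start"], check=True)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        # assumed path layout of the FreeBSD certbot port, e.g.
        # /usr/local/etc/letsencrypt/live/<domain>/cert.pem
        sys.exit("usage: renew_check.py /path/to/cert.pem")
    not_after = cert_not_after(sys.argv[1])
    now = datetime.now(timezone.utc)
    print(f"expires {not_after:%Y-%m-%d}, {days_remaining(not_after, now)} days left")
    if renewal_due(not_after, now):
        renew_with_service_stopped("apache24")
    else:
        print("not inside the renewal window yet; certbot would do nothing")
```

Run weekly, the check mirrors what the thread expects: for roughly two months after issuance `renewal_due` is false and nothing is touched, and the first weekly run that lands under 30 days performs the renewal with the server stopped. If a certificate is still unrenewed four days before expiry with the cron job in place, as in Valeri's case, the interesting output is certbot's own error from the `renew` step rather than the window arithmetic.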