From: Andrea Venturoli
To: Dan Langille, Thomas Zander via freebsd-security
Subject: Re: Let's Encrypt
Date: Mon, 9 Sep 2019 14:30:15 +0200

On 2019-09-09 14:26, Dan Langille wrote:

> Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues.
>
> I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire.

Same here: Nagios will alert me in case acme.sh is not doing its job (daily), although this has almost never happened.

bye
av.
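
The expiry alert discussed in this thread can be sketched as a Nagios-style check; this is an added example, not part of the original message and not either poster's actual configuration. It assumes the plugin is fed the `notAfter=` line printed by `openssl x509 -enddate -noout`; the 28-day warning threshold comes from the thread, while the 7-day critical threshold and the function names are assumptions.

```python
import ssl
import sys
from datetime import datetime, timezone

# Standard Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

WARN_DAYS = 28  # "less than 28 days left" (from the thread)
CRIT_DAYS = 7   # assumption: the thread gives no critical threshold


def days_left(enddate_line, now):
    """Whole days until expiry, given e.g. 'notAfter=Dec  8 12:30:27 2019 GMT'."""
    stamp = enddate_line.strip().split("=", 1)[-1]
    expiry = ssl.cert_time_to_seconds(stamp)  # ValueError on malformed input
    return int((expiry - now.timestamp()) // 86400)


def check(enddate_line, now=None):
    """Return (exit_code, status_line) following Nagios plugin conventions."""
    now = now or datetime.now(timezone.utc)
    try:
        days = days_left(enddate_line, now)
    except ValueError:
        # A missing or unreadable certificate must not look like a healthy one.
        return UNKNOWN, f"CERT UNKNOWN - cannot parse {enddate_line.strip()!r}"
    if days < 0:
        return CRITICAL, f"CERT CRITICAL - expired {-days} day(s) ago"
    if days < CRIT_DAYS:
        return CRITICAL, f"CERT CRITICAL - {days} day(s) left"
    if days < WARN_DAYS:
        # With daily renewal attempts, reaching this state means renewal is failing.
        return WARNING, f"CERT WARNING - {days} day(s) left, renewal overdue"
    return OK, f"CERT OK - {days} day(s) left"


if __name__ == "__main__":
    # Usage: openssl x509 -enddate -noout -in cert.pem | python3 check_cert_days.py
    code, message = check(sys.stdin.readline())
    print(message)
    sys.exit(code)
```
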