Date:      Mon, 9 Sep 2019 08:36:49 -0400
From:      Dan Langille <dan@langille.org>
To:        Andrea Venturoli <ml@netfence.it>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Let's Encrypt
Message-ID:  <570B03B2-AAE8-4C1E-A853-5CC481FBF887@langille.org>
In-Reply-To: <4fd6edce-5180-aab4-e265-bf30841d2065@netfence.it>
References:  <20190908145835.GA67269@admin.sibptus.ru> <20190909090605.GA97856@admin.sibptus.ru> <alpine.BSF.2.21.99999.352.1909091206360.18927@enterprise.ximalas.info> <aa51af5b-c32e-47d1-9bf8-13e170c77f8b@www.fastmail.com> <4fd6edce-5180-aab4-e265-bf30841d2065@netfence.it>

> On Sep 9, 2019, at 8:30 AM, Andrea Venturoli <ml@netfence.it> wrote:
> 
> On 2019-09-09 14:26, Dan Langille wrote:
> 
>> Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues.
>> I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire.
> 
> Same here: Nagios will alert me in case acme.sh is not doing its job (daily), although this has almost never happened.

My Nagios alerts are on the certs. It monitors the certs on the services: e.g. www.freshports.org

Those alerts let me know if there are any issues in the cert distribution chain: my certs are renewed on one host, and then automagically deployed across multiple servers (and jails on other hosts).

I do not have Nagios monitoring day-to-day runs of acme.sh.

I use the (relatively new) notify feature on acme.sh to tell me if there were any errors during the renewal process:

   https://github.com/Neilpang/acme.sh/wiki/notify

Some might think: that's not good enough. What if cert fails to run and the certs don't get renewed in time?

Monitoring of the deployed scripts will let me know of that. Certs are renewed with 30 days remaining. Alerts trigger at 28 days. That is enough time to fix anything broken.


— 
Dan Langille
http://langille.org/
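The monitoring Dan describes, a check that looks at the certificate actually served by each host rather than at whether acme.sh ran, written here as a Nagios-style plugin. This is an added example, not Dan's Nagios configuration or anything from acme.sh; it uses only the Python standard library. The thresholds (warn below 28 days, matching the message; critical below 7 days, an assumption for this example), the fixed "now" used for offline testing, and the sample notAfter strings are all constructed.

```python
#!/usr/bin/env python3
"""Nagios-style check for the days remaining on a deployed TLS certificate.

Added example (not code from the original message): exits 0/1/2/3 like a
Nagios plugin so it can back the 28-day alert described in the thread.
"""
import argparse
import calendar
import socket
import ssl
import sys
import time

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# Thresholds: acme.sh renews with 30 days left, so warning at 28 days (from the
# message) means two daily runs have failed to deploy a fresh cert. CRITICAL at
# 7 days is an assumption made for this example.
DEFAULT_WARN_DAYS = 28
DEFAULT_CRIT_DAYS = 7

# Constructed "now" for offline use: 2019-09-09 12:00:00 UTC (the thread's date).
EXAMPLE_NOW = calendar.timegm((2019, 9, 9, 12, 0, 0))


def days_remaining(not_after, now=None):
    """Whole days until the certificate's notAfter (negative once expired).

    not_after uses the format ssl.getpeercert() returns, e.g.
    'Oct  9 12:00:00 2019 GMT'; ssl.cert_time_to_seconds parses it as UTC.
    """
    if now is None:
        now = time.time()
    expires = ssl.cert_time_to_seconds(not_after)
    return int((expires - now) // 86400)


def check_not_after(not_after, now=None, warn=DEFAULT_WARN_DAYS, crit=DEFAULT_CRIT_DAYS):
    """Map days remaining to a (exit_code, message) pair."""
    days = days_remaining(not_after, now)
    if days < 0:
        return CRITICAL, "CRITICAL: certificate expired %d day(s) ago (notAfter=%s)" % (-days, not_after)
    if days < crit:
        state = CRITICAL
    elif days < warn:
        state = WARNING
    else:
        state = OK
    return state, "%s: certificate expires in %d day(s) (notAfter=%s)" % (STATE_NAMES[state], days, not_after)


def fetch_not_after(host, port=443, timeout=10):
    """Read notAfter from the certificate actually served on host:port.

    A verifying default context is used so getpeercert() returns the parsed
    certificate, and SNI is sent so a virtual-hosted cert is checked rather
    than the server's default one.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def main(argv=None):
    parser = argparse.ArgumentParser(description="check TLS certificate expiry")
    parser.add_argument("host")
    parser.add_argument("-p", "--port", type=int, default=443)
    parser.add_argument("-w", "--warn", type=int, default=DEFAULT_WARN_DAYS)
    parser.add_argument("-c", "--crit", type=int, default=DEFAULT_CRIT_DAYS)
    args = parser.parse_args(argv)
    try:
        not_after = fetch_not_after(args.host, args.port)
    except (OSError, KeyError) as exc:
        # A failed connection, handshake or chain verification is itself
        # something the deployment monitoring should surface.
        print("UNKNOWN: could not read certificate from %s:%d: %s" % (args.host, args.port, exc))
        return UNKNOWN
    state, message = check_not_after(not_after, warn=args.warn, crit=args.crit)
    print(message)
    return state


if __name__ == "__main__":
    sys.exit(main())
```

Run as `check_cert_expiry.py www.example.org -w 28 -c 7` from a Nagios command definition. Because it inspects the certificate on the wire, it catches the case the notify feature cannot: a renewal that succeeded on the acme.sh host but never reached a particular server or jail.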

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?570B03B2-AAE8-4C1E-A853-5CC481FBF887>