From: Dan Langille <dan@langille.org>
Subject: Re: Let's Encrypt
Date: Mon, 9 Sep 2019 08:36:49 -0400
To: Andrea Venturoli
Cc: freebsd-security@freebsd.org
Message-Id: <570B03B2-AAE8-4C1E-A853-5CC481FBF887@langille.org>
In-Reply-To: <4fd6edce-5180-aab4-e265-bf30841d2065@netfence.it>
List-Id: "Security issues [members-only posting]"

> On Sep 9, 2019, at 8:30 AM, Andrea Venturoli wrote:
>
> On 2019-09-09 14:26, Dan Langille wrote:
>
>> Whereas, I run acme.sh on a daily basis. My goal: renew certificates at their earliest possibility. This gives me the maximum time to fix any issues.
>> I combine the above with monitoring to raise alerts if any tickets have less than 28 days left before they expire.
>
> Same here: Nagios will alert me in case acme.sh is not doing its job (daily), although this has almost never happened.

My Nagios alerts are on the certs. It monitors the certs on the services: e.g.
www.freshports.org

Those alerts let me know if there are any issues in the cert distribution chain: my certs are renewed on one host, and then automagically deployed across multiple servers (and jails on other hosts).

I do not have Nagios monitoring day-to-day runs of acme.sh.

I use the (relatively new) notify feature of acme.sh to tell me if there were any errors during the renewal process: https://github.com/Neilpang/acme.sh/wiki/notify

Some might think: that's not good enough. What if the cert fails to run and the certs don't get renewed in time?

Monitoring of the deployed scripts will let me know of that. Certs are renewed with 30 days remaining. Alerts trigger at 28 days. That is enough time to fix anything broken.

—
Dan Langille
http://langille.org/
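The approach described in the message above, monitoring the certificate a service actually presents rather than the renewal job, can be expressed as a small Nagios-style check. The script below is an added example written for this page; it is not Dan Langille's or the FreeBSD project's code. The 28-day WARNING threshold matches the thread (renewal at 30 days, alert at 28); the 7-day CRITICAL threshold, the `--port` handling and the host names in the usage line are assumptions of this example. It relies only on the Python standard library and keeps certificate verification enabled, because with verification off `getpeercert()` returns an empty dict and there would be nothing to check.

```python
"""Nagios-style check of the TLS certificate a host actually serves.

Exit codes follow the Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL.
"""
import socket
import ssl
import sys
import time
from typing import Callable, Optional, Tuple

# From the thread: certs are renewed with 30 days left and alerts fire at 28.
RENEW_DAYS = 30
WARN_DAYS = 28
# Assumption of this example: escalate to CRITICAL inside the last week.
CRIT_DAYS = 7

SECONDS_PER_DAY = 86400.0


def expiry_epoch(not_after: str) -> float:
    """Parse an OpenSSL-style notAfter string such as 'Sep  9 12:36:52 2019 GMT'
    (the format ssl.getpeercert() returns) into seconds since the epoch, UTC."""
    return float(ssl.cert_time_to_seconds(not_after))


def days_remaining(not_after: str, now: Optional[float] = None) -> float:
    """Days until the certificate expires, relative to `now` (default: wall clock)."""
    now = time.time() if now is None else now
    return (expiry_epoch(not_after) - now) / SECONDS_PER_DAY


def classify(days: float, warn: float = WARN_DAYS, crit: float = CRIT_DAYS) -> Tuple[int, str]:
    """Map days-remaining to a Nagios state code and label."""
    if days <= crit:
        return 2, "CRITICAL"
    if days <= warn:
        return 1, "WARNING"
    return 0, "OK"


def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Connect with full verification (chain and hostname) and return notAfter.

    Verification must stay on: with CERT_NONE, getpeercert() returns {} and the
    check would silently pass. An expired or otherwise invalid chain raises
    ssl.SSLError, which check_host turns into CRITICAL instead of a crash.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(
    host: str,
    port: int = 443,
    now: Optional[float] = None,
    fetch: Callable[[str, int], str] = fetch_not_after,
) -> Tuple[int, str]:
    """Return (exit_code, message) for one host. `fetch` is injectable for testing."""
    try:
        not_after = fetch(host, port)
    except (OSError, ssl.SSLError, KeyError) as exc:
        # Handshake/verification failure is itself an outage worth paging on.
        return 2, f"CRITICAL - {host}:{port} TLS handshake failed: {exc}"
    days = days_remaining(not_after, now)
    code, label = classify(days)
    note = "" if days > RENEW_DAYS else " (past the renewal point; check the deploy chain)"
    return code, f"{label} - {host}:{port} expires in {days:.1f} days ({not_after}){note}"


def main(argv) -> int:
    """Usage: check_cert.py host[:port] [host[:port] ...]; exits with the worst state."""
    worst = 0
    for target in argv[1:]:
        host, _, port = target.partition(":")
        code, msg = check_host(host, int(port) if port else 443)
        print(msg)
        worst = max(worst, code)
    return worst


if __name__ == "__main__":
    # Example targets are illustrative; run against your own deployed services.
    sys.exit(main(sys.argv if len(sys.argv) > 1 else [sys.argv[0], "www.freshports.org"]))
```

Run it from cron or as a Nagios command against every host the renewed certificate is deployed to, not just the host where acme.sh runs; a failure anywhere in the distribution chain then shows up as the same WARNING at 28 days, leaving the two days between renewal and alert to investigate.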