From owner-freebsd-questions@freebsd.org Sat Sep 12 16:24:05 2020 Return-Path: Delivered-To: freebsd-questions@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 5345F3DC65E for ; Sat, 12 Sep 2020 16:24:05 +0000 (UTC) (envelope-from galtsev@kicp.uchicago.edu) Received: from kicp.uchicago.edu (kicp.uchicago.edu [128.135.20.70]) by mx1.freebsd.org (Postfix) with ESMTP id 4BpdH844vgz4B6P for ; Sat, 12 Sep 2020 16:24:04 +0000 (UTC) (envelope-from galtsev@kicp.uchicago.edu) Received: from [192.168.43.231] (unknown [172.58.142.139]) (Authenticated sender: galtsev) by kicp.uchicago.edu (Postfix) with ESMTPSA id 132DE4E64D; Sat, 12 Sep 2020 11:17:08 -0500 (CDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\)) Subject: Re: py37-certbot question From: Valeri Galtsev In-Reply-To: <20200912055706.GB19136@neutralgood.org> Date: Sat, 12 Sep 2020 11:17:06 -0500 Cc: Gary Aitken , FreeBSD Mailing List Content-Transfer-Encoding: quoted-printable Message-Id: <5B49B57A-4867-4081-8C55-5DCE95BC5B93@kicp.uchicago.edu> References: <20200912055706.GB19136@neutralgood.org> To: "Kevin P. Neal" X-Mailer: Apple Mail (2.3608.120.23.2.1) X-Rspamd-Queue-Id: 4BpdH844vgz4B6P X-Spamd-Bar: ++++++++++++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=fail reason="No valid SPF, No valid DKIM" header.from=uchicago.edu (policy=none); spf=none (mx1.freebsd.org: domain of galtsev@kicp.uchicago.edu has no SPF policy when checking 128.135.20.70) smtp.mailfrom=galtsev@kicp.uchicago.edu X-Spamd-Result: default: False [12.07 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; RECEIVED_SPAMHAUS_CSS(4.00)[172.58.142.139:received]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; MV_CASE(0.50)[]; RECEIVED_SPAMHAUS_XBL(5.00)[172.58.142.139:received]; MIME_GOOD(-0.10)[text/plain]; NEURAL_SPAM_SHORT(0.64)[0.636]; NEURAL_SPAM_MEDIUM(0.87)[0.875]; GREYLIST(0.00)[pass,body]; RECEIVED_SPAMHAUS_PBL(0.00)[172.58.142.139:received]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; NEURAL_SPAM_LONG(0.96)[0.956]; R_SPF_NA(0.00)[no SPF record]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:160, ipnet:128.135.0.0/16, country:US]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-questions]; DMARC_POLICY_SOFTFAIL(0.10)[uchicago.edu : No valid SPF, No valid DKIM,none] X-Spam: Yes X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Sep 2020 16:24:05 -0000 > On Sep 12, 2020, at 12:57 AM, Kevin P. Neal = wrote: >=20 > On Thu, Sep 10, 2020 at 09:26:34PM -0600, Gary Aitken wrote: >> On by fbsd system I manually renew. My notes from 2019 say it is = necessary >> to stop the server before renewing because certbot starts its own = temporary >> one to do the upgrade. So I do the sequence: >> service apache24 stop >> certbot renew >> service apache24 start >>=20 >> It may be the py37 version stops and restarts the server; I haven't = tried it >> without stopping the server so I don't know. >=20 >> If it has been running weekly as a cron job, it should have been = renewed >> about three weeks ago. It should renew on the first attempt that is = less >> than 30 days until expiration. So it sounds like it is attempting to >> renew but failing. It may be that if the server isn't stopped it = won't >> renew because it can't acquire the necessary port. >=20 > Wait, that doesn't sound right. I never, ever stop services to run = certbot > renew. Ever. I have it so that it reaches into the DocumentRoot(s) of = the > relevant virtual server(s) for the verification step. Then I copy the = new > certs to the relevant locations and bounce servers at that point. But = a > service outage is not required. >=20 > I even have my http servers redirect all traffic to the https server = EXCEPT > for the certbot traffic. It's another example of mod_rewrite being one = of > the most powerful tools around IMHO. >=20 > [kpn@gunsight1 ~]$ pkg info | grep certbot > py37-certbot-1.7.0,1 Let's Encrypt client > [kpn@gunsight1 ~]$=20 >=20 Thank you, Gary and Kevin. I just had yet another cron.weekly happen = this morning, and the cert was not renewed. So, I run certbot renew = manually, and restarted apache. My trouble is in the way I configured = renewal cron job following somebody=E2=80=99s HOWTO, I will switch back = to just a cron job with appropriate explicit =E2=80=9Ccertbot renew = =E2=80=A6=E2=80=9D command after I check that python3 based certbot does = have --post-hook to restart apache in the event of successful cert = renewal. I=E2=80=99m sure Kevin is right: web server must be running when certbot = attempts to renew cert. It is necessary, as LetsEncrypt verifies that = whatever requests cert is capable of writing challenge sent to it into = we directory. Thanks again, everybody! Valeri > --=20 > Kevin P. Neal = http://www.pobox.com/~kpn/ >=20 > "What is mathematics? The age-old answer is, of course, that = mathematics > is what mathematicians do." - Donald Knuth > _______________________________________________ > freebsd-questions@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to = "freebsd-questions-unsubscribe@freebsd.org"