From owner-freebsd-questions@freebsd.org Sat Sep 12 18:58:44 2020
Date: Sat, 12 Sep 2020 12:58:38 -0600 (MDT)
From: Dale Scott
To: Valeri Galtsev
Cc: "Kevin P. Neal", freebsd-questions
Subject: Re: py37-certbot question

Keep in mind there are several use cases for LetsEncrypt. When I used LetsEncrypt to create a certificate I used the port 80 authentication method and had to shut down apache during the procedure (restarting afterwards). Using certbot to renew the certificate is a different process and does not require shutting down services using port 80.

----- Original Message -----
> From: "Valeri Galtsev"
> To: "Kevin P. Neal"
> Cc: "freebsd-questions"
> Sent: Saturday, September 12, 2020 10:17:06 AM
> Subject: Re: py37-certbot question
>
>> On Sep 12, 2020, at 12:57 AM, Kevin P. Neal wrote:
>>
>> On Thu, Sep 10, 2020 at 09:26:34PM -0600, Gary Aitken wrote:
>>> On my fbsd system I manually renew. My notes from 2019 say it is necessary
>>> to stop the server before renewing because certbot starts its own temporary
>>> one to do the upgrade. So I do the sequence:
>>> service apache24 stop
>>> certbot renew
>>> service apache24 start
>>>
>>> It may be the py37 version stops and restarts the server; I haven't tried it
>>> without stopping the server so I don't know.
>>
>>> If it has been running weekly as a cron job, it should have been renewed
>>> about three weeks ago. It should renew on the first attempt that is less
>>> than 30 days until expiration. So it sounds like it is attempting to
>>> renew but failing. It may be that if the server isn't stopped it won't
>>> renew because it can't acquire the necessary port.
>>
>> Wait, that doesn't sound right. I never, ever stop services to run certbot
>> renew. Ever. I have it so that it reaches into the DocumentRoot(s) of the
>> relevant virtual server(s) for the verification step. Then I copy the new
>> certs to the relevant locations and bounce servers at that point. But a
>> service outage is not required.
>>
>> I even have my http servers redirect all traffic to the https server EXCEPT
>> for the certbot traffic. It's another example of mod_rewrite being one of
>> the most powerful tools around IMHO.
>>
>> [kpn@gunsight1 ~]$ pkg info | grep certbot
>> py37-certbot-1.7.0,1 Let's Encrypt client
>> [kpn@gunsight1 ~]$
>>
>
> Thank you, Gary and Kevin. I just had yet another cron.weekly happen this
> morning, and the cert was not renewed. So, I ran certbot renew manually, and
> restarted apache. My trouble is in the way I configured the renewal cron job
> following somebody's HOWTO. I will switch back to just a cron job with an
> appropriate explicit "certbot renew …" command after I check that python3-based
> certbot does have --post-hook to restart apache in the event of successful cert
> renewal.
>
> I'm sure Kevin is right: the web server must be running when certbot attempts to
> renew the cert. It is necessary, as LetsEncrypt verifies that whatever requests
> the cert is capable of writing the challenge sent to it into the web directory.
>
> Thanks again, everybody!
>
> Valeri
>
>> --
>> Kevin P. Neal http://www.pobox.com/~kpn/
>>
>> "What is mathematics? The age-old answer is, of course, that mathematics
>> is what mathematicians do." - Donald Knuth
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
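As an added example (not from any poster in this thread), here is an Apache HTTP vhost laid out the way Kevin describes and with the hook Valeri is looking for: the webroot authenticator writes the challenge under the DocumentRoot so apache keeps running, the HTTP-to-HTTPS redirect exempts the ACME challenge path, and renewal restarts apache only when a certificate was actually issued. The ServerName, the DocumentRoot (FreeBSD's apache24 default) and the certbot path are assumptions; adjust them for the real host.

```apache
# Added example, not from the thread. Assumed: ServerName example.org,
# the FreeBSD apache24 default DocumentRoot, certbot in /usr/local/bin.
#
# Matching certbot usage (webroot authenticator: certbot never binds
# port 80 itself, so apache stays up during issuance and renewal):
#   certbot certonly --webroot -w /usr/local/www/apache24/data -d example.org
#
# Renewal from root's crontab. --deploy-hook runs once per certificate
# that was actually renewed, so apache is restarted only on success and
# left alone on the runs where nothing is due:
#   0 3 * * * /usr/local/bin/certbot renew --quiet \
#       --deploy-hook "service apache24 restart"
#
# Exercise the whole path against the staging CA without touching the
# live certificate:
#   certbot renew --dry-run

<VirtualHost *:80>
    ServerName example.org
    DocumentRoot "/usr/local/www/apache24/data"

    # Let's Encrypt fetches /.well-known/acme-challenge/<token> over plain
    # HTTP; serve that directory straight from the DocumentRoot ...
    <Directory "/usr/local/www/apache24/data/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # ... and redirect everything else to HTTPS (Kevin's mod_rewrite
    # exception). Without the RewriteCond the challenge request would be
    # redirected as well, making validation depend on the HTTPS vhost
    # instead of being answered directly by this one.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```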