From: Valeri Galtsev
To: Dale Scott
Cc: "Kevin P. Neal", freebsd-questions
Date: Sat, 12 Sep 2020 14:22:41 -0500
Subject: Re: py37-certbot question
Message-Id: <17D28CE2-BC63-4CC2-BB4E-9436BF0530B1@kicp.uchicago.edu>
In-Reply-To: <1326116098.397847941.1599937118319.JavaMail.zimbra@shaw.ca>

> On Sep 12, 2020, at 1:58 PM, Dale Scott wrote:
>
> Keep in mind there are several use cases for LetsEncrypt. When I used LetsEncrypt to create a certificate I used the port 80 authentication method and had to shut down apache during the procedure (restarting afterwards). Using certbot to renew the certificate is a different process and does not require shutting down services using port 80.
>

Thank you, Dale! That is what Gary probably meant, and I, with my restricted knowledge of options, didn’t realize that. Sorry, Gary, about my comment; now with Dale’s explanation I know what you meant.

Valeri

> ----- Original Message -----
>> From: "Valeri Galtsev"
>> To: "Kevin P. Neal"
>> Cc: "freebsd-questions"
>> Sent: Saturday, September 12, 2020 10:17:06 AM
>> Subject: Re: py37-certbot question
>
>>> On Sep 12, 2020, at 12:57 AM, Kevin P. Neal wrote:
>>>
>>> On Thu, Sep 10, 2020 at 09:26:34PM -0600, Gary Aitken wrote:
>>>> On my fbsd system I manually renew. My notes from 2019 say it is necessary
>>>> to stop the server before renewing because certbot starts its own temporary
>>>> one to do the upgrade. So I do the sequence:
>>>> service apache24 stop
>>>> certbot renew
>>>> service apache24 start
>>>>
>>>> It may be the py37 version stops and restarts the server; I haven't tried it
>>>> without stopping the server so I don't know.
>>>
>>>> If it has been running weekly as a cron job, it should have been renewed
>>>> about three weeks ago. It should renew on the first attempt that is less
>>>> than 30 days until expiration. So it sounds like it is attempting to
>>>> renew but failing. It may be that if the server isn't stopped it won't
>>>> renew because it can't acquire the necessary port.
>>>
>>> Wait, that doesn't sound right. I never, ever stop services to run certbot
>>> renew. Ever. I have it so that it reaches into the DocumentRoot(s) of the
>>> relevant virtual server(s) for the verification step. Then I copy the new
>>> certs to the relevant locations and bounce servers at that point. But a
>>> service outage is not required.
>>>
>>> I even have my http servers redirect all traffic to the https server EXCEPT
>>> for the certbot traffic. It's another example of mod_rewrite being one of
>>> the most powerful tools around IMHO.
>>>
>>> [kpn@gunsight1 ~]$ pkg info | grep certbot
>>> py37-certbot-1.7.0,1 Let's Encrypt client
>>> [kpn@gunsight1 ~]$
>>>
>>
>> Thank you, Gary and Kevin. I just had yet another cron.weekly happen this
>> morning, and the cert was not renewed. So, I ran certbot renew manually and
>> restarted apache. My trouble is in the way I configured the renewal cron job
>> following somebody’s HOWTO. I will switch back to just a cron job with an
>> appropriate explicit “certbot renew …” command after I check that the python3 based
>> certbot does have --post-hook to restart apache in the event of successful cert
>> renewal.
>>
>> I’m sure Kevin is right: the web server must be running when certbot attempts to
>> renew the cert. It is necessary, as LetsEncrypt verifies that whatever requests the
>> cert is capable of writing the challenge sent to it into the web directory.
>>
>> Thanks again, everybody!
>>
>> Valeri
>>
>>> --
>>> Kevin P. Neal                                http://www.pobox.com/~kpn/
>>>
>>> "What is mathematics? The age-old answer is, of course, that mathematics
>>> is what mathematicians do." - Donald Knuth
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
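A cron-runnable renewal wrapper along the lines of what Kevin and Valeri describe (webroot challenge served by the running apache, no service stop, apache reloaded only when a cert was actually renewed), written as an added example for this thread rather than anything posted in it. The DocumentRoot path, the certbot path, the script name renew-le.sh and the use of --deploy-hook instead of --post-hook are assumptions.

```shell
#!/bin/sh
# Weekly renewal wrapper for py37-certbot on a FreeBSD apache24 host.
# Added example for this thread; WEBROOT, CERTBOT and the script name are assumptions.
set -u

CERTBOT="${CERTBOT:-/usr/local/bin/certbot}"
WEBROOT="${WEBROOT:-/usr/local/www/apache24/data}"   # assumed DocumentRoot

# "standalone" binds :80 itself and collides with a running apache (the
# issuance case Dale describes); "webroot" writes the challenge into the
# DocumentRoot and needs apache up.  Returns 0 if the server must be stopped.
needs_server_stopped() {
    case "$1" in
        standalone) return 0 ;;
        webroot|apache) return 1 ;;
        *) echo "unknown authenticator: $1" >&2; return 2 ;;
    esac
}

# certbot writes to $1/.well-known/acme-challenge/; if that path cannot be
# created the challenge is never served and each cron run fails quietly.
challenge_dir_ok() {
    d="$1/.well-known/acme-challenge"
    mkdir -p "$d" 2>/dev/null && [ -w "$d" ]
}

# --deploy-hook runs only for a cert that actually renewed (--post-hook runs
# after any attempt), so apache is reloaded only when there is a new cert.
renew_cmd() {
    printf '%s renew --quiet --webroot -w %s --deploy-hook "service apache24 graceful"' \
        "$CERTBOT" "$1"
}

main() {
    challenge_dir_ok "$WEBROOT" || { echo "cannot write challenge dir under $WEBROOT" >&2; exit 1; }
    # Do NOT stop apache: the webroot challenge is fetched through the running server.
    service apache24 status >/dev/null 2>&1 || { echo "apache24 is not running" >&2; exit 1; }
    eval "$(renew_cmd "$WEBROOT")"
}

# Run only when invoked directly as the cron job, not when sourced.
if [ "$(basename "$0")" = "renew-le.sh" ]; then
    main "$@"
fi
```

Install it as root's cron job; certbot renew itself only acts on certificates within 30 days of expiry, so running it daily or weekly is harmless.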