Date: Sat, 12 Sep 2020 14:58:59 -0600
From: Bob Proulx
To: freebsd-questions@freebsd.org
Subject: Re: py37-certbot question
Message-ID: <20200912143911564877110@bob.proulx.com>
Valeri Galtsev wrote:
> I have used certbot since its python 2 version - for quite some time actually - to
> renew LetsEncrypt certificates. With the python2 version in the past I ran a cron
> job daily and I was restarting apache from that same script if the certificate
> was updated. With the python3 version, when I switched to it, I followed
> somebody's HOWTO and just added to /etc/periodic.conf:
>
> weekly_certbot_enable="YES"
> weekly_certbot_service="apache24"
...
> Or should I probably switch it over to a daily cron job?

Yes. Switch over to a daily cron job. And verify that email output from the cron job is successfully delivered and read so that problems can be seen and handled.

I recall daily being the usual recommended rate. But time passes and things change and I do not find any recommendation now.
Just their rate limits.

    https://letsencrypt.org/docs/rate-limits/

But all of my systems check daily. Monthly would be way too seldom and could be problematic. Weekly would likely be okay when everything always works perfectly. But daily seems more resilient when there are problems.

Remember that the client does not attempt a renewal unless the certificate expiration is within 30 days. Therefore the client will not attempt a renewal no matter how often it is invoked for the first two months. Then when the certificate is within 30 days of expiring it will attempt to renew it. If that succeeds then once again it stops trying for two months. If it fails then upon the next invocation, in all of my cases the next day, it will try again. If something has broken where it fails until manual intervention fixes things then at most it would try and fail once per day when invoked daily, and that is safely within the allowed rate limits and is not a problem.

Let me advocate for using "dehydrated" which is a simpler and IMNHO a much nicer client than the EFF "certbot".

    https://github.com/dehydrated-io/dehydrated

When I first set up Let's Encrypt I chose the EFF Certbot client. For probably all of the same reasons anyone does. It's from the EFF so it is likely to be the best one, right? However in practice I found Certbot to be quite the behemoth. It wants to maintain a full virtual python environment and on my systems that was about 50MB of downloads that it would routinely try to update. And upon system upgrades it would break and I would need to get in there and fix things. Not so nice.

Plus the user interface of it is not really to my liking. The way Certbot works is that it keeps its own state files in json format and one updates those using certbot commands. Rather like carving a sculpture in clay, you keep changing it until it is what you want and then you use it that way. This is fine of course. But it is not to my personal liking.
I much prefer simply having plain text configuration files that I can set all at once to what is needed. They can be copied from one system to another as a template for the new system and then hacked into the new one. And then I can keep those files in version control. Plus changes to those plain text files make plain text sense rather than json syntax sense.

So eventually I switched from 'certbot' to 'dehydrated'. It is a single shell script. It's simple. Dehydrated is relatively small as compared with certbot. I can read it and understand what it is doing. However so far I haven't needed to do so because it has simply Just Worked. And has Just Worked across multiple systems and OS upgrades.

If anyone reading this is like me and found Certbot to be large and unpleasantly heavy then perhaps give dehydrated a look. If you are like me then you might find it more suitable and more to your liking.

Note that I am in no way associated with the dehydrated project. I am simply a happy user of it.

Bob
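The renewal-window arithmetic Bob lays out above (no attempts for the first two months, then one attempt per invocation until one succeeds) is easy to check numerically. The following POSIX shell script is an added example for this thread, not code from the post, from certbot or from dehydrated. `simulate_cron` models a cron job run every N days against a 90-day certificate and reports how many attempts it makes, how many succeed, and how close to expiry the certificate got; `daily_run` is a minimal daily cron wrapper built on the same 30-day window, using `openssl x509 -checkend` as the pre-check and `certbot renew` for the actual renewal. The 90-day lifetime, the certificate path, the `apache24` service name and the `--run` convention are assumptions made for the example.

```shell
#!/bin/sh
# Daily Let's Encrypt renewal wrapper plus a small model of the renewal window.
# Added example for this thread; not code from the post, certbot or dehydrated.
# Assumptions (constructed): a 90-day certificate, the client's 30-day renewal
# window, apache24 as the service to restart, and the placeholder cert path.

CERT_LIFETIME_DAYS=90   # Let's Encrypt certificates are valid for 90 days
RENEW_DAYS=30           # the client only attempts renewal inside this window
CERT=${CERT:-/usr/local/etc/letsencrypt/live/EXAMPLE_DOMAIN/cert.pem}  # placeholder
SERVICE=${SERVICE:-apache24}

# Should this invocation attempt a renewal?  $1 = days left until expiry.
should_attempt() {
    [ "$1" -le "$RENEW_DAYS" ]
}

# True (exit 0) when day $1 appears in the space-separated failure list $2.
day_fails() {
    for d in $2; do
        [ "$d" -eq "$1" ] && return 0
    done
    return 1
}

# Model a cron job run every INTERVAL days for NDAYS days, starting DAYS_LEFT
# days before expiry.  Renewal fails on the days listed in FAIL_DAYS, so the
# certificate keeps ageing until a later invocation succeeds.
# Usage: simulate_cron DAYS_LEFT NDAYS INTERVAL [FAIL_DAYS]
# Prints: "<attempts> <successes> <minimum days left seen>"
simulate_cron() {
    days_left=$1; ndays=$2; interval=$3; fail_days=${4:-}
    attempts=0; successes=0; min_left=$days_left; day=0
    while [ "$day" -lt "$ndays" ]; do
        [ "$days_left" -lt "$min_left" ] && min_left=$days_left
        # cron fires only on multiples of the interval, and the client only
        # acts inside the 30-day window; otherwise the run is a no-op
        if [ $((day % interval)) -eq 0 ] && should_attempt "$days_left"; then
            attempts=$((attempts + 1))
            if ! day_fails "$day" "$fail_days"; then
                successes=$((successes + 1))
                days_left=$CERT_LIFETIME_DAYS   # fresh certificate issued
            fi
        fi
        days_left=$((days_left - 1))
        day=$((day + 1))
    done
    echo "$attempts $successes $min_left"
}

# Real daily run for cron.  Quiet when there is nothing to do; exits non-zero
# (so cron mails its output) when a renewal inside the window fails.
daily_run() {
    # -checkend fails when the certificate expires within the given seconds.
    if openssl x509 -noout -in "$CERT" -checkend $((RENEW_DAYS * 86400)); then
        echo "certificate valid for more than $RENEW_DAYS days; nothing to do"
        return 0
    fi
    echo "certificate inside the $RENEW_DAYS-day window; attempting renewal"
    if certbot renew --quiet; then
        service "$SERVICE" restart   # restart only when something changed
        echo "renewed and restarted $SERVICE"
    else
        echo "renewal failed; will retry on the next daily run" >&2
        return 1
    fi
}

# Invoke from cron as:  sh le-renew-daily.sh --run
if [ "${1:-}" = "--run" ]; then
    daily_run
fi
```

Running the model reproduces the thread's argument: a daily job makes exactly one attempt per 90-day period when everything works, and when the ACME side fails for three days it makes one extra attempt per day while the certificate still has 27 days left. A weekly job that fails three times drives the certificate down to six days of validity before it recovers, and a monthly job that fails once leaves one day. `certbot renew` already applies the 30-day rule on its own, so the `openssl -checkend` pre-check in `daily_run` is there to keep cron mail silent on the uneventful days and to make the window explicit.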