Date:      Sat, 12 Sep 2020 14:22:41 -0500
From:      Valeri Galtsev <galtsev@kicp.uchicago.edu>
To:        Dale Scott <dalescott@shaw.ca>
Cc:        "Kevin P. Neal" <kpn@neutralgood.org>, freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: py37-certbot question
Message-ID:  <17D28CE2-BC63-4CC2-BB4E-9436BF0530B1@kicp.uchicago.edu>
In-Reply-To: <1326116098.397847941.1599937118319.JavaMail.zimbra@shaw.ca>
References:  <f3481d62-9c16-4740-f1b1-c808beb5998c@kicp.uchicago.edu> <f787760e-cc26-680b-a9b2-12898ae9d519@dreamchaser.org> <20200912055706.GB19136@neutralgood.org> <5B49B57A-4867-4081-8C55-5DCE95BC5B93@kicp.uchicago.edu> <1326116098.397847941.1599937118319.JavaMail.zimbra@shaw.ca>



> On Sep 12, 2020, at 1:58 PM, Dale Scott <dalescott@shaw.ca> wrote:
>
> Keep in mind there are several use cases for LetsEncrypt. When I used LetsEncrypt to create a certificate I used the port 80 authentication method and had to shut down apache during the procedure (restarting afterwards). Using certbot to renew the certificate is a different process and does not require shutting down services using port 80.
>

Thank you, Dale! That is what Gary probably meant, and I, with my restricted knowledge of options, didn’t realize that. Sorry, Gary, about my comment; now with Dale’s explanation I know what you meant.

Valeri

> ----- Original Message -----
>> From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
>> To: "Kevin P. Neal" <kpn@neutralgood.org>
>> Cc: "freebsd-questions" <freebsd-questions@freebsd.org>
>> Sent: Saturday, September 12, 2020 10:17:06 AM
>> Subject: Re: py37-certbot question
>
>>> On Sep 12, 2020, at 12:57 AM, Kevin P. Neal <kpn@neutralgood.org> wrote:
>>>
>>> On Thu, Sep 10, 2020 at 09:26:34PM -0600, Gary Aitken wrote:
>>>> On my fbsd system I manually renew.  My notes from 2019 say it is necessary to stop the server before renewing because certbot starts its own temporary one to do the upgrade.  So I do the sequence:
>>>>  service apache24 stop
>>>>  certbot renew
>>>>  service apache24 start
>>>>
>>>> It may be the py37 version stops and restarts the server; I haven't tried it without stopping the server so I don't know.
>>>
>>>> If it has been running weekly as a cron job, it should have been renewed about three weeks ago.  It should renew on the first attempt that is less than 30 days until expiration.  So it sounds like it is attempting to renew but failing.  It may be that if the server isn't stopped it won't renew because it can't acquire the necessary port.
>>>
>>> Wait, that doesn't sound right. I never, ever stop services to run certbot renew. Ever. I have it so that it reaches into the DocumentRoot(s) of the relevant virtual server(s) for the verification step. Then I copy the new certs to the relevant locations and bounce servers at that point. But a service outage is not required.
>>>
>>> I even have my http servers redirect all traffic to the https server EXCEPT for the certbot traffic. It's another example of mod_rewrite being one of the most powerful tools around IMHO.
>>>
>>> [kpn@gunsight1 ~]$ pkg info | grep certbot
>>> py37-certbot-1.7.0,1           Let's Encrypt client
>>> [kpn@gunsight1 ~]$
>>>
>>
>> Thank you, Gary and Kevin. I just had yet another cron.weekly happen this morning, and the cert was not renewed. So, I ran certbot renew manually, and restarted apache. My trouble is in the way I configured the renewal cron job following somebody’s HOWTO; I will switch back to just a cron job with an appropriate explicit “certbot renew …” command after I check that python3 based certbot does have --post-hook to restart apache in the event of successful cert renewal.
>>
>> I’m sure Kevin is right: the web server must be running when certbot attempts to renew the cert. It is necessary, as LetsEncrypt verifies that whatever requests the cert is capable of writing the challenge sent to it into the web directory.
>>
>> Thanks again, everybody!
>>
>> Valeri
>>
>>> --
>>> Kevin P. Neal                                http://www.pobox.com/~kpn/
>>>
>>> "What is mathematics? The age-old answer is, of course, that mathematics is what mathematicians do." - Donald Knuth
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
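The renewal flow the thread converges on (Kevin's "no outage, certbot writes the challenge into the DocumentRoot" method, Valeri's cron job with --post-hook, and Gary's "less than 30 days until expiration" window) as one added example script. This is not code from any poster or from the certbot project. The webroot path, the rc service name, the live certificate path with its example.test domain, and the function names are assumptions; `certbot renew --webroot -w … --post-hook …` and `openssl x509 -checkend` are real options.

```shell
#!/bin/sh
# Added example (not code from the thread): pre-flight checks for an unattended
# "certbot renew" cron job that uses the webroot authenticator, so Apache stays
# up during renewal, followed by the renew command with a --post-hook.
# Paths, the service name, the domain and the 30-day window are assumptions.
set -u

WEBROOT="${WEBROOT:-/usr/local/www/apache24/data}"   # vhost DocumentRoot (assumed)
SERVICE="${SERVICE:-apache24}"                        # rc service to restart
LIVE_CERT="${LIVE_CERT:-/usr/local/etc/letsencrypt/live/example.test/cert.pem}"  # placeholder domain
RENEW_DAYS=30   # certbot renews when fewer than 30 days remain

# Emulate what certbot does for the HTTP-01 challenge: create the challenge
# directory under the webroot, drop a token file, read it back, clean up.
# Returns 0 only if the user running the cron job can place a file there,
# which is exactly what a webroot renewal needs to succeed.
check_challenge_dir() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" 2>/dev/null || return 1
    token="probe-$$"
    printf 'ok' > "$dir/$token" 2>/dev/null || return 1
    content=$(cat "$dir/$token")
    rm -f "$dir/$token"
    [ "$content" = "ok" ]
}

# Returns 0 when the certificate expires within $2 days (renewal is due),
# 1 when it does not, 2 when the file is unreadable.
# "openssl x509 -checkend N" exits non-zero if the cert expires within N seconds.
renewal_due() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || return 2
    ! openssl x509 -checkend $((days * 86400)) -noout -in "$cert" >/dev/null 2>&1
}

# The actual renewal runs only when invoked as "renew-preflight.sh run",
# so the functions above can be sourced and tested without touching certbot.
if [ "${1:-}" = "run" ]; then
    check_challenge_dir "$WEBROOT" || {
        echo "cannot write challenge files under $WEBROOT; webroot renewal would fail" >&2
        exit 1
    }
    renewal_due "$LIVE_CERT" "$RENEW_DAYS"; status=$?
    case $status in
        0) echo "fewer than $RENEW_DAYS days left on $LIVE_CERT; certbot should renew" ;;
        1) echo "certificate not yet within the renewal window; certbot renew will be a no-op" ;;
        *) echo "cannot read $LIVE_CERT; check the live/ path" >&2 ;;
    esac
    # Webroot authenticator: Apache keeps serving port 80; the post-hook runs
    # only when a certificate was actually renewed, so a weekly cron entry
    # does not restart Apache needlessly.
    certbot renew --webroot -w "$WEBROOT" --post-hook "service $SERVICE restart"
fi
```

The challenge directory must also stay reachable over plain HTTP: a blanket redirect to HTTPS has to exempt `/.well-known/acme-challenge/`, which is what Kevin's mod_rewrite exception accomplishes. If `check_challenge_dir` fails, the fix is ownership or permissions on the webroot for the cron user, not stopping Apache.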



