Date: Sat, 12 Sep 2020 12:58:38 -0600 (MDT)
From: Dale Scott <dalescott@shaw.ca>
To: Valeri Galtsev <galtsev@kicp.uchicago.edu>
Cc: "Kevin P. Neal" <kpn@neutralgood.org>, freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: py37-certbot question
Message-ID: <1326116098.397847941.1599937118319.JavaMail.zimbra@shaw.ca>
In-Reply-To: <5B49B57A-4867-4081-8C55-5DCE95BC5B93@kicp.uchicago.edu>
References: <f3481d62-9c16-4740-f1b1-c808beb5998c@kicp.uchicago.edu> <f787760e-cc26-680b-a9b2-12898ae9d519@dreamchaser.org> <20200912055706.GB19136@neutralgood.org> <5B49B57A-4867-4081-8C55-5DCE95BC5B93@kicp.uchicago.edu>
Keep in mind there are several use cases for LetsEncrypt. When I used LetsEncrypt to create a certificate I used the port 80 authentication method and had to shut down apache during the procedure (restarting afterwards). Using certbot to renew the certificate is a different process and does not require shutting down services using port 80.

----- Original Message -----
> From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
> To: "Kevin P. Neal" <kpn@neutralgood.org>
> Cc: "freebsd-questions" <freebsd-questions@freebsd.org>
> Sent: Saturday, September 12, 2020 10:17:06 AM
> Subject: Re: py37-certbot question

>> On Sep 12, 2020, at 12:57 AM, Kevin P. Neal <kpn@neutralgood.org> wrote:
>>
>> On Thu, Sep 10, 2020 at 09:26:34PM -0600, Gary Aitken wrote:
>>> On my fbsd system I manually renew. My notes from 2019 say it is necessary
>>> to stop the server before renewing because certbot starts its own temporary
>>> one to do the upgrade. So I do the sequence:
>>> service apache24 stop
>>> certbot renew
>>> service apache24 start
>>>
>>> It may be the py37 version stops and restarts the server; I haven't tried it
>>> without stopping the server so I don't know.
>>
>>> If it has been running weekly as a cron job, it should have been renewed
>>> about three weeks ago. It should renew on the first attempt that is less
>>> than 30 days until expiration. So it sounds like it is attempting to
>>> renew but failing. It may be that if the server isn't stopped it won't
>>> renew because it can't acquire the necessary port.
>>
>> Wait, that doesn't sound right. I never, ever stop services to run certbot
>> renew. Ever. I have it so that it reaches into the DocumentRoot(s) of the
>> relevant virtual server(s) for the verification step. Then I copy the new
>> certs to the relevant locations and bounce servers at that point. But a
>> service outage is not required.
>>
>> I even have my http servers redirect all traffic to the https server EXCEPT
>> for the certbot traffic. It's another example of mod_rewrite being one of
>> the most powerful tools around IMHO.
>>
>> [kpn@gunsight1 ~]$ pkg info | grep certbot
>> py37-certbot-1.7.0,1 Let's Encrypt client
>> [kpn@gunsight1 ~]$
>>
>
> Thank you, Gary and Kevin. I just had yet another cron.weekly happen this
> morning, and the cert was not renewed. So, I ran certbot renew manually and
> restarted apache. My trouble is in the way I configured the renewal cron job
> following somebody’s HOWTO; I will switch back to just a cron job with an
> appropriate explicit “certbot renew …” command after I check that python3-based
> certbot does have --post-hook to restart apache in the event of successful cert
> renewal.
>
> I’m sure Kevin is right: the web server must be running when certbot attempts to
> renew the cert. It is necessary, as LetsEncrypt verifies that whatever requests
> the cert is capable of writing the challenge sent to it into the web directory.
>
> Thanks again, everybody!
>
> Valeri
>
>> --
>> Kevin P. Neal http://www.pobox.com/~kpn/
>>
>> "What is mathematics? The age-old answer is, of course, that mathematics
>> is what mathematicians do." - Donald Knuth
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
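The two mechanisms the thread turns on, Kevin's mod_rewrite exemption for certbot traffic and Valeri's hook-based cron job, as an added example that is not part of the thread and not anyone's posted configuration. It builds two constructed Apache vhost snippets in a temp directory (a redirect-everything version and one with the RewriteCond exemption), checks each with a small awk-based `check_conf` helper, and wraps `certbot renew` in a `renew` helper that picks `--deploy-hook` for webroot-issued certificates or `--pre-hook`/`--post-hook` for standalone-issued ones. The helper names, the `/usr/local/www/example.com` webroot and the `example.com` vhost are assumptions; `service apache24` and the certbot flags are real.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether an http->https
# redirect also swallows ACME HTTP-01 challenge requests, and shows the
# hook-based renewal that keeps apache24 running.
# Assumed: webroot /usr/local/www/example.com, vhost example.com.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: redirects everything, including the challenge path,
# so a webroot renewal fails unless something else answers port 80.
UNSAFE_CONF="$WORK/unsafe.conf"
cat > "$UNSAFE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /usr/local/www/example.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [L,R=301]
</VirtualHost>
EOF

# Constructed sample 2: same redirect, but the negated RewriteCond leaves
# /.well-known/acme-challenge/ to be served from DocumentRoot, so certbot's
# webroot authenticator works while Apache stays up.
SAFE_CONF="$WORK/safe.conf"
cat > "$SAFE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /usr/local/www/example.com
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [L,R=301]
</VirtualHost>
EOF

# check_conf FILE: prints "ok" when every RewriteRule that sends traffic to
# https:// is guarded by a negated RewriteCond naming acme-challenge, and
# "unsafe" otherwise. mod_alias "Redirect" cannot carry such a condition,
# so a Redirect to https:// is reported as unsafe as well.
check_conf() {
    awk '
        # A negated condition on the challenge path guards the next rule.
        /^[ \t]*RewriteCond/ && /!/ && /acme-challenge/ { guarded = 1; next }
        /^[ \t]*RewriteCond/ { next }
        /^[ \t]*RewriteRule/ {
            if ($0 ~ /https:\/\// && !guarded) bad++
            guarded = 0      # every RewriteRule ends its RewriteCond chain
            next
        }
        /^[ \t]*Redirect(Permanent)?[ \t]/ && /https:\/\// { bad++ }
        END { print (bad ? "unsafe" : "ok") }
    ' "$1"
}

# renew MODE: the cron-friendly renewal. "certbot renew" reuses the
# authenticator recorded when the certificate was issued, so:
#   webroot    - the challenge is written under DocumentRoot, apache24 stays
#                up, and --deploy-hook runs only if a cert was actually
#                renewed; a graceful restart is enough to load the new files.
#   standalone - certbot must bind port 80 itself, so apache24 is stopped and
#                started by --pre-hook/--post-hook, which certbot runs only
#                when a renewal is actually attempted (not on every cron run).
renew() {
    case "$1" in
        webroot)
            certbot renew --deploy-hook 'service apache24 graceful' ;;
        standalone)
            certbot renew --pre-hook 'service apache24 stop' \
                          --post-hook 'service apache24 start' ;;
        *)
            echo "usage: renew webroot|standalone" >&2; return 2 ;;
    esac
}

echo "unsafe.conf: $(check_conf "$UNSAFE_CONF")"
echo "safe.conf:   $(check_conf "$SAFE_CONF")"

# Only touch certbot when asked, e.g. from cron: sh renew.sh webroot
if [ "${1:-}" = webroot ] || [ "${1:-}" = standalone ]; then
    renew "$1"
fi
```

Run the check against a real vhost file before trusting a weekly cron entry: a redirect that also catches the challenge path fails silently from cron's point of view, which is exactly the "attempting to renew but failing" pattern described above. The `--pre-hook`/`--post-hook` pair reproduces Gary's stop/renew/start sequence, but only on the runs where certbot actually has a certificate within the renewal window, instead of on every weekly run.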