On Mon, 9 Sep 2019 12:12:55 +0200 (CEST)
Trond Endrest?l <trond.endrestol at ximalas.info> wrote:
> On Mon, 9 Sep 2019 16:06+0700, Victor Sudakov wrote:
>
> > The majority is for py-certbot, so I'll probably use it. Thank
you.
>
> I have found it prudent to run certbot twice a month from cron(8),
> just to be safe.
>
> Last year, I had one case where the certificate expired a few hours
> before the next run of certbot. Had I run certbot on the 1st and on
> the 15th day of each month, then the certificates would have been
> updated ahead of their expiration.
>
> E.g.:
>
> #minute hour mday month wday who command
>
> 52 4 1 * * root certbot renew --quiet --pre-hook "service apache24
stop" --post-hook "service apache24 start"
> 52 1 15 * * root certbot renew --quiet --pre-hook "service apache24
stop" --post-hook "service apache24 start"
I believe --dry-run renewal is encouraged. Both for testing on the
development side and to be sure all is running well on the user's side.
See "Help us test renewal with ?letsencrypt renew?
https://community.letsencrypt.org/t/help-us-test-renewal-with-letsencrypt-renew/10562
Q. What?s the new --dry-run flag?
A. The new --dry-run flag for both certonly and renew performs the
certificate request(s) against the staging server, which issues test
certificates that are not trusted by browsers. This verifies whether you?re
apparently able to get a certificate, in your current configuration, using
the method that you specified (for example, if you were using webroot
authentication, whether your webroot configuration is capable of being
validated by the CA). With --dry-run, the certificates obtained are not
actually saved to disk and your configuration is not updated. You can use
this to simulate what would apparently happen if you ran the command without
--dry-run.
FWIW, here is the link to my wrappers for certbot (last update June 2018)
https://github.com/vbotka/le-utils
For example below is a fragment from crontab.
1) Daily send email with certificates that expire within 30 days.
2) Daily dry-run renew all certificates.
3) Daily renew certificates that expire within 30 days.
#Ansible: check expiry of certificates
15 2 * * * /root/bin/leinfo -e --Days=30 -a
#Ansible: dry-run renewal of certificates
20 2 * * * /root/bin/lectl -s -n -c -a
#Ansible: renewal of certificates
20 3 * * * /root/bin/lectl -s -D=30 -c -a && /root/bin/lectl -s -p
&& /root/bin/leinfo -s -g -a
If all is right I get only emails with the renewals.
Cheers,
-vlado
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20190909/52ac99bd/attachment.sig>