From owner-freebsd-questions@freebsd.org Wed May 24 18:31:18 2017 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 52325D7C02C for ; Wed, 24 May 2017 18:31:18 +0000 (UTC) (envelope-from jim@mailman-hosting.com) Received: from maurice.jlkmail.com (maurice.jlkmail.com [IPv6:2604:4500:6:2a6:ec4:7aff:feb5:1bb2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 160661930 for ; Wed, 24 May 2017 18:31:17 +0000 (UTC) (envelope-from jim@mailman-hosting.com) Received: from maurice.jlkmail.com (localhost [127.0.0.1]) by maurice.jlkmail.com (Postfix) with ESMTP id E1275188088B for ; Wed, 24 May 2017 14:31:14 -0400 (EDT) Authentication-Results: maurice.jlkmail.com (amavisd-new); dkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=mailman-hosting.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d= mailman-hosting.com; h=content-transfer-encoding :content-language:content-type:content-type:in-reply-to :mime-version:user-agent:date:date:message-id:from:from :references:to:subject:subject; s=dkim; t=1495650673; x= 1496514674; bh=4vMBnCkrtxhtL58LNVL5It65wVyetLCWM/i1iBolH/c=; b=j X5GKbdk0VV665v3nYXc1K3N8Z3Rnt+7jBlFWme7KAGHG6eY7u3ro7fSHCd5WiKZK vTxdQHDJoAg3L4qTKQbAsLI2hiMq22HHLiQ/FFOEVZ7CErVXBZ2mWdHz2An2UNyv ZuQ++LOVBReseBmXW0X3Z7awf8bTo4VWBla9oad3y4= X-Virus-Scanned: Debian amavisd-new at maurice.jlkmail.com X-Spam-Flag: NO X-Spam-Score: -0.999 X-Spam-Level: X-Spam-Status: No, score=-0.999 tagged_above=-9999 required=6.31 tests=[ALL_TRUSTED=-1, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no Received: from maurice.jlkmail.com ([127.0.0.1]) by maurice.jlkmail.com (maurice.jlkmail.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id KDwr9PimFL-m for ; Wed, 24 May 2017 14:31:13 -0400 (EDT) Received: from [192.168.1.153] (static-70-104-198-154.nrflva.fios.verizon.net [70.104.198.154]) by maurice.jlkmail.com (Postfix) with ESMTPSA id 537631880836; Wed, 24 May 2017 14:31:13 -0400 (EDT) Subject: Re: Acme client not updating keys automatically To: David Mehler , freebsd-questions , Frank Shute References: <20170524155647.GE1232@lime.woodcruft.co.uk> From: Jim Ohlstein Message-ID: <2f52e790-3eff-3ca0-46c0-4336b8e38046@mailman-hosting.com> Date: Wed, 24 May 2017 14:31:12 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1 MIME-Version: 1.0 In-Reply-To: <20170524155647.GE1232@lime.woodcruft.co.uk> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 May 2017 18:31:18 -0000 Hello, On 05/24/2017 11:56 AM, Frank Shute wrote: > On Tue, May 23, 2017 at 08:23:24AM -0400, David Mehler wrote: >> >> Hello, >> >> I've got a Freebsd 10.3 system running several ssl-enabled web >> servers. I've got letsencrypt keys for all of them. I'm using >> py27-certbot (am not stuck on it so if there's an alternative), and >> have a cron job set to check keys and update them by doing a certbot >> renew. >> >> I thought something was wrong when I kept getting key expirey notices >> from letsencrypt, then I checked a site and got a key has expired >> message. >> >> Suggestions welcome. >> >> Thanks. >> Dave. > > > Hi Dave, > > > I'll venture forth an opinion that is maybe a bit controversial. > > The certbot written in python 2.7, as recommended by Letsencrypt, is a bit > crap IMHO. Not tryinh to start a fight (Honets!), but I'm curious as to how you arrived at that opinion. Code analysis, use for purpose, or just a general opinion of Python kiddie coders? I ask because I use it, and it suits my purpose just fine. Of course I use a few domain/multi-subdomain certs, and I simply force renew them manually the first week of every other month. Doesn't take more than a few minutes for the whole process inclusing reloading nginx, Postfix, Dovecot, etc. Only glitch was recently when one dependency got ahead of py-certbot. A suitable patch was available within a day or so. > > It's possibly fine if you're running a vanilla LAMP stack but start doing > such things as s/Linux/FreeBSD/ and s/Apache/Nginx/ and you rapidly end up > in trouble. > > My preference is either for acme.sh: > > https://github.com/Neilpang/acme.sh > > which is an acme client written in portable (POSIX) shell. > > Or: security/acme-client in ports which is written in C by a BSD bloke. I didn't realize that existed. Thanks! > > In my experience, the problem with software written in Python is that > because the barrier to entry is so low, is that even a mouth-breathing, > window-licking, know-nothing moron can write Python...and sure as shit, > they invariably do. Tell us how you really feel. ;) > > To be fair, I think a lot of that type are now picking up on Javascript and > it's bastard brethren. We've already seen a text editor written in it and > I feel it can be only a matter of time before they set their sights on a > RTOS...for suitably low values of "real time". > > > Regards, > -- Jim Ohlstein Professional Mailman Hosting https://mailman-hosting.com/