Date:      Thu, 10 Sep 2020 21:26:34 -0600
From:      Gary Aitken <freebsd@dreamchaser.org>
To:        Valeri Galtsev <galtsev@kicp.uchicago.edu>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: py37-certbot question
Message-ID:  <f787760e-cc26-680b-a9b2-12898ae9d519@dreamchaser.org>
In-Reply-To: <f3481d62-9c16-4740-f1b1-c808beb5998c@kicp.uchicago.edu>
References:  <f3481d62-9c16-4740-f1b1-c808beb5998c@kicp.uchicago.edu>

On 9/10/20 3:48 PM, Valeri Galtsev wrote:

> I hope, someone knows details of python3 based certbot. Namely, if
> run with "update" command, it updated certificates that will expire
> "soon". How soon, it doesn't say in man page, just soon. Does someone
> know how close to expiration cert should be to be considered by the
> script for renewal.

30 days.  If you try to renew before that it doesn't renew.
Unfortunately, that's less than the 31 days in some months, so a monthly
cron job won't do it.

I work on an Ubuntu system with it set to weekly and for the first two
months I get a weekly report from the cron job showing it tried to renew
but didn't because there was too much time left on the certs.

On my fbsd system I manually renew.  My notes from 2019 say it is necessary
to stop the server before renewing because certbot starts its own temporary
one to do the upgrade.  So I do the sequence:
   service apache24 stop
   certbot renew
   service apache24 start

It may be the py37 version stops and restarts the server; I haven't tried it
without stopping the server so I don't know.

> I use certbot since its python 2 version - for quite some time
> actually to renew LetsEncrypt certificates. With python2 version in
> the past I run cron job daily and I was restarting apache from that
> same script if certificate was updated. With python3 version when I
> switched to it I followed somebody's HOWTO, and just added to
> /etc/periodic.conf:
> 
> weekly_certbot_enable="YES"
> weekly_certbot_service="apache24"
> 
> And was living happily ever since. However, one of the machines is
> about 4 days before expiration, Letsencrypt sent me notification:
> update cert. I checked, and crond is running, /etc/periodic.conf is
> as expected, and now, 4 days before expiration script (with --dry run
> flag) indeed goes about renewing the cert. There is one weekly cron
> job set that will happen before actual expiration of my certs, so I
> somehow think all is OK and my cert will be renewed.
> 
> But I am just curious how many days before expiration certbot does
> renew certificate that will expire "soon".

If it has been running weekly as a cron job, it should have been renewed
about three weeks ago.  It should renew on the first attempt that is less
than 30 days until expiration.  So it sounds like it is attempting to
renew but failing.  It may be that if the server isn't stopped it won't
renew because it can't acquire the necessary port.

> Or should I probably switch it over to daily cron job?

That should not be necessary; weekly will work.

Gary


