Date: Sat, 12 Sep 2020 11:17:06 -0500
From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
To: "Kevin P. Neal" <kpn@neutralgood.org>
Cc: Gary Aitken <freebsd@dreamchaser.org>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: py37-certbot question
Message-ID: <5B49B57A-4867-4081-8C55-5DCE95BC5B93@kicp.uchicago.edu>
In-Reply-To: <20200912055706.GB19136@neutralgood.org>
References: <f3481d62-9c16-4740-f1b1-c808beb5998c@kicp.uchicago.edu> <f787760e-cc26-680b-a9b2-12898ae9d519@dreamchaser.org> <20200912055706.GB19136@neutralgood.org>
> On Sep 12, 2020, at 12:57 AM, Kevin P. Neal <kpn@neutralgood.org> wrote:
>
> On Thu, Sep 10, 2020 at 09:26:34PM -0600, Gary Aitken wrote:
>> On my fbsd system I manually renew. My notes from 2019 say it is necessary
>> to stop the server before renewing because certbot starts its own temporary
>> one to do the upgrade. So I do the sequence:
>> service apache24 stop
>> certbot renew
>> service apache24 start
>>
>> It may be the py37 version stops and restarts the server; I haven't tried it
>> without stopping the server so I don't know.
>
>> If it has been running weekly as a cron job, it should have been renewed
>> about three weeks ago. It should renew on the first attempt that is less
>> than 30 days until expiration. So it sounds like it is attempting to
>> renew but failing. It may be that if the server isn't stopped it won't
>> renew because it can't acquire the necessary port.
>
> Wait, that doesn't sound right. I never, ever stop services to run certbot
> renew. Ever. I have it so that it reaches into the DocumentRoot(s) of the
> relevant virtual server(s) for the verification step. Then I copy the new
> certs to the relevant locations and bounce servers at that point. But a
> service outage is not required.
>
> I even have my http servers redirect all traffic to the https server EXCEPT
> for the certbot traffic. It's another example of mod_rewrite being one of
> the most powerful tools around IMHO.
>
> [kpn@gunsight1 ~]$ pkg info | grep certbot
> py37-certbot-1.7.0,1 Let's Encrypt client
> [kpn@gunsight1 ~]$
>

Thank you, Gary and Kevin. I just had yet another cron.weekly happen this morning, and the cert was not renewed. So, I ran certbot renew manually, and restarted apache.

My trouble is in the way I configured the renewal cron job following somebody's HOWTO; I will switch back to just a cron job with an appropriate explicit "certbot renew ..." command after I check that the python3-based certbot does have --post-hook to restart apache in the event of a successful cert renewal.

I'm sure Kevin is right: the web server must be running when certbot attempts to renew the cert. It is necessary, as LetsEncrypt verifies that whatever requests the cert is capable of writing the challenge sent to it into the web directory.

Thanks again, everybody!

Valeri

> --
> Kevin P. Neal                                http://www.pobox.com/~kpn/
>
> "What is mathematics? The age-old answer is, of course, that mathematics
> is what mathematicians do." - Donald Knuth
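The two approaches discussed in the thread (webroot validation with Apache left running, and a cron-driven `certbot renew` that restarts Apache only after a successful renewal) can be combined in a small wrapper script. The following is an added example for this archive page, not code from the thread or from the certbot project. It assumes a FreeBSD host with py37-certbot and Apache 2.4, the FreeBSD default DocumentRoot /usr/local/www/apache24/data, certificates under /usr/local/etc/letsencrypt/live/<domain>/, a placeholder domain example.org, and a hypothetical state directory /var/db/renew-certs for the previous certificate snapshot.

```shell
#!/bin/sh
# renew-certs.sh: hypothetical certbot renewal wrapper for a FreeBSD host running
# Apache 2.4 (added example, not code from the thread). Apache stays up during
# renewal (webroot HTTP-01 validation), and it is restarted only when the
# certificate file actually changed, so the weekly cron run is a no-op when
# certbot decided nothing was due for renewal.
set -eu

# Assumed paths; adjust for your host. example.org is a placeholder domain.
DOMAIN="${DOMAIN:-example.org}"
WEBROOT="${WEBROOT:-/usr/local/www/apache24/data}"
LIVE_CERT="${LIVE_CERT:-/usr/local/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"
SNAPSHOT="${SNAPSHOT:-/var/db/renew-certs/last-fullchain.pem}"
LOG_TAG="renew-certs"

log() {
    # Record every run in syslog and on stderr, so both /var/log/messages and
    # the cron mail show whether a renewal happened and whether Apache restarted.
    logger -t "$LOG_TAG" -p daemon.info -- "$*" 2>/dev/null || true
    printf '%s: %s\n' "$LOG_TAG" "$*" >&2
}

# cert_changed OLD NEW: succeed (exit 0) if NEW differs from OLD or OLD does not
# exist yet; fail (exit 1) if the two files are byte-for-byte identical.
cert_changed() {
    old="$1"; new="$2"
    [ -f "$old" ] || return 0
    if cmp -s "$old" "$new"; then
        return 1
    fi
    return 0
}

# snapshot_cert CERT DEST: keep a copy of CERT so the next run can compare.
snapshot_cert() {
    mkdir -p "$(dirname "$2")"
    cp -f "$1" "$2"
}

renew_and_restart() {
    # Apache keeps serving: certbot writes the challenge token under
    # $WEBROOT/.well-known/acme-challenge/ and Let's Encrypt fetches it over
    # plain HTTP, so no service outage and no temporary listener on port 80.
    log "starting renewal check for $DOMAIN"
    certbot renew --non-interactive --quiet --webroot -w "$WEBROOT"

    if cert_changed "$SNAPSHOT" "$LIVE_CERT"; then
        log "certificate changed, restarting apache24"
        service apache24 restart
        snapshot_cert "$LIVE_CERT" "$SNAPSHOT"
    else
        log "certificate unchanged, apache24 left alone"
    fi
}

# Only act when invoked as `renew-certs.sh run` (for example from a weekly
# crontab entry); sourcing the file merely defines the functions.
case "${1:-}" in
    run) renew_and_restart ;;
esac
```

The explicit snapshot comparison does the job that certbot's `--deploy-hook` (run only when a certificate was actually issued) would do, but it leaves an auditable record of why Apache was or was not restarted on each run; `--post-hook`, by contrast, runs after every `certbot renew` invocation whether or not anything was renewed. If the HTTP virtual host redirects everything to HTTPS as Kevin describes, the `/.well-known/acme-challenge/` path must stay exempt from that redirect or the validation request never reaches the webroot.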