From: paul beard
Date: Sun, 21 Apr 2024 08:23:27 -0700
Subject: Re: certbot
Cc: freebsd-questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Just to add a little more detail…that randomized cron job ran at 12:34
(called at midnight).

It runs weekly, perhaps overkill, considering the ways expirations are
managed:

The following certificates are not due for renewal yet:
  /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/fullchain.pem expires on 2024-05-25 (skipped)
  /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem expires on 2024-06-15 (skipped)
  /usr/local/etc/letsencrypt/live/www.paulbeard.org/fullchain.pem expires on 2024-06-15 (skipped)
No renewals were attempted.
No hooks were run.

Maybe I'll change it to monthly.

On Sun, Apr 21, 2024 at 5:14 AM Paul Kagan wrote:

> I use certbot on FreeBSD 14 and it works fine there was a thread that I did
> that answers this question... just to modify the script to not use the
> legacy open ssl..
>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.org
> On behalf of Souji Thenria
> Sent: Saturday, April 20, 2024 23:42
> To: paul beard ; John Levine
> Cc: freebsd-questions@freebsd.org
> Subject: Re: certbot
>
> On Sun Apr 21, 2024 at 4:13 AM BST, paul beard wrote:
> > The question at hand is why OP can't use something as straightforward
> > as what I run. Why does he need to run it with environment variables
> > where I don't?
>
> FreeBSD 14 uses a newer OpenSSL version, which probably disables some older
> algorithms that are needed by certbot.
>
> You don't have this problem since you are running FreeBSD 13, which still
> uses the older OpenSSL version and supports those algorithms by default.

-- 
Paul Beard / www.paulbeard.org/