Acme client not updating keys automatically

Jim Ohlstein jim at mailman-hosting.com
Wed May 24 18:45:12 UTC 2017


Hello,

On 05/24/2017 02:31 PM, Jim Ohlstein wrote:
> Hello,
> 
> On 05/24/2017 11:56 AM, Frank Shute wrote:
>> On Tue, May 23, 2017 at 08:23:24AM -0400, David Mehler wrote:
>>>
>>> Hello,
>>>
>>> I've got a FreeBSD 10.3 system running several ssl-enabled web
>>> servers. I've got letsencrypt keys for all of them. I'm using
>>> py27-certbot (am not stuck on it so if there's an alternative), and
>>> have a cron job set to check keys and update them by doing a certbot
>>> renew.
>>>
>>> I thought something was wrong when I kept getting key expiry notices
>>> from letsencrypt, then I checked a site and got a key has expired
>>> message.
>>>
>>> Suggestions welcome.
>>>
>>> Thanks.
>>> Dave.
>>
>> Hi Dave,
>>
>>
>> I'll venture forth an opinion that is maybe a bit controversial.
>>
>> The certbot written in python 2.7, as recommended by Letsencrypt, is a bit
>> crap IMHO.
> 
> Not trying to start a fight (Honest!), but I'm curious as to how you 
> arrived at that opinion. Code analysis, use for purpose, or just a 
> general opinion of Python kiddie coders?
> 
> I ask because I use it, and it suits my purpose just fine. Of course I 
> use a few domain/multi-subdomain certs, and I simply force renew them 
> manually the first week of every other month. Doesn't take more than a 
> few minutes for the whole process including reloading nginx, Postfix, 
> Dovecot, etc. Only glitch was recently when one dependency got ahead of 
> py-certbot. A suitable patch was available within a day or so.
> 
>>
>> It's possibly fine if you're running a vanilla LAMP stack but start doing
>> such things as s/Linux/FreeBSD/ and s/Apache/Nginx/ and you rapidly end up
>> in trouble.
>>
>> My preference is either for acme.sh:
>>
>> https://github.com/Neilpang/acme.sh
>>
>> which is an acme client written in portable (POSIX) shell.
>>
>> Or: security/acme-client in ports which is written in C by a BSD bloke.
> 
> I didn't realize that existed. Thanks!

Add: it has a build dependency on libressl, which apparently makes it a 
non-starter for portmaster and portupgrade users who rely on the openssl 
port. It works fine with poudriere, and probably also with synth.

> 
>>
>> In my experience, the problem with software written in Python is that
>> because the barrier to entry is so low, is that even a mouth-breathing,
>> window-licking, know-nothing moron can write Python...and sure as shit,
>> they invariably do.
> 
> Tell us how you really feel. ;)
> 
>>
>> To be fair, I think a lot of that type are now picking up on Javascript and
>> its bastard brethren. We've already seen a text editor written in it and
>> I feel it can be only a matter of time before they set their sights on a
>> RTOS...for suitably low values of "real time".
>>
>>
>> Regards,
>>
> 

-- 
Jim Ohlstein
Professional Mailman Hosting
https://mailman-hosting.com/
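Whatever client ends up doing the renewals, the failure Dave describes (a cron job that appears to run, certificates that expire anyway) is only caught early by checking the certificates themselves rather than trusting the job. Below is an added example, not code from the thread or from certbot, acme.sh or acme-client: a standard-library-only Python check that reads the notAfter date straight out of each PEM file and exits non-zero when any certificate is inside the renewal window, so it can run from cron on FreeBSD's base Python with no ports dependency. The file paths, the 30-day threshold (certbot's default renewal point) and the `build_sample_cert_pem` skeleton used as offline test input are all assumptions made here; the skeleton is an unsigned stub containing only the tbsCertificate fields up to Validity, not a real certificate.

```python
"""Dependency-free X.509 expiry check for cron (added example; paths/threshold are assumptions).

The DER walker reads only the leading fields of tbsCertificate up to the Validity
sequence, which is all an expiry check needs.
"""
import base64
import datetime as dt
import re
import sys


def utc(year, month, day):
    """Aware UTC midnight for the given date (helper for the sample data and tests)."""
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:
        fmt = "%y%m%d%H%M%SZ"              # strptime maps 00-68 to 20xx, fine for any live cert
    elif tag == 0x18:
        fmt = "%Y%m%d%H%M%SZ"
    else:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return dt.datetime.strptime(text, fmt).replace(tzinfo=dt.timezone.utc)


def pem_to_der(pem):
    """Strip the BEGIN/END armour and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))


def certificate_validity(der):
    """Return (notBefore, notAfter) as aware UTC datetimes from a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, after = _read_tlv(tbs, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = after
    for _ in range(3):                     # serialNumber, signature AlgorithmIdentifier, issuer Name
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)   # Validity ::= SEQUENCE { notBefore, notAfter }
    tag1, val1, pos = _read_tlv(validity, 0)
    tag2, val2, _ = _read_tlv(validity, pos)
    return _parse_time(tag1, val1), _parse_time(tag2, val2)


def days_until_expiry(pem, now):
    """Whole days from `now` (aware UTC) until notAfter; negative once the cert has expired."""
    _, not_after = certificate_validity(pem_to_der(pem))
    return (not_after - now).days


def renewal_overdue(pem, now, threshold_days=30):
    """True when fewer than threshold_days remain: a cert still inside the window after the
    renewal cron job has had its chance means the job is not doing its work."""
    return days_until_expiry(pem, now) < threshold_days


# ---- constructed test input: a minimal, unsigned certificate skeleton (NOT a real cert) ----

def _tlv(tag, content):
    """Minimal DER encoder for the skeleton below (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _time_tlv(when):
    """UTCTime for years before 2050, GeneralizedTime from 2050 on, as RFC 5280 requires."""
    if when.year < 2050:
        return _tlv(0x17, when.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return _tlv(0x18, when.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def build_sample_cert_pem(not_before, not_after):
    """Constructed sample: tbsCertificate fields up to Validity only, PEM-wrapped."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                       # [0] EXPLICIT INTEGER 2 (v3)
    serial = _tlv(0x02, b"\x01")
    sha256_rsa = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"             # OID 1.2.840.113549.1.1.11
    sig_alg = _tlv(0x30, _tlv(0x06, sha256_rsa) + _tlv(0x05, b""))
    issuer = _tlv(0x30, b"")                                         # empty Name
    validity = _tlv(0x30, _time_tlv(not_before) + _time_tlv(not_after))
    der = _tlv(0x30, _tlv(0x30, version + serial + sig_alg + issuer + validity))
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # cron usage (assumed paths): python3 check_expiry.py /path/to/site1/cert.pem ...
    now = dt.datetime.now(dt.timezone.utc)
    overdue = 0
    for path in sys.argv[1:]:
        with open(path) as fh:
            left = days_until_expiry(fh.read(), now)
        print("%s: %d days left%s" % (path, left, "  <-- RENEW" if left < 30 else ""))
        overdue += left < 30
    sys.exit(1 if overdue else 0)
```

Running it from the same cron that runs the renewal, a few hours later, turns a silent renewal failure into a non-zero exit and a cron mail long before Let's Encrypt's own expiry notices arrive; the same parser reads real certificates, since it only walks the fixed leading fields that every X.509 certificate has.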

